nymtech · jstuczyn · Nov 14, 2025 · Nov 13, 2025
diff --git a/common/credential-proxy/src/error.rs b/common/credential-proxy/src/error.rs
@@ -168,6 +168,14 @@ pub enum CredentialProxyError {
         device_id: String,
         credential_id: String,
     },
+
+    #[error(
+        "the attestation check url has not been provided through either the CLI nor the default .env config"
+    )]
+    AttestationCheckUrlNotSet,
+
+    #[error("the provided attestation check url is malformed: {source}")]
+    MalformedAttestationCheckUrl { source: url::ParseError },
 }
 
 impl From<NymAPIError> for CredentialProxyError {

diff --git a/common/network-defaults/src/mainnet.rs b/common/network-defaults/src/mainnet.rs
@@ -54,6 +54,11 @@ pub const NYM_APIS: &[ApiUrlConst] = &[
 ];
 
 pub const NYM_VPN_API: &str = "https://nymvpn.com/api/";
+
+pub const UPGRADE_MODE_ATTESTATION_URL: &str = "https://nym.com/upgrade-mode/attestation.json";
+pub const UPGRADE_MODE_ATTESTER_ED25519_BS58_PUBKEY: &str =
+    "3bgffBYcfFkTTXc2npNNn9MkddFZ3H2LrPjXDmnJzrqd";
+
 #[cfg(feature = "network")]
 pub const NYM_VPN_APIS: &[ApiUrlConst] = &[
     ApiUrlConst {
@@ -159,6 +164,14 @@ pub fn export_to_env() {
     set_var_to_default(var_names::NYXD_WEBSOCKET, NYXD_WS);
     set_var_to_default(var_names::EXIT_POLICY_URL, EXIT_POLICY_URL);
     set_var_to_default(var_names::NYM_VPN_API, NYM_VPN_API);
+    set_var_to_default(
+        var_names::UPGRADE_MODE_ATTESTATION_URL,
+        UPGRADE_MODE_ATTESTATION_URL,
+    );
+    set_var_to_default(
+        var_names::UPGRADE_MODE_ATTESTER_ED25519_BS58_PUBKEY,
+        UPGRADE_MODE_ATTESTER_ED25519_BS58_PUBKEY,
+    );
 }
 
 #[cfg(all(feature = "env", feature = "network"))]
@@ -199,4 +212,12 @@ pub fn export_to_env_if_not_set() {
     set_var_conditionally_to_default(var_names::NYM_API, NYM_API);
     set_var_conditionally_to_default(var_names::NYXD_WEBSOCKET, NYXD_WS);
     set_var_conditionally_to_default(var_names::EXIT_POLICY_URL, EXIT_POLICY_URL);
+    set_var_conditionally_to_default(
+        var_names::UPGRADE_MODE_ATTESTATION_URL,
+        UPGRADE_MODE_ATTESTATION_URL,
+    );
+    set_var_conditionally_to_default(
+        var_names::UPGRADE_MODE_ATTESTER_ED25519_BS58_PUBKEY,
+        UPGRADE_MODE_ATTESTER_ED25519_BS58_PUBKEY,
+    );
 }
diff --git a/common/network-defaults/src/var_names.rs b/common/network-defaults/src/var_names.rs
@@ -25,6 +25,8 @@ pub const NYXD_WEBSOCKET: &str = "NYXD_WS";
 pub const EXIT_POLICY_URL: &str = "EXIT_POLICY";
 pub const NYM_VPN_API: &str = "NYM_VPN_API";
 pub const CLIENT_STATS_COLLECTION_PROVIDER: &str = "CLIENT_STATS_COLLECTION_PROVIDER";
+pub const UPGRADE_MODE_ATTESTATION_URL: &str = "UPGRADE_MODE_ATTESTATION_URL";
+pub const UPGRADE_MODE_ATTESTER_ED25519_BS58_PUBKEY: &str = "UPGRADE_MODE_ATTESTER_ED25519_PUBKEY";
 
 pub const DKG_TIME_CONFIGURATION: &str = "DKG_TIME_CONFIGURATION";
 

diff --git a/nym-credential-proxy/nym-credential-proxy/src/cli.rs b/nym-credential-proxy/nym-credential-proxy/src/cli.rs
@@ -156,12 +156,8 @@ pub struct Cli {
 #[derive(Args, Debug, Clone)]
 pub struct UpgradeModeConfig {
     /// URL for polling for upgrade mode changes.
-    #[clap(
-        long,
-        env = "NYM_CREDENTIAL_PROXY_ATTESTATION_CHECK_URL",
-        default_value = "5m"
-    )]
-    pub(crate) attestation_check_url: Url,
+    #[clap(long, env = "NYM_CREDENTIAL_PROXY_ATTESTATION_CHECK_URL")]
+    pub(crate) attestation_check_url: Option<Url>,
 
     /// Default polling interval of the upgrade mode endpoint.
     #[clap(

diff --git a/nym-credential-proxy/nym-credential-proxy/src/helpers.rs b/nym-credential-proxy/nym-credential-proxy/src/helpers.rs
@@ -8,6 +8,8 @@ use nym_bin_common::bin_info;
 use nym_credential_proxy_lib::error::CredentialProxyError;
 use nym_credential_proxy_lib::storage::CredentialProxyStorage;
 use nym_credential_proxy_lib::ticketbook_manager::TicketbookManager;
+use nym_network_defaults::var_names;
+use nym_network_defaults::var_names::CONFIGURED;
 use tracing::{error, info};
 
 pub async fn wait_for_signal() {
@@ -55,6 +57,28 @@ pub(crate) async fn run_api(cli: Cli) -> Result<(), CredentialProxyError> {
     let webhook_cfg = cli.webhook;
     let jwt_signing_keys = cli.jwt_signing_keys.signing_keys()?;
 
+    let upgrade_mode_attestation_check_url = match cli.upgrade_mode.attestation_check_url {
+        Some(url) => url,
+        None => {
+            // argument hasn't been provided and env is not configured
+            if std::env::var(CONFIGURED).is_err() {
+                return Err(CredentialProxyError::AttestationCheckUrlNotSet);
+            }
+            // argument hasn't been provided and the relevant env value hasn't been set
+            // (technically this shouldn't be possible)
+            let Ok(env_url) = std::env::var(var_names::UPGRADE_MODE_ATTESTATION_URL) else {
+                return Err(CredentialProxyError::AttestationCheckUrlNotSet);
+            };
+
+            match env_url.parse() {
+                Ok(url) => url,
+                Err(err) => {
+                    return Err(CredentialProxyError::MalformedAttestationCheckUrl { source: err });
+                }
+            }
+        }
+    };
+
     let ticketbook_manager = TicketbookManager::new(
         build_sha_short(),
         cli.quorum_check_interval,
@@ -70,7 +94,7 @@ pub(crate) async fn run_api(cli: Cli) -> Result<(), CredentialProxyError> {
         cli.upgrade_mode.attestation_check_regular_polling_interval,
         cli.upgrade_mode
             .attestation_check_expedited_polling_interval,
-        cli.upgrade_mode.attestation_check_url,
+        upgrade_mode_attestation_check_url,
         jwt_signing_keys,
         cli.upgrade_mode.upgrade_mode_jwt_validity,
     );

diff --git a/nym-wallet/Cargo.lock b/nym-wallet/Cargo.lock