From 133bbe584a89959456e25c5957faad464a6ac236 Mon Sep 17 00:00:00 2001
From: Matthias Fasching <5011972+fasmat@users.noreply.github.com>
Date: Thu, 19 Oct 2023 12:53:30 +0000
Subject: [PATCH] Add mTLS grpcserver (#5154)

## Motivation
Closes #5131

do not merge before https://github.com/spacemeshos/api/pull/268 and https://github.com/spacemeshos/post/pull/245

## Changes
- setup for gRPC servers has been moved from node startup into the `grpcserver` package
- `NewPublic`, `NewPrivate` and `NewTLS` create servers for the given purposes based on the configuration passed to them
- replaced more instances of `go-spacemesh/log` with `zap`

## Test Plan
- existing tests pass
- TODO: add new tests for mTLS connection

## TODO
<!-- This section should be removed when all items are complete -->
- [x] Explain motivation or link existing issue(s)
- [x] Test changes and document test plan
- [x] Update documentation as needed
- [x] Update [changelog](../CHANGELOG.md) as needed
---
 CHANGELOG.md                               |   6 +-
 Makefile-libs.Inc                          |   2 +-
 README.md                                  |  50 ++
 activation/e2e/nipost_test.go              |  10 +-
 activation/post_supervisor.go              |  14 +-
 api/grpcserver/activation_service.go       |  15 +-
 api/grpcserver/admin_service.go            |  15 +-
 api/grpcserver/admin_service_test.go       |  14 +-
 api/grpcserver/config.go                   |  10 +-
 api/grpcserver/debug_service.go            |  15 +-
 api/grpcserver/globalstate_service.go      |  15 +-
 api/grpcserver/globalstate_service_test.go | 364 ++++++++++++++
 api/grpcserver/grpc.go                     | 146 ++++--
 api/grpcserver/grpcserver_test.go          | 536 ++-------------------
 api/grpcserver/grpcserver_tls_test.go      |  46 ++
 api/grpcserver/http_server.go              |  51 +-
 api/grpcserver/http_server_test.go         |  91 ++++
 api/grpcserver/mesh_service.go             |  15 +-
 api/grpcserver/mesh_service_test.go        |   4 +-
 api/grpcserver/node_service.go             |  15 +-
 api/grpcserver/node_service_test.go        | 153 ++++++
 api/grpcserver/post_client.go              |  21 +-
 api/grpcserver/post_service.go             |  16 +-
 api/grpcserver/post_service_test.go        |  71 +++
 api/grpcserver/smesher_service.go          |  15 +-
 api/grpcserver/testdata/README.md          |  38 ++
 api/grpcserver/testdata/ca.crt             |  34 ++
 api/grpcserver/testdata/ca.key             |  52 ++
 api/grpcserver/testdata/client.crt         |  34 ++
 api/grpcserver/testdata/client.key         |  52 ++
 api/grpcserver/testdata/domains.ext        |   6 +
 api/grpcserver/testdata/server.crt         |  34 ++
 api/grpcserver/testdata/server.key         |  52 ++
 api/grpcserver/transaction_service.go      |  15 +-
 api/grpcserver/transaction_service_test.go |   6 +-
 cmd/bootstrapper/generator_test.go         |  23 +-
 cmd/bootstrapper/server_test.go            |   5 +-
 cmd/root.go                                |   6 +
 config/config.go                           |   5 +-
 config/presets/fastnet.go                  |   4 +-
 config/presets/presets.go                  |   3 +-
 config/presets/standalone.go               |   2 +-
 go.mod                                     |  22 +-
 go.sum                                     |  40 +-
 node/bad_peer_test.go                      |  12 +-
 node/node.go                               | 220 ++++-----
 node/node_test.go                          |   3 +-
 node/{util_test.go => test_network.go}     |   2 +-
 48 files changed, 1600 insertions(+), 780 deletions(-)
 create mode 100644 api/grpcserver/globalstate_service_test.go
 create mode 100644 api/grpcserver/grpcserver_tls_test.go
 create mode 100644 api/grpcserver/http_server_test.go
 create mode 100644 api/grpcserver/node_service_test.go
 create mode 100644 api/grpcserver/testdata/README.md
 create mode 100644 api/grpcserver/testdata/ca.crt
 create mode 100644 api/grpcserver/testdata/ca.key
 create mode 100644 api/grpcserver/testdata/client.crt
 create mode 100644 api/grpcserver/testdata/client.key
 create mode 100644 api/grpcserver/testdata/domains.ext
 create mode 100644 api/grpcserver/testdata/server.crt
 create mode 100644 api/grpcserver/testdata/server.key
 rename node/{util_test.go => test_network.go} (97%)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index dbe6b534cea..0bfbffaa1f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,10 +18,12 @@ See [RELEASE](./RELEASE.md) for workflow instructions.
 
   > 2023-10-02T15:28:14.002+0200 WARN fd68b.sync mesh failed to process layer from sync {"node_id": "fd68b9397572556c2f329f3e5af2faf23aef85dbbbb7e38447fae2f4ef38899f", "module": "sync", "sessionId": "29422935-68d6-47d1-87a8-02293aa181f3", "layer_id": 23104, "errmsg": "requested layer 8063 is before evicted 13102", "name": "sync"}
 
-* [#5091](https://github.com/spacemeshos/go-spacemesh/pull/5091) First stage of separating PoST from the node into its own service.
+* [#5091](https://github.com/spacemeshos/go-spacemesh/pull/5091) Separating PoST from the node into its own service.
 * [#5061](https://github.com/spacemeshos/go-spacemesh/pull/5061) Proof generation is now done via a dedicated service instead of the node.
+* [#5154](https://github.com/spacemeshos/go-spacemesh/pull/5154) Enable TLS connections between node and PoST service.
 
-  Operating a node doesn't require any changes at the moment. The service will be automatically started by the node if needed and will be stopped when the node is stopped.
+  PoST proofs are now done via a dedicated process / service that the node communicates with via gRPC. Smapp users can continue to smesh as they used to. The node will
+  automatically start the PoST service when it starts and will shut it down when it shuts down.
 
 * [#5138](https://github.com/spacemeshos/go-spacemesh/pull/5138) Bump poet to v0.9.7
 
diff --git a/Makefile-libs.Inc b/Makefile-libs.Inc
index 1ebee8716ca..f3fd8f3b384 100644
--- a/Makefile-libs.Inc
+++ b/Makefile-libs.Inc
@@ -50,7 +50,7 @@ else
 	endif
 endif
 
-POSTRS_SETUP_REV = 0.5.0-alpha2
+POSTRS_SETUP_REV = 0.5.0
 POSTRS_SETUP_ZIP = libpost-$(platform)-v$(POSTRS_SETUP_REV).zip
 POSTRS_SETUP_URL_ZIP ?= https://github.com/spacemeshos/post-rs/releases/download/v$(POSTRS_SETUP_REV)/$(POSTRS_SETUP_ZIP)
 POSTRS_PROFILER_ZIP = profiler-$(platform)-v$(POSTRS_SETUP_REV).zip
diff --git a/README.md b/README.md
index d4973738e60..732d7b934ab 100644
--- a/README.md
+++ b/README.md
@@ -235,6 +235,56 @@ on Windows you can use Intel OpenAPI:
 choco install opencl-intel-cpu-runtime
 ```
 
+#### Using a remote machine as provider for PoST proofs
+
+To disable the internal PoST service and disable smeshing on your node you can use the following config:
+
+```json
+"smeshing": {
+    "smeshing-start": false,
+}
+```
+
+or use the `--smeshing-start=false` flag. This will disable smeshing on your node causing it not generate any PoST proofs until a remote post
+service connects.
+
+By default the node listens for the PoST service on `grpc-private-listener` (defaults to 127.0.0.1:9093). This endpoint does not require authentication and
+should only be accessible from the same machine. If you want to allow connections from post services on other hosts to your node, you should do so via the
+`grpc-tls-listener` (defaults to 0.0.0.0:9094) and setup TLS for the connection.
+
+This is useful for example if you want to run a node on a cloud provider with fewer resources and run PoST on a local machine with more resources. The post
+service only needs to be online for the initial proof (i.e. when joining the network for the first time) and during the cyclegap in every epoch.
+
+To setup TLS-secured public connections the API config has been extended with the following options:
+
+```json
+"api": {
+    "grpc-private-services": ["admin", "smesher"], // remove "post" from the list of services only exposed to the local machine
+    "grpc-tls-services": ["post"],                 // add "post" to the list of services that should be exposed via TLS
+    "grpc-tls-listener": "0.0.0.0:9094",           // listen address for TLS connections
+    "grpc-tls-ca-cert": "/path/to/ca.pem",         // CA certificate that signed the node's and the PoST service's certificates
+    "grpc-tls-cert": "/path/to/cert.pem",          // certificate for the node
+    "grpc-tls-key": "/path/to/key.pem",            // private key for the node
+}
+```
+
+Ensure that remote PoST services are setup to connect to your node via TLS, that they trust your node's certificate and use a certificate that is signed by the
+same CA as your node's certificate.
+
+The local (supervised) PoST service can also be configured to connect to your node via TLS if needed. The following config options are available:
+
+```json
+"post-service": {
+    "post-opts-post-service": "/path/to/service-binary", // defaults to service in the same directory as the node binary
+    "post-opts-node-address": "http://domain:port",      // defaults to 127.0.0.1:9093 - the same default value as for "grpc-private-listener"
+
+    // the following settings are mandatory when connecting to the node via TLS - when connecting via the private listener they are not needed
+    "post-opts-tls-ca-cert": "/path/to/ca.pem",  // CA certificate that signed the node's and the PoST service's certificates
+    "post-opts-tls-cert": "/path/to/cert.pem",   // certificate for the PoST service
+    "post-opts-tls-key": "/path/to/key.pem",     // private key for the PoST service
+}
+```
+
 ---
 
 ### Testing
diff --git a/activation/e2e/nipost_test.go b/activation/e2e/nipost_test.go
index 2b3abf4cb45..6f3dc9bc018 100644
--- a/activation/e2e/nipost_test.go
+++ b/activation/e2e/nipost_test.go
@@ -78,19 +78,19 @@ func launchServer(tb testing.TB, services ...grpcserver.ServiceAPI) (grpcserver.
 	cfg := grpcserver.DefaultTestConfig()
 
 	// run on random ports
-	grpcService := grpcserver.New("127.0.0.1:0", logtest.New(tb).Named("grpc"))
+	server := grpcserver.New("127.0.0.1:0", zaptest.NewLogger(tb).Named("grpc"), cfg)
 
 	// attach services
 	for _, svc := range services {
-		svc.RegisterService(grpcService)
+		svc.RegisterService(server.GrpcServer)
 	}
 
-	require.NoError(tb, grpcService.Start())
+	require.NoError(tb, server.Start())
 
 	// update config with bound addresses
-	cfg.PublicListener = grpcService.BoundAddress
+	cfg.PublicListener = server.BoundAddress
 
-	return cfg, func() { assert.NoError(tb, grpcService.Close()) }
+	return cfg, func() { assert.NoError(tb, server.Close()) }
 }
 
 func initPost(tb testing.TB, logger *zap.Logger, mgr *activation.PostSetupManager, opts activation.PostSetupOpts) {
diff --git a/activation/post_supervisor.go b/activation/post_supervisor.go
index 3365c1f0505..acbb2baf44a 100644
--- a/activation/post_supervisor.go
+++ b/activation/post_supervisor.go
@@ -47,8 +47,11 @@ func DefaultTestPostServiceConfig() PostSupervisorConfig {
 
 type PostSupervisorConfig struct {
 	PostServiceCmd string `mapstructure:"post-opts-post-service"`
+	NodeAddress    string `mapstructure:"post-opts-node-address"`
 
-	NodeAddress string `mapstructure:"post-opts-node-address"`
+	CACert string `mapstructure:"post-opts-ca-cert"`
+	Cert   string `mapstructure:"post-opts-cert"`
+	Key    string `mapstructure:"post-opts-key"`
 }
 
 // PostSupervisor manages a local post service.
@@ -153,6 +156,15 @@ func (ps *PostSupervisor) runCmd(ctx context.Context, cmdCfg PostSupervisorConfi
 			"--nonces", strconv.FormatUint(uint64(provingOpts.Nonces), 10),
 			"--randomx-mode", provingOpts.RandomXMode.String(),
 		}
+		if cmdCfg.CACert != "" {
+			args = append(args, "--ca-cert", cmdCfg.CACert)
+		}
+		if cmdCfg.Cert != "" {
+			args = append(args, "--cert", cmdCfg.Cert)
+		}
+		if cmdCfg.Key != "" {
+			args = append(args, "--key", cmdCfg.Key)
+		}
 
 		cmd := exec.CommandContext(
 			ctx,
diff --git a/api/grpcserver/activation_service.go b/api/grpcserver/activation_service.go
index 042a6460341..c8a0afbd4d9 100644
--- a/api/grpcserver/activation_service.go
+++ b/api/grpcserver/activation_service.go
@@ -6,8 +6,10 @@ import (
 	"fmt"
 
 	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	pb "github.com/spacemeshos/api/release/go/spacemesh/v1"
 	"go.uber.org/zap"
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/emptypb"
@@ -30,8 +32,17 @@ func NewActivationService(atxProvider atxProvider, goldenAtx types.ATXID) *activ
 }
 
 // RegisterService implements ServiceAPI.
-func (s *activationService) RegisterService(server *Server) {
-	pb.RegisterActivationServiceServer(server.GrpcServer, s)
+func (s *activationService) RegisterService(server *grpc.Server) {
+	pb.RegisterActivationServiceServer(server, s)
+}
+
+func (s *activationService) RegisterHandlerService(mux *runtime.ServeMux) error {
+	return pb.RegisterActivationServiceHandlerServer(context.Background(), mux, s)
+}
+
+// String returns the service name.
+func (s *activationService) String() string {
+	return "ActivationService"
 }
 
 // Get implements v1.ActivationServiceServer.
diff --git a/api/grpcserver/admin_service.go b/api/grpcserver/admin_service.go
index f242bda5d44..0b918a922ec 100644
--- a/api/grpcserver/admin_service.go
+++ b/api/grpcserver/admin_service.go
@@ -9,8 +9,10 @@ import (
 	"time"
 
 	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	pb "github.com/spacemeshos/api/release/go/spacemesh/v1"
 	"github.com/spf13/afero"
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
@@ -53,8 +55,17 @@ func NewAdminService(db *sql.Database, dataDir string, p peers) *AdminService {
 }
 
 // RegisterService registers this service with a grpc server instance.
-func (a AdminService) RegisterService(server *Server) {
-	pb.RegisterAdminServiceServer(server.GrpcServer, a)
+func (a AdminService) RegisterService(server *grpc.Server) {
+	pb.RegisterAdminServiceServer(server, a)
+}
+
+func (s AdminService) RegisterHandlerService(mux *runtime.ServeMux) error {
+	return pb.RegisterAdminServiceHandlerServer(context.Background(), mux, s)
+}
+
+// String returns the name of this service.
+func (a AdminService) String() string {
+	return "AdminService"
 }
 
 func (a AdminService) CheckpointStream(req *pb.CheckpointStreamRequest, stream pb.AdminService_CheckpointStreamServer) error {
diff --git a/api/grpcserver/admin_service_test.go b/api/grpcserver/admin_service_test.go
index 109fb3c2144..2df5b8ff0dc 100644
--- a/api/grpcserver/admin_service_test.go
+++ b/api/grpcserver/admin_service_test.go
@@ -19,7 +19,7 @@ import (
 
 const snapshot uint32 = 15
 
-func newatx(tb testing.TB, db *sql.Database) {
+func newAtx(tb testing.TB, db *sql.Database) {
 	atx := &types.ActivationTx{
 		InnerActivationTx: types.InnerActivationTx{
 			NIPostChallenge: types.NIPostChallenge{
@@ -32,8 +32,8 @@ func newatx(tb testing.TB, db *sql.Database) {
 		},
 	}
 	atx.SetID(types.RandomATXID())
-	vrfnonce := types.VRFPostIndex(11)
-	atx.VRFNonce = &vrfnonce
+	vrfNonce := types.VRFPostIndex(11)
+	atx.VRFNonce = &vrfNonce
 	atx.SmesherID = types.BytesToNodeID(types.RandomBytes(20))
 	atx.NodeID = &atx.SmesherID
 	atx.SetEffectiveNumUnits(atx.NumUnits)
@@ -45,7 +45,7 @@ func newatx(tb testing.TB, db *sql.Database) {
 
 func createMesh(tb testing.TB, db *sql.Database) {
 	for i := 0; i < 10; i++ {
-		newatx(tb, db)
+		newAtx(tb, db)
 	}
 	acct := &types.Account{
 		Layer: types.LayerID(0), Address: types.Address{1, 1}, NextNonce: 1, Balance: 1300, TemplateAddress: &types.Address{2}, State: []byte("state10"),
@@ -62,7 +62,7 @@ func TestAdminService_Checkpoint(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	c := pb.NewAdminServiceClient(conn)
 
 	stream, err := c.CheckpointStream(ctx, &pb.CheckpointStreamRequest{SnapshotLayer: snapshot})
@@ -98,7 +98,7 @@ func TestAdminService_CheckpointError(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	c := pb.NewAdminServiceClient(conn)
 
 	stream, err := c.CheckpointStream(ctx, &pb.CheckpointStreamRequest{SnapshotLayer: snapshot})
@@ -118,7 +118,7 @@ func TestAdminService_Recovery(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	c := pb.NewAdminServiceClient(conn)
 
 	_, err := c.Recover(ctx, &pb.RecoverRequest{})
diff --git a/api/grpcserver/config.go b/api/grpcserver/config.go
index daa07c75405..c08d63beff7 100644
--- a/api/grpcserver/config.go
+++ b/api/grpcserver/config.go
@@ -10,6 +10,11 @@ type Config struct {
 	PublicListener  string    `mapstructure:"grpc-public-listener"`
 	PrivateServices []Service `mapstructure:"grpc-private-services"`
 	PrivateListener string    `mapstructure:"grpc-private-listener"`
+	TLSServices     []Service `mapstructure:"grpc-tls-services"`
+	TLSListener     string    `mapstructure:"grpc-tls-listener"`
+	TLSCACert       string    `mapstructure:"gprc-tls-ca-cert"`
+	TLSCert         string    `mapstructure:"grpc-tls-cert"`
+	TLSKey          string    `mapstructure:"grpc-tls-key"`
 	GrpcSendMsgSize int       `mapstructure:"grpc-send-msg-size"`
 	GrpcRecvMsgSize int       `mapstructure:"grpc-recv-msg-size"`
 	JSONListener    string    `mapstructure:"grpc-json-listener"`
@@ -36,8 +41,10 @@ func DefaultConfig() Config {
 	return Config{
 		PublicServices:        []Service{Debug, GlobalState, Mesh, Transaction, Node, Activation},
 		PublicListener:        "0.0.0.0:9092",
-		PrivateServices:       []Service{Admin, Smesher, Post}, // TODO(mafa): move from private to public with authentication (probably new service category)
+		PrivateServices:       []Service{Admin, Smesher, Post},
 		PrivateListener:       "127.0.0.1:9093",
+		TLSServices:           []Service{},
+		TLSListener:           "0.0.0.0:9094",
 		JSONListener:          "",
 		GrpcSendMsgSize:       1024 * 1024 * 10,
 		GrpcRecvMsgSize:       1024 * 1024 * 10,
@@ -51,5 +58,6 @@ func DefaultTestConfig() Config {
 	conf.PublicListener = "127.0.0.1:0"
 	conf.PrivateListener = "127.0.0.1:0"
 	conf.JSONListener = "127.0.0.1:0"
+	conf.TLSListener = "127.0.0.1:0"
 	return conf
 }
diff --git a/api/grpcserver/debug_service.go b/api/grpcserver/debug_service.go
index 349e7995d5e..48110b7181a 100644
--- a/api/grpcserver/debug_service.go
+++ b/api/grpcserver/debug_service.go
@@ -5,8 +5,10 @@ import (
 	"fmt"
 
 	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	pb "github.com/spacemeshos/api/release/go/spacemesh/v1"
 	"go.uber.org/zap"
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
@@ -27,8 +29,17 @@ type DebugService struct {
 }
 
 // RegisterService registers this service with a grpc server instance.
-func (d DebugService) RegisterService(server *Server) {
-	pb.RegisterDebugServiceServer(server.GrpcServer, d)
+func (d DebugService) RegisterService(server *grpc.Server) {
+	pb.RegisterDebugServiceServer(server, d)
+}
+
+func (s DebugService) RegisterHandlerService(mux *runtime.ServeMux) error {
+	return pb.RegisterDebugServiceHandlerServer(context.Background(), mux, s)
+}
+
+// String returns the name of this service.
+func (d DebugService) String() string {
+	return "DebugService"
 }
 
 // NewDebugService creates a new grpc service using config data.
diff --git a/api/grpcserver/globalstate_service.go b/api/grpcserver/globalstate_service.go
index 12602b58e23..8ea8b781cea 100644
--- a/api/grpcserver/globalstate_service.go
+++ b/api/grpcserver/globalstate_service.go
@@ -5,8 +5,10 @@ import (
 	"fmt"
 
 	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	pb "github.com/spacemeshos/api/release/go/spacemesh/v1"
 	"go.uber.org/zap"
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
@@ -22,8 +24,17 @@ type GlobalStateService struct {
 }
 
 // RegisterService registers this service with a grpc server instance.
-func (s GlobalStateService) RegisterService(server *Server) {
-	pb.RegisterGlobalStateServiceServer(server.GrpcServer, s)
+func (s GlobalStateService) RegisterService(server *grpc.Server) {
+	pb.RegisterGlobalStateServiceServer(server, s)
+}
+
+func (s GlobalStateService) RegisterHandlerService(mux *runtime.ServeMux) error {
+	return pb.RegisterGlobalStateServiceHandlerServer(context.Background(), mux, s)
+}
+
+// String returns the name of the service.
+func (s GlobalStateService) String() string {
+	return "GlobalStateService"
 }
 
 // NewGlobalStateService creates a new grpc service using config data.
diff --git a/api/grpcserver/globalstate_service_test.go b/api/grpcserver/globalstate_service_test.go
new file mode 100644
index 00000000000..b39cf09683f
--- /dev/null
+++ b/api/grpcserver/globalstate_service_test.go
@@ -0,0 +1,364 @@
+package grpcserver
+
+import (
+	"context"
+	"math"
+	"testing"
+	"time"
+
+	pb "github.com/spacemeshos/api/release/go/spacemesh/v1"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/mock/gomock"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	"github.com/spacemeshos/go-spacemesh/common/types"
+)
+
+type globalStateServiceConn struct {
+	pb.GlobalStateServiceClient
+
+	meshAPI     *MockmeshAPI
+	conStateAPI *MockconservativeState
+}
+
+func setupGlobalStateService(t *testing.T) (*globalStateServiceConn, context.Context) {
+	ctrl, mockCtx := gomock.WithContext(context.Background(), t)
+	meshAPI := NewMockmeshAPI(ctrl)
+	conStateAPI := NewMockconservativeState(ctrl)
+	svc := NewGlobalStateService(meshAPI, conStateAPI)
+	cfg, cleanup := launchServer(t, svc)
+	t.Cleanup(cleanup)
+
+	grpcCtx, cancel := context.WithTimeout(context.Background(), time.Second)
+	defer cancel()
+	conn := dialGrpc(grpcCtx, t, cfg)
+	client := pb.NewGlobalStateServiceClient(conn)
+
+	return &globalStateServiceConn{
+		GlobalStateServiceClient: client,
+
+		meshAPI:     meshAPI,
+		conStateAPI: conStateAPI,
+	}, mockCtx
+}
+
+func TestGlobalStateService(t *testing.T) {
+	t.Run("GlobalStateHash", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupGlobalStateService(t)
+
+		layerVerified := types.LayerID(8)
+		c.meshAPI.EXPECT().LatestLayerInState().Return(layerVerified)
+		stateRoot := types.HexToHash32("11111")
+		c.conStateAPI.EXPECT().GetStateRoot().Return(stateRoot, nil)
+
+		res, err := c.GlobalStateHash(ctx, &pb.GlobalStateHashRequest{})
+		require.NoError(t, err)
+		require.Equal(t, layerVerified.Uint32(), res.Response.Layer.Number)
+		require.Equal(t, stateRoot.Bytes(), res.Response.RootHash)
+	})
+	t.Run("Account", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupGlobalStateService(t)
+
+		c.conStateAPI.EXPECT().GetBalance(addr1).Return(accountBalance, nil)
+		c.conStateAPI.EXPECT().GetNonce(addr1).Return(accountCounter, nil)
+		c.conStateAPI.EXPECT().GetProjection(addr1).Return(accountCounter+1, accountBalance+1)
+
+		res, err := c.Account(ctx, &pb.AccountRequest{
+			AccountId: &pb.AccountId{Address: addr1.String()},
+		})
+		require.NoError(t, err)
+		require.Equal(t, addr1.String(), res.AccountWrapper.AccountId.Address)
+		require.Equal(t, uint64(accountBalance), res.AccountWrapper.StateCurrent.Balance.Value)
+		require.Equal(t, uint64(accountCounter), res.AccountWrapper.StateCurrent.Counter)
+		require.Equal(t, uint64(accountBalance+1), res.AccountWrapper.StateProjected.Balance.Value)
+		require.Equal(t, uint64(accountCounter+1), res.AccountWrapper.StateProjected.Counter)
+	})
+	t.Run("AccountDataQuery_MissingFilter", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupGlobalStateService(t)
+
+		_, err := c.AccountDataQuery(ctx, &pb.AccountDataQueryRequest{})
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "`Filter` must be provided")
+	})
+	t.Run("AccountDataQuery_MissingFlags", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupGlobalStateService(t)
+
+		_, err := c.AccountDataQuery(ctx, &pb.AccountDataQueryRequest{
+			Filter: &pb.AccountDataFilter{
+				AccountId: &pb.AccountId{Address: addr1.String()},
+			},
+		})
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "`Filter.AccountMeshDataFlags` must set at least one")
+	})
+	t.Run("AccountDataQuery_BadOffset", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupGlobalStateService(t)
+
+		c.meshAPI.EXPECT().GetRewards(addr1).Return([]*types.Reward{
+			{
+				Layer:       layerFirst,
+				TotalReward: rewardAmount,
+				LayerReward: rewardAmount,
+				Coinbase:    addr1,
+			},
+		}, nil)
+		c.conStateAPI.EXPECT().GetBalance(addr1).Return(accountBalance, nil)
+		c.conStateAPI.EXPECT().GetNonce(addr1).Return(accountCounter, nil)
+		c.conStateAPI.EXPECT().GetProjection(addr1).Return(accountCounter+1, accountBalance+1)
+
+		res, err := c.AccountDataQuery(ctx, &pb.AccountDataQueryRequest{
+			MaxResults: uint32(1),
+			Offset:     math.MaxUint32,
+			Filter: &pb.AccountDataFilter{
+				AccountId: &pb.AccountId{Address: addr1.String()},
+				AccountDataFlags: uint32(pb.AccountDataFlag_ACCOUNT_DATA_FLAG_ACCOUNT |
+					pb.AccountDataFlag_ACCOUNT_DATA_FLAG_REWARD),
+			},
+		})
+		// huge offset is not an error, we just expect no results
+		require.NoError(t, err)
+		require.Equal(t, uint32(0), res.TotalResults)
+		require.Equal(t, 0, len(res.AccountItem))
+	})
+	t.Run("AccountDataQuery_ZeroMaxResults", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupGlobalStateService(t)
+
+		c.meshAPI.EXPECT().GetRewards(addr1).Return([]*types.Reward{
+			{
+				Layer:       layerFirst,
+				TotalReward: rewardAmount,
+				LayerReward: rewardAmount,
+				Coinbase:    addr1,
+			},
+		}, nil)
+		c.conStateAPI.EXPECT().GetBalance(addr1).Return(accountBalance, nil)
+		c.conStateAPI.EXPECT().GetNonce(addr1).Return(accountCounter, nil)
+		c.conStateAPI.EXPECT().GetProjection(addr1).Return(accountCounter+1, accountBalance+1)
+
+		res, err := c.AccountDataQuery(ctx, &pb.AccountDataQueryRequest{
+			MaxResults: uint32(0),
+			Filter: &pb.AccountDataFilter{
+				AccountId: &pb.AccountId{Address: addr1.String()},
+				AccountDataFlags: uint32(pb.AccountDataFlag_ACCOUNT_DATA_FLAG_ACCOUNT |
+					pb.AccountDataFlag_ACCOUNT_DATA_FLAG_REWARD),
+			},
+		})
+		// zero maxresults means return everything
+		require.NoError(t, err)
+		require.Equal(t, uint32(2), res.TotalResults)
+		require.Equal(t, 2, len(res.AccountItem))
+	})
+	t.Run("AccountDataQuery_OneResult", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupGlobalStateService(t)
+
+		c.meshAPI.EXPECT().GetRewards(addr1).Return([]*types.Reward{
+			{
+				Layer:       layerFirst,
+				TotalReward: rewardAmount,
+				LayerReward: rewardAmount,
+				Coinbase:    addr1,
+			},
+		}, nil)
+		c.conStateAPI.EXPECT().GetBalance(addr1).Return(accountBalance, nil)
+		c.conStateAPI.EXPECT().GetNonce(addr1).Return(accountCounter, nil)
+		c.conStateAPI.EXPECT().GetProjection(addr1).Return(accountCounter+1, accountBalance+1)
+
+		res, err := c.AccountDataQuery(ctx, &pb.AccountDataQueryRequest{
+			MaxResults: uint32(1),
+			Filter: &pb.AccountDataFilter{
+				AccountId: &pb.AccountId{Address: addr1.String()},
+				AccountDataFlags: uint32(pb.AccountDataFlag_ACCOUNT_DATA_FLAG_ACCOUNT |
+					pb.AccountDataFlag_ACCOUNT_DATA_FLAG_REWARD),
+			},
+		})
+		require.NoError(t, err)
+		require.Equal(t, uint32(2), res.TotalResults)
+		require.Equal(t, 1, len(res.AccountItem))
+		checkAccountDataQueryItemReward(t, res.AccountItem[0].Datum)
+	})
+	t.Run("AccountDataQuery", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupGlobalStateService(t)
+
+		c.meshAPI.EXPECT().GetRewards(addr1).Return([]*types.Reward{
+			{
+				Layer:       layerFirst,
+				TotalReward: rewardAmount,
+				LayerReward: rewardAmount,
+				Coinbase:    addr1,
+			},
+		}, nil)
+		c.conStateAPI.EXPECT().GetBalance(addr1).Return(accountBalance, nil)
+		c.conStateAPI.EXPECT().GetNonce(addr1).Return(accountCounter, nil)
+		c.conStateAPI.EXPECT().GetProjection(addr1).Return(accountCounter+1, accountBalance+1)
+
+		res, err := c.AccountDataQuery(ctx, &pb.AccountDataQueryRequest{
+			Filter: &pb.AccountDataFilter{
+				AccountId: &pb.AccountId{Address: addr1.String()},
+				AccountDataFlags: uint32(pb.AccountDataFlag_ACCOUNT_DATA_FLAG_ACCOUNT |
+					pb.AccountDataFlag_ACCOUNT_DATA_FLAG_REWARD),
+			},
+		})
+		require.NoError(t, err)
+		require.Equal(t, uint32(2), res.TotalResults)
+		require.Equal(t, 2, len(res.AccountItem))
+
+		checkAccountDataQueryItemReward(t, res.AccountItem[0].Datum)
+		checkAccountDataQueryItemAccount(t, res.AccountItem[1].Datum)
+	})
+	t.Run("AppEventStream", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupGlobalStateService(t)
+
+		stream, err := c.AppEventStream(ctx, &pb.AppEventStreamRequest{})
+		// We expect to be able to open the stream but for it to fail upon the first request
+		require.NoError(t, err)
+		_, err = stream.Recv()
+		statusCode := status.Code(err)
+		require.Equal(t, codes.Unimplemented, statusCode)
+	})
+	t.Run("AccountDataStream_emptyAddress", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupGlobalStateService(t)
+
+		stream, err := c.AccountDataStream(ctx, &pb.AccountDataStreamRequest{
+			Filter: &pb.AccountDataFilter{
+				AccountId: &pb.AccountId{},
+				AccountDataFlags: uint32(
+					pb.AccountDataFlag_ACCOUNT_DATA_FLAG_REWARD |
+						pb.AccountDataFlag_ACCOUNT_DATA_FLAG_ACCOUNT),
+			},
+		})
+		require.NoError(t, err, "unexpected error opening stream")
+
+		_, err = stream.Recv()
+		statusCode := status.Code(err)
+		require.Equal(t, codes.Unknown, statusCode)
+	})
+	t.Run("AccountDataStream_invalidAddress", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupGlobalStateService(t)
+
+		// Just try opening and immediately closing the stream
+		ctx, cancel := context.WithCancel(ctx)
+		stream, err := c.AccountDataStream(ctx, &pb.AccountDataStreamRequest{
+			Filter: &pb.AccountDataFilter{
+				AccountId: &pb.AccountId{Address: types.GenerateAddress([]byte{'A'}).String()},
+				AccountDataFlags: uint32(
+					pb.AccountDataFlag_ACCOUNT_DATA_FLAG_REWARD |
+						pb.AccountDataFlag_ACCOUNT_DATA_FLAG_ACCOUNT),
+			},
+		})
+		require.NoError(t, err, "unexpected error opening stream")
+
+		cancel()
+		_, err = stream.Recv()
+		statusCode := status.Code(err)
+		require.Equal(t, codes.Canceled, statusCode)
+	})
+	t.Run("AccountDataStream", func(t *testing.T) {
+		t.Parallel()
+
+		tt := []struct {
+			name string
+			req  *pb.AccountDataStreamRequest
+			err  string
+		}{
+			{
+				name: "missing filter",
+				req:  &pb.AccountDataStreamRequest{},
+				err:  "`Filter` must be provided",
+			},
+			{
+				name: "empty filter",
+				req: &pb.AccountDataStreamRequest{
+					Filter: &pb.AccountDataFilter{},
+				},
+				err: "`Filter.AccountId` must be provided",
+			},
+			{
+				name: "missing address",
+				req: &pb.AccountDataStreamRequest{
+					Filter: &pb.AccountDataFilter{
+						AccountDataFlags: uint32(
+							pb.AccountDataFlag_ACCOUNT_DATA_FLAG_REWARD |
+								pb.AccountDataFlag_ACCOUNT_DATA_FLAG_ACCOUNT),
+					},
+				},
+				err: "`Filter.AccountId` must be provided",
+			},
+			{
+				name: "filter with zero flags",
+				req: &pb.AccountDataStreamRequest{
+					Filter: &pb.AccountDataFilter{
+						AccountId:        &pb.AccountId{Address: addr1.String()},
+						AccountDataFlags: uint32(0),
+					},
+				},
+				err: "`Filter.AccountDataFlags` must set at least one bitfield",
+			},
+		}
+
+		for _, tc := range tt {
+			tc := tc
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+				c, ctx := setupGlobalStateService(t)
+
+				// there should be no error opening the stream
+				stream, err := c.AccountDataStream(ctx, tc.req)
+				require.NoError(t, err, "unexpected error opening stream")
+
+				// sending a request should generate an error
+				_, err = stream.Recv()
+				require.Error(t, err, "expected an error")
+				require.ErrorContains(t, err, tc.err, "received unexpected error")
+				statusCode := status.Code(err)
+				require.Equal(t, codes.InvalidArgument, statusCode, "expected InvalidArgument error")
+			})
+		}
+	})
+	t.Run("GlobalStateStream", func(t *testing.T) {
+		t.Parallel()
+
+		t.Run("nonzero flags", func(t *testing.T) {
+			t.Parallel()
+			c, ctx := setupGlobalStateService(t)
+
+			// Just try opening and immediately closing the stream
+			ctx, cancel := context.WithCancel(ctx)
+			stream, err := c.GlobalStateStream(ctx, &pb.GlobalStateStreamRequest{
+				GlobalStateDataFlags: uint32(pb.GlobalStateDataFlag_GLOBAL_STATE_DATA_FLAG_ACCOUNT),
+			})
+			require.NoError(t, err, "unexpected error opening stream")
+
+			cancel()
+			_, err = stream.Recv()
+			statusCode := status.Code(err)
+			require.Equal(t, codes.Canceled, statusCode)
+		})
+		t.Run("zero flags", func(t *testing.T) {
+			t.Parallel()
+			c, ctx := setupGlobalStateService(t)
+
+			// there should be no error opening the stream
+			stream, err := c.GlobalStateStream(ctx, &pb.GlobalStateStreamRequest{GlobalStateDataFlags: uint32(0)})
+			require.NoError(t, err, "unexpected error opening stream")
+
+			// sending a request should generate an error
+			_, err = stream.Recv()
+			require.Error(t, err, "expected an error")
+			require.ErrorContains(t, err, "`GlobalStateDataFlags` must set at least one bitfield", "received unexpected error")
+			statusCode := status.Code(err)
+			require.Equal(t, codes.InvalidArgument, statusCode, "expected InvalidArgument error")
+		})
+	})
+}
diff --git a/api/grpcserver/grpc.go b/api/grpcserver/grpc.go
index 01a38f81207..9528d4dde67 100644
--- a/api/grpcserver/grpc.go
+++ b/api/grpcserver/grpc.go
@@ -1,26 +1,39 @@
 package grpcserver
 
 import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"fmt"
 	"net"
+	"os"
 	"time"
 
+	grpczap "github.com/grpc-ecosystem/go-grpc-middleware/logging/zap"
+	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	grpctags "github.com/grpc-ecosystem/go-grpc-middleware/tags"
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/keepalive"
 	"google.golang.org/grpc/reflection"
-
-	"github.com/spacemeshos/go-spacemesh/log"
 )
 
 // ServiceAPI allows individual grpc services to register the grpc server.
 type ServiceAPI interface {
-	RegisterService(*Server)
+	RegisterService(*grpc.Server)
+	RegisterHandlerService(*runtime.ServeMux) error
+	String() string
 }
 
 // Server is a very basic grpc server.
 type Server struct {
 	listener string
-	logger   log.Logger
+	logger   *zap.Logger
 	// BoundAddress contains the address that the server bound to, useful if
 	// the server uses a dynamic port. It is set during startup and can be
 	// safely accessed after Start has completed (I.E. the returned channel has
@@ -30,21 +43,114 @@ type Server struct {
 	grp          errgroup.Group
 }
 
-// New creates and returns a new Server with port and interface.
-func New(listener string, lg log.Logger, opts ...grpc.ServerOption) *Server {
-	opts = append(opts, ServerOptions...)
+func unaryGrpcLogStart(ctx context.Context, req any, _ *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
+	ctxzap.Info(ctx, "started unary call")
+	return handler(ctx, req)
+}
+
+func streamingGrpcLogStart(srv any, stream grpc.ServerStream, _ *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
+	ctxzap.Info(stream.Context(), "started streaming call")
+	return handler(srv, stream)
+}
+
+// NewPublic creates a new Server listening on the PublicListener address with the given logger and config.
+// Services passed in the svc slice are registered with the server.
+func NewPublic(logger *zap.Logger, config Config, svc []ServiceAPI) (*Server, error) {
+	if len(svc) == 0 {
+		return nil, errors.New("no services to register")
+	}
+
+	server := New(config.PublicListener, logger, config)
+	for _, s := range svc {
+		s.RegisterService(server.GrpcServer)
+	}
+	return server, nil
+}
+
+// NewPrivate creates new Server listening on the PrivateListener address with the given logger and config.
+// Services passed in the svc slice are registered with the server.
+func NewPrivate(logger *zap.Logger, config Config, svc []ServiceAPI) (*Server, error) {
+	if len(svc) == 0 {
+		return nil, errors.New("no services to register")
+	}
+
+	server := New(config.PrivateListener, logger, config)
+	for _, s := range svc {
+		s.RegisterService(server.GrpcServer)
+	}
+	return server, nil
+}
+
+// NewTLS creates a new Server listening on the TLSListener address with the given logger and config.
+// Services passed in the svc slice are registered with the server.
+func NewTLS(logger *zap.Logger, config Config, svc []ServiceAPI) (*Server, error) {
+	if len(svc) == 0 {
+		return nil, errors.New("no services to register")
+	}
+
+	serverCert, err := tls.LoadX509KeyPair(config.TLSCert, config.TLSKey)
+	if err != nil {
+		return nil, fmt.Errorf("load server certificate: %w", err)
+	}
+	caCert, err := os.ReadFile(config.TLSCACert)
+	if err != nil {
+		return nil, fmt.Errorf("load ca certificate: %w", err)
+	}
+
+	certPool := x509.NewCertPool()
+	if !certPool.AppendCertsFromPEM(caCert) {
+		return nil, fmt.Errorf("setup CA certificate")
+	}
+
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{serverCert},
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+		ClientCAs:    certPool,
+	}
+
+	server := New(config.TLSListener, logger, config, grpc.Creds(credentials.NewTLS(tlsConfig)))
+	for _, s := range svc {
+		s.RegisterService(server.GrpcServer)
+	}
+	return server, nil
+}
+
+// New creates and returns a new Server listening on the given address.
+// The server is configured with the given logger and config. Additional grpc options can be passed.
+func New(listener string, logger *zap.Logger, config Config, grpcOpts ...grpc.ServerOption) *Server {
+	opts := []grpc.ServerOption{
+		grpc.ChainStreamInterceptor(grpctags.StreamServerInterceptor(), grpczap.StreamServerInterceptor(logger), streamingGrpcLogStart),
+		grpc.ChainUnaryInterceptor(grpctags.UnaryServerInterceptor(), grpczap.UnaryServerInterceptor(logger), unaryGrpcLogStart),
+		grpc.MaxSendMsgSize(config.GrpcSendMsgSize),
+		grpc.MaxRecvMsgSize(config.GrpcRecvMsgSize),
+	}
+
+	// this is done to prevent routers from cleaning up our connections (e.g aws load balances..)
+	// TODO: these parameters work for now but we might need to revisit or add them as configuration
+	// TODO: Configure maxconns, maxconcurrentcons ..
+	opts = append(opts,
+		grpc.KeepaliveParams(keepalive.ServerParameters{
+			MaxConnectionIdle:     time.Minute * 120,
+			MaxConnectionAge:      time.Minute * 180,
+			MaxConnectionAgeGrace: time.Minute * 10,
+			Time:                  time.Minute,
+			Timeout:               time.Minute * 3,
+		}),
+	)
+
+	opts = append(opts, grpcOpts...)
 	return &Server{
 		listener:   listener,
-		logger:     lg,
+		logger:     logger,
 		GrpcServer: grpc.NewServer(opts...),
 	}
 }
 
 // Start starts the server.
 func (s *Server) Start() error {
-	s.logger.With().Info("starting grpc server",
-		log.String("address", s.listener),
-		log.Array("services", log.ArrayMarshalerFunc(func(encoder log.ArrayEncoder) error {
+	s.logger.Info("starting grpc server",
+		zap.String("address", s.listener),
+		zap.Array("services", zapcore.ArrayMarshalerFunc(func(encoder zapcore.ArrayEncoder) error {
 			for svc := range s.GrpcServer.GetServiceInfo() {
 				encoder.AppendString(svc)
 			}
@@ -53,14 +159,14 @@ func (s *Server) Start() error {
 	)
 	lis, err := net.Listen("tcp", s.listener)
 	if err != nil {
-		s.logger.Error("error listening: %v", err)
+		s.logger.Error("start listen server", zap.Error(err))
 		return err
 	}
 	s.BoundAddress = lis.Addr().String()
 	reflection.Register(s.GrpcServer)
 	s.grp.Go(func() error {
 		if err := s.GrpcServer.Serve(lis); err != nil {
-			s.logger.Error("error serving grpc server: %v", err)
+			s.logger.Error("serving grpc server", zap.Error(err))
 			return err
 		}
 		return nil
@@ -84,17 +190,3 @@ func (s *Server) Close() error {
 	s.GrpcServer.Stop()
 	return s.grp.Wait()
 }
-
-// ServerOptions are shared by all grpc servers.
-var ServerOptions = []grpc.ServerOption{
-	// XXX: this is done to prevent routers from cleaning up our connections (e.g aws load balances..)
-	// TODO: these parameters work for now but we might need to revisit or add them as configuration
-	// TODO: Configure maxconns, maxconcurrentcons ..
-	grpc.KeepaliveParams(keepalive.ServerParameters{
-		MaxConnectionIdle:     time.Minute * 120,
-		MaxConnectionAge:      time.Minute * 180,
-		MaxConnectionAgeGrace: time.Minute * 10,
-		Time:                  time.Minute,
-		Timeout:               time.Minute * 3,
-	}),
-}
diff --git a/api/grpcserver/grpcserver_test.go b/api/grpcserver/grpcserver_test.go
index 61d65c717e8..116c3434b35 100644
--- a/api/grpcserver/grpcserver_test.go
+++ b/api/grpcserver/grpcserver_test.go
@@ -10,7 +10,6 @@ import (
 	"math"
 	"math/big"
 	"net"
-	"net/http"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -24,14 +23,13 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/mock/gomock"
+	"go.uber.org/zap/zaptest"
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/genproto/googleapis/rpc/code"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/status"
-	"google.golang.org/protobuf/encoding/protojson"
-	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/emptypb"
 
 	"github.com/spacemeshos/go-spacemesh/activation"
@@ -89,9 +87,6 @@ var (
 	challenge   = newChallenge(1, prevAtxID, prevAtxID, postGenesisEpoch)
 	globalAtx   *types.VerifiedActivationTx
 	globalAtx2  *types.VerifiedActivationTx
-	signer      *signing.EdSigner
-	signer1     *signing.EdSigner
-	signer2     *signing.EdSigner
 	globalTx    *types.Transaction
 	globalTx2   *types.Transaction
 	ballot1     = genLayerBallot(types.LayerID(11))
@@ -131,10 +126,10 @@ func genLayerBlock(layerID types.LayerID, txs []types.TransactionID) *types.Bloc
 	return b
 }
 
-func dialGrpc(ctx context.Context, tb testing.TB, address string) *grpc.ClientConn {
+func dialGrpc(ctx context.Context, tb testing.TB, cfg Config) *grpc.ClientConn {
 	tb.Helper()
 	conn, err := grpc.DialContext(ctx,
-		address,
+		cfg.PublicListener,
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
 		grpc.WithBlock(),
 	)
@@ -143,33 +138,21 @@ func dialGrpc(ctx context.Context, tb testing.TB, address string) *grpc.ClientCo
 	return conn
 }
 
-func newEdSigner(t *testing.T) *signing.EdSigner {
-	t.Helper()
-	signer, err := signing.NewEdSigner()
-	require.NoError(t, err)
-	return signer
-}
-
-func newAddress(t *testing.T) types.Address {
-	t.Helper()
-	return wallet.Address(newEdSigner(t).PublicKey().Bytes())
-}
-
 func TestMain(m *testing.M) {
 	types.SetLayersPerEpoch(layersPerEpoch)
 
 	var err error
-	signer, err = signing.NewEdSigner()
+	signer, err := signing.NewEdSigner()
 	if err != nil {
 		log.Println("failed to create signer:", err)
 		os.Exit(1)
 	}
-	signer1, err = signing.NewEdSigner()
+	signer1, err := signing.NewEdSigner()
 	if err != nil {
 		log.Println("failed to create signer:", err)
 		os.Exit(1)
 	}
-	signer2, err = signing.NewEdSigner()
+	signer2, err := signing.NewEdSigner()
 	if err != nil {
 		log.Println("failed to create signer:", err)
 		os.Exit(1)
@@ -432,49 +415,20 @@ func newChallenge(sequence uint64, prevAtxID, posAtxID types.ATXID, epoch types.
 	}
 }
 
-func marshalProto(t *testing.T, msg proto.Message) []byte {
-	buf, err := protojson.Marshal(msg)
-	require.NoError(t, err)
-	return buf
-}
-
 func launchServer(tb testing.TB, services ...ServiceAPI) (Config, func()) {
 	cfg := DefaultTestConfig()
+	cfg.PublicListener = "127.0.0.1:0" // run on random port
 
-	// run on random ports
-	grpcService := New("127.0.0.1:0", logtest.New(tb).Named("grpc"))
-	jsonService := NewJSONHTTPServer("127.0.0.1:0", logtest.New(tb).WithName("grpc.JSON"))
-
-	// attach services
-	for _, svc := range services {
-		svc.RegisterService(grpcService)
-	}
+	grpcService, err := NewPublic(zaptest.NewLogger(tb).Named("grpc"), cfg, services)
+	require.NoError(tb, err)
 
-	// start gRPC and json servers
+	// start gRPC server
 	require.NoError(tb, grpcService.Start())
-	if len(services) > 0 {
-		require.NoError(tb, jsonService.StartService(context.Background(), services...))
-	}
 
 	// update config with bound addresses
 	cfg.PublicListener = grpcService.BoundAddress
-	cfg.JSONListener = jsonService.BoundAddress
-
-	return cfg, func() {
-		assert.NoError(tb, grpcService.Close())
-		assert.NoError(tb, jsonService.Shutdown(context.Background()))
-	}
-}
 
-func callEndpoint(t *testing.T, url string, payload []byte) ([]byte, int) {
-	resp, err := http.Post(url, "application/json", bytes.NewReader(payload))
-	require.NoError(t, err)
-	require.Equal(t, "application/json", resp.Header.Get("Content-Type"))
-	buf, err := io.ReadAll(resp.Body)
-	require.NoError(t, err)
-	require.NoError(t, resp.Body.Close())
-
-	return buf, resp.StatusCode
+	return cfg, func() { assert.NoError(tb, grpcService.Close()) }
 }
 
 func getFreePort(optionalPort int) (int, error) {
@@ -496,382 +450,13 @@ func TestNewServersConfig(t *testing.T) {
 	port2, err := getFreePort(0)
 	require.NoError(t, err, "Should be able to establish a connection on a port")
 
-	grpcService := New(fmt.Sprintf(":%d", port1), logtest.New(t).Named("grpc"))
-	jsonService := NewJSONHTTPServer(fmt.Sprintf(":%d", port2), logtest.New(t).WithName("grpc.JSON"))
+	grpcService := New(fmt.Sprintf(":%d", port1), zaptest.NewLogger(t).Named("grpc"), DefaultTestConfig())
+	jsonService := NewJSONHTTPServer(fmt.Sprintf(":%d", port2), zaptest.NewLogger(t).Named("grpc.JSON"))
 
 	require.Contains(t, grpcService.listener, strconv.Itoa(port1), "Expected same port")
 	require.Contains(t, jsonService.listener, strconv.Itoa(port2), "Expected same port")
 }
 
-func TestNodeService(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	syncer := NewMocksyncer(ctrl)
-	syncer.EXPECT().IsSynced(gomock.Any()).Return(false).AnyTimes()
-	peerCounter := NewMockpeerCounter(ctrl)
-	peerCounter.EXPECT().PeerCount().Return(uint64(0)).AnyTimes()
-	genTime := NewMockgenesisTimeAPI(ctrl)
-
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
-	defer cancel()
-
-	version := "v0.0.0"
-	build := "cafebabe"
-	grpcService := NewNodeService(peerCounter, meshAPIMock, genTime, syncer, version, build)
-	cfg, cleanup := launchServer(t, grpcService)
-	t.Cleanup(cleanup)
-
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
-	c := pb.NewNodeServiceClient(conn)
-
-	// Construct an array of test cases to test each endpoint in turn
-	testCases := []struct {
-		name string
-		run  func(t *testing.T)
-	}{
-		{"Echo", func(t *testing.T) {
-			const message = "Hello World"
-			res, err := c.Echo(context.Background(), &pb.EchoRequest{
-				Msg: &pb.SimpleString{Value: message},
-			})
-			require.NoError(t, err)
-			require.Equal(t, message, res.Msg.Value)
-
-			// now try sending bad payloads
-			_, err = c.Echo(context.Background(), &pb.EchoRequest{Msg: nil})
-			require.Error(t, err)
-			grpcStatus, ok := status.FromError(err)
-			require.True(t, ok)
-			require.Equal(t, codes.InvalidArgument, grpcStatus.Code())
-			require.Equal(t, "Must include `Msg`", grpcStatus.Message())
-
-			_, err = c.Echo(context.Background(), &pb.EchoRequest{})
-			require.Error(t, err)
-			grpcStatus, ok = status.FromError(err)
-			require.True(t, ok)
-			require.Equal(t, codes.InvalidArgument, grpcStatus.Code())
-			require.Equal(t, "Must include `Msg`", grpcStatus.Message())
-		}},
-		{"Version", func(t *testing.T) {
-			res, err := c.Version(context.Background(), &emptypb.Empty{})
-			require.NoError(t, err)
-			require.Equal(t, version, res.VersionString.Value)
-		}},
-		{"Build", func(t *testing.T) {
-			res, err := c.Build(context.Background(), &emptypb.Empty{})
-			require.NoError(t, err)
-			require.Equal(t, build, res.BuildString.Value)
-		}},
-		{"Status", func(t *testing.T) {
-			// First do a mock checking during a genesis layer
-			// During genesis all layers should be set to current layer
-
-			layerCurrent := types.LayerID(layersPerEpoch) // end of first epoch
-			genTime.EXPECT().CurrentLayer().Return(layerCurrent)
-			req := &pb.StatusRequest{}
-			res, err := c.Status(context.Background(), req)
-			require.NoError(t, err)
-			require.Equal(t, uint64(0), res.Status.ConnectedPeers)
-			require.Equal(t, false, res.Status.IsSynced)
-			require.Equal(t, layerLatest.Uint32(), res.Status.SyncedLayer.Number)
-			require.Equal(t, layerCurrent.Uint32(), res.Status.TopLayer.Number)
-			require.Equal(t, layerLatest.Uint32(), res.Status.VerifiedLayer.Number)
-
-			// Now do a mock check post-genesis
-			layerCurrent = types.LayerID(12)
-			genTime.EXPECT().CurrentLayer().Return(layerCurrent)
-			res, err = c.Status(context.Background(), req)
-			require.NoError(t, err)
-			require.Equal(t, uint64(0), res.Status.ConnectedPeers)
-			require.Equal(t, false, res.Status.IsSynced)
-			require.Equal(t, layerLatest.Uint32(), res.Status.SyncedLayer.Number)
-			require.Equal(t, layerCurrent.Uint32(), res.Status.TopLayer.Number)
-			require.Equal(t, layerVerified.Uint32(), res.Status.VerifiedLayer.Number)
-		}},
-		{"NodeInfo", func(t *testing.T) {
-			resp, err := c.NodeInfo(ctx, &emptypb.Empty{})
-			require.NoError(t, err)
-			require.Equal(t, resp.Hrp, types.NetworkHRP())
-			require.Equal(t, resp.FirstGenesis, types.FirstEffectiveGenesis().Uint32())
-			require.Equal(t, resp.EffectiveGenesis, types.GetEffectiveGenesis().Uint32())
-			require.Equal(t, resp.EpochSize, types.GetLayersPerEpoch())
-		}},
-		// NOTE: ErrorStream and StatusStream have comprehensive, E2E tests in cmd/node/node_test.go.
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, tc.run)
-	}
-}
-
-func TestGlobalStateService(t *testing.T) {
-	svc := NewGlobalStateService(meshAPIMock, conStateAPI)
-	cfg, cleanup := launchServer(t, svc)
-	t.Cleanup(cleanup)
-
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
-	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
-	c := pb.NewGlobalStateServiceClient(conn)
-
-	// Construct an array of test cases to test each endpoint in turn
-	testCases := []struct {
-		name string
-		run  func(*testing.T)
-	}{
-		{"GlobalStateHash", func(t *testing.T) {
-			res, err := c.GlobalStateHash(context.Background(), &pb.GlobalStateHashRequest{})
-			require.NoError(t, err)
-			require.Equal(t, layerVerified.Uint32(), res.Response.Layer.Number)
-			require.Equal(t, stateRoot.Bytes(), res.Response.RootHash)
-		}},
-		{"Account", func(t *testing.T) {
-			res, err := c.Account(context.Background(), &pb.AccountRequest{
-				AccountId: &pb.AccountId{Address: addr1.String()},
-			})
-			require.NoError(t, err)
-			require.Equal(t, addr1.String(), res.AccountWrapper.AccountId.Address)
-			require.Equal(t, uint64(accountBalance), res.AccountWrapper.StateCurrent.Balance.Value)
-			require.Equal(t, uint64(accountCounter), res.AccountWrapper.StateCurrent.Counter)
-			require.Equal(t, uint64(accountBalance+1), res.AccountWrapper.StateProjected.Balance.Value)
-			require.Equal(t, uint64(accountCounter+1), res.AccountWrapper.StateProjected.Counter)
-		}},
-		{"AccountDataQuery_MissingFilter", func(t *testing.T) {
-			_, err := c.AccountDataQuery(context.Background(), &pb.AccountDataQueryRequest{})
-			require.Error(t, err)
-			require.Contains(t, err.Error(), "`Filter` must be provided")
-		}},
-		{"AccountDataQuery_MissingFlags", func(t *testing.T) {
-			_, err := c.AccountDataQuery(context.Background(), &pb.AccountDataQueryRequest{
-				Filter: &pb.AccountDataFilter{
-					AccountId: &pb.AccountId{Address: addr1.String()},
-				},
-			})
-			require.Error(t, err)
-			require.Contains(t, err.Error(), "`Filter.AccountMeshDataFlags` must set at least one")
-		}},
-		{"AccountDataQuery_BadOffset", func(t *testing.T) {
-			res, err := c.AccountDataQuery(context.Background(), &pb.AccountDataQueryRequest{
-				MaxResults: uint32(1),
-				Offset:     math.MaxUint32,
-				Filter: &pb.AccountDataFilter{
-					AccountId: &pb.AccountId{Address: addr1.String()},
-					AccountDataFlags: uint32(pb.AccountDataFlag_ACCOUNT_DATA_FLAG_ACCOUNT |
-						pb.AccountDataFlag_ACCOUNT_DATA_FLAG_REWARD),
-				},
-			})
-			// huge offset is not an error, we just expect no results
-			require.NoError(t, err)
-			require.Equal(t, uint32(0), res.TotalResults)
-			require.Equal(t, 0, len(res.AccountItem))
-		}},
-		{"AccountDataQuery_ZeroMaxResults", func(t *testing.T) {
-			res, err := c.AccountDataQuery(context.Background(), &pb.AccountDataQueryRequest{
-				MaxResults: uint32(0),
-				Filter: &pb.AccountDataFilter{
-					AccountId: &pb.AccountId{Address: addr1.String()},
-					AccountDataFlags: uint32(pb.AccountDataFlag_ACCOUNT_DATA_FLAG_ACCOUNT |
-						pb.AccountDataFlag_ACCOUNT_DATA_FLAG_REWARD),
-				},
-			})
-			// zero maxresults means return everything
-			require.NoError(t, err)
-			require.Equal(t, uint32(2), res.TotalResults)
-			require.Equal(t, 2, len(res.AccountItem))
-		}},
-		{"AccountDataQuery_OneResult", func(t *testing.T) {
-			res, err := c.AccountDataQuery(context.Background(), &pb.AccountDataQueryRequest{
-				MaxResults: uint32(1),
-				Filter: &pb.AccountDataFilter{
-					AccountId: &pb.AccountId{Address: addr1.String()},
-					AccountDataFlags: uint32(pb.AccountDataFlag_ACCOUNT_DATA_FLAG_ACCOUNT |
-						pb.AccountDataFlag_ACCOUNT_DATA_FLAG_REWARD),
-				},
-			})
-			require.NoError(t, err)
-			require.Equal(t, uint32(2), res.TotalResults)
-			require.Equal(t, 1, len(res.AccountItem))
-			checkAccountDataQueryItemReward(t, res.AccountItem[0].Datum)
-		}},
-		{"AccountDataQuery", func(t *testing.T) {
-			res, err := c.AccountDataQuery(context.Background(), &pb.AccountDataQueryRequest{
-				Filter: &pb.AccountDataFilter{
-					AccountId: &pb.AccountId{Address: addr1.String()},
-					AccountDataFlags: uint32(pb.AccountDataFlag_ACCOUNT_DATA_FLAG_ACCOUNT |
-						pb.AccountDataFlag_ACCOUNT_DATA_FLAG_REWARD),
-				},
-			})
-			require.NoError(t, err)
-			require.Equal(t, uint32(2), res.TotalResults)
-			require.Equal(t, 2, len(res.AccountItem))
-			checkAccountDataQueryItemReward(t, res.AccountItem[0].Datum)
-			checkAccountDataQueryItemAccount(t, res.AccountItem[1].Datum)
-		}},
-		{"AppEventStream", func(t *testing.T) {
-			stream, err := c.AppEventStream(context.Background(), &pb.AppEventStreamRequest{})
-			// We expect to be able to open the stream but for it to fail upon the first request
-			require.NoError(t, err)
-			_, err = stream.Recv()
-			statusCode := status.Code(err)
-			require.Equal(t, codes.Unimplemented, statusCode)
-		}},
-		{name: "AccountDataStream", run: func(t *testing.T) {
-			// common testing framework
-			generateRunFn := func(req *pb.AccountDataStreamRequest) func(*testing.T) {
-				return func(*testing.T) {
-					// Just try opening and immediately closing the stream
-					stream, err := c.AccountDataStream(context.Background(), req)
-					require.NoError(t, err, "unexpected error opening stream")
-
-					// Do we need this? It doesn't seem to cause any harm
-					stream.Context().Done()
-				}
-			}
-			generateRunFnError := func(msg string, req *pb.AccountDataStreamRequest) func(*testing.T) {
-				return func(t *testing.T) {
-					// there should be no error opening the stream
-					stream, err := c.AccountDataStream(context.Background(), req)
-					require.NoError(t, err, "unexpected error opening stream")
-
-					// sending a request should generate an error
-					_, err = stream.Recv()
-					require.Error(t, err, "expected an error")
-					require.Contains(t, err.Error(), msg, "received unexpected error")
-					statusCode := status.Code(err)
-					require.Equal(t, codes.InvalidArgument, statusCode, "expected InvalidArgument error")
-
-					// Do we need this? It doesn't seem to cause any harm
-					stream.Context().Done()
-				}
-			}
-			subtests := []struct {
-				name string
-				run  func(*testing.T)
-			}{
-				// ERROR INPUTS
-				// We expect these to produce errors
-				{
-					name: "missing filter",
-					run:  generateRunFnError("`Filter` must be provided", &pb.AccountDataStreamRequest{}),
-				},
-				{
-					name: "empty filter",
-					run: generateRunFnError("`Filter.AccountId` must be provided", &pb.AccountDataStreamRequest{
-						Filter: &pb.AccountDataFilter{},
-					}),
-				},
-				{
-					name: "missing address",
-					run: generateRunFnError("`Filter.AccountId` must be provided", &pb.AccountDataStreamRequest{
-						Filter: &pb.AccountDataFilter{
-							AccountDataFlags: uint32(
-								pb.AccountDataFlag_ACCOUNT_DATA_FLAG_REWARD |
-									pb.AccountDataFlag_ACCOUNT_DATA_FLAG_ACCOUNT),
-						},
-					}),
-				},
-				{
-					name: "filter with zero flags",
-					run: generateRunFnError("`Filter.AccountDataFlags` must set at least one bitfield", &pb.AccountDataStreamRequest{
-						Filter: &pb.AccountDataFilter{
-							AccountId:        &pb.AccountId{Address: addr1.String()},
-							AccountDataFlags: uint32(0),
-						},
-					}),
-				},
-
-				// SUCCESS
-				{
-					name: "empty address",
-					run: generateRunFn(&pb.AccountDataStreamRequest{
-						Filter: &pb.AccountDataFilter{
-							AccountId: &pb.AccountId{},
-							AccountDataFlags: uint32(
-								pb.AccountDataFlag_ACCOUNT_DATA_FLAG_REWARD |
-									pb.AccountDataFlag_ACCOUNT_DATA_FLAG_ACCOUNT),
-						},
-					}),
-				},
-				{
-					name: "invalid address",
-					run: generateRunFn(&pb.AccountDataStreamRequest{
-						Filter: &pb.AccountDataFilter{
-							AccountId: &pb.AccountId{Address: types.GenerateAddress([]byte{'A'}).String()},
-							AccountDataFlags: uint32(
-								pb.AccountDataFlag_ACCOUNT_DATA_FLAG_REWARD |
-									pb.AccountDataFlag_ACCOUNT_DATA_FLAG_ACCOUNT),
-						},
-					}),
-				},
-			}
-
-			// Run sub-subtests
-			for _, r := range subtests {
-				t.Run(r.name, r.run)
-			}
-		}},
-		{name: "GlobalStateStream", run: func(t *testing.T) {
-			// common testing framework
-			generateRunFn := func(req *pb.GlobalStateStreamRequest) func(*testing.T) {
-				return func(*testing.T) {
-					// Just try opening and immediately closing the stream
-					stream, err := c.GlobalStateStream(context.Background(), req)
-					require.NoError(t, err, "unexpected error opening stream")
-
-					// Do we need this? It doesn't seem to cause any harm
-					stream.Context().Done()
-				}
-			}
-			generateRunFnError := func(msg string, req *pb.GlobalStateStreamRequest) func(*testing.T) {
-				return func(t *testing.T) {
-					// there should be no error opening the stream
-					stream, err := c.GlobalStateStream(context.Background(), req)
-					require.NoError(t, err, "unexpected error opening stream")
-
-					// sending a request should generate an error
-					_, err = stream.Recv()
-					require.Error(t, err, "expected an error")
-					require.Contains(t, err.Error(), msg, "received unexpected error")
-					statusCode := status.Code(err)
-					require.Equal(t, codes.InvalidArgument, statusCode, "expected InvalidArgument error")
-
-					// Do we need this? It doesn't seem to cause any harm
-					stream.Context().Done()
-				}
-			}
-			subtests := []struct {
-				name string
-				run  func(*testing.T)
-			}{
-				// ERROR INPUTS
-				// We expect these to produce errors
-				{
-					name: "zero flags",
-					run: generateRunFnError("`GlobalStateDataFlags` must set at least one bitfield",
-						&pb.GlobalStateStreamRequest{GlobalStateDataFlags: uint32(0)}),
-				},
-
-				// SUCCESS
-				{
-					name: "nonzero flags",
-					run: generateRunFn(&pb.GlobalStateStreamRequest{
-						GlobalStateDataFlags: uint32(pb.GlobalStateDataFlag_GLOBAL_STATE_DATA_FLAG_ACCOUNT),
-					}),
-				},
-			}
-
-			// Run sub-subtests
-			for _, r := range subtests {
-				t.Run(r.name, r.run)
-			}
-		}},
-	}
-
-	// Run subtests
-	for _, tc := range testCases {
-		t.Run(tc.name, tc.run)
-	}
-}
-
 type smesherServiceConn struct {
 	pb.SmesherServiceClient
 
@@ -891,7 +476,7 @@ func setupSmesherService(t *testing.T) (*smesherServiceConn, context.Context) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	client := pb.NewSmesherServiceClient(conn)
 
 	return &smesherServiceConn{
@@ -953,10 +538,11 @@ func TestSmesherService(t *testing.T) {
 	t.Run("SmesherID", func(t *testing.T) {
 		t.Parallel()
 		c, ctx := setupSmesherService(t)
-		c.smeshingProvider.EXPECT().SmesherID().Return(signer.NodeID())
+		nodeId := types.RandomNodeID()
+		c.smeshingProvider.EXPECT().SmesherID().Return(nodeId)
 		res, err := c.SmesherID(ctx, &emptypb.Empty{})
 		require.NoError(t, err)
-		require.Equal(t, signer.NodeID().Bytes(), res.PublicKey)
+		require.Equal(t, nodeId.Bytes(), res.PublicKey)
 	})
 
 	t.Run("SetCoinbaseMissingArgs", func(t *testing.T) {
@@ -1063,14 +649,14 @@ func TestMeshService(t *testing.T) {
 	genTime.EXPECT().GenesisTime().Return(genesis)
 	genTime.EXPECT().CurrentLayer().Return(layerCurrent).AnyTimes()
 	db := datastore.NewCachedDB(sql.InMemory(), logtest.New(t))
-	grpcService := NewMeshService(db, meshAPIMock, conStateAPI, genTime, layersPerEpoch, types.Hash20{}, layerDuration, layerAvgSize, txsPerProposal)
+	svc := NewMeshService(db, meshAPIMock, conStateAPI, genTime, layersPerEpoch, types.Hash20{}, layerDuration, layerAvgSize, txsPerProposal)
 	require.NoError(t, activesets.Add(db, ballot1.EpochData.ActiveSetHash, &types.EpochActiveSet{Set: types.ATXIDList{globalAtx.ID(), globalAtx2.ID()}}))
-	cfg, cleanup := launchServer(t, grpcService)
+	cfg, cleanup := launchServer(t, svc)
 	t.Cleanup(cleanup)
 
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	c := pb.NewMeshServiceClient(conn)
 
 	// Construct an array of test cases to test each endpoint in turn
@@ -1575,13 +1161,13 @@ func TestTransactionServiceSubmitUnsync(t *testing.T) {
 	txHandler := NewMocktxValidator(ctrl)
 	txHandler.EXPECT().VerifyAndCacheTx(gomock.Any(), gomock.Any()).Return(nil)
 
-	grpcService := NewTransactionService(sql.InMemory(), publisher, meshAPIMock, conStateAPI, syncer, txHandler)
-	cfg, cleanup := launchServer(t, grpcService)
+	svc := NewTransactionService(sql.InMemory(), publisher, meshAPIMock, conStateAPI, syncer, txHandler)
+	cfg, cleanup := launchServer(t, svc)
 	t.Cleanup(cleanup)
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	c := pb.NewTransactionServiceClient(conn)
 
 	serializedTx, err := codec.Encode(globalTx)
@@ -1620,7 +1206,7 @@ func TestTransactionServiceSubmitInvalidTx(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	c := pb.NewTransactionServiceClient(conn)
 
 	serializedTx, err := codec.Encode(globalTx)
@@ -1653,7 +1239,7 @@ func TestTransactionService_SubmitNoConcurrency(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	c := pb.NewTransactionServiceClient(conn)
 	for i := 0; i < numTxs; i++ {
 		res, err := c.SubmitTransaction(ctx, &pb.SubmitTransactionRequest{
@@ -1681,7 +1267,7 @@ func TestTransactionService(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	c := pb.NewTransactionServiceClient(conn)
 
 	// Construct an array of test cases to test each endpoint in turn
@@ -2021,7 +1607,7 @@ func TestAccountMeshDataStream_comprehensive(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	c := pb.NewMeshServiceClient(conn)
 
 	// set up the grpc listener stream
@@ -2077,7 +1663,7 @@ func TestAccountDataStream_comprehensive(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	c := pb.NewGlobalStateServiceClient(conn)
 
 	// set up the grpc listener stream
@@ -2136,7 +1722,7 @@ func TestGlobalStateStream_comprehensive(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	c := pb.NewGlobalStateServiceClient(conn)
 
 	// set up the grpc listener stream
@@ -2200,7 +1786,7 @@ func TestLayerStream_comprehensive(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 
 	// set up the grpc listener stream
 	c := pb.NewMeshServiceClient(conn)
@@ -2341,8 +1927,8 @@ func TestMultiService(t *testing.T) {
 	cfg, shutDown := launchServer(t, svc1, svc2)
 	t.Cleanup(shutDown)
 
-	c1 := pb.NewNodeServiceClient(dialGrpc(ctx, t, cfg.PublicListener))
-	c2 := pb.NewMeshServiceClient(dialGrpc(ctx, t, cfg.PublicListener))
+	c1 := pb.NewNodeServiceClient(dialGrpc(ctx, t, cfg))
+	c2 := pb.NewMeshServiceClient(dialGrpc(ctx, t, cfg))
 
 	// call endpoints and validate results
 	const message = "Hello World"
@@ -2371,50 +1957,6 @@ func TestMultiService(t *testing.T) {
 	require.Contains(t, err2.Error(), "rpc error: code = Unavailable")
 }
 
-func TestJsonApi(t *testing.T) {
-	const message = "hello world!"
-
-	// we cannot start the gateway service without enabling at least one service
-	cfg, shutDown := launchServer(t)
-	t.Cleanup(shutDown)
-	time.Sleep(time.Second)
-
-	payload := marshalProto(t, &pb.EchoRequest{Msg: &pb.SimpleString{Value: message}})
-	url := fmt.Sprintf("http://%s/%s", cfg.JSONListener, "v1/node/echo")
-	_, err := http.Post(url, "application/json", bytes.NewReader(payload))
-	require.Error(t, err)
-	shutDown()
-
-	// enable services and try again
-	ctrl := gomock.NewController(t)
-	syncer := NewMocksyncer(ctrl)
-	syncer.EXPECT().IsSynced(gomock.Any()).Return(false).AnyTimes()
-	peerCounter := NewMockpeerCounter(ctrl)
-	genTime := NewMockgenesisTimeAPI(ctrl)
-	genesis := time.Unix(genTimeUnix, 0)
-	genTime.EXPECT().GenesisTime().Return(genesis)
-	svc1 := NewNodeService(peerCounter, meshAPIMock, genTime, syncer, "v0.0.0", "cafebabe")
-	svc2 := NewMeshService(datastore.NewCachedDB(sql.InMemory(), logtest.New(t)), meshAPIMock, conStateAPI, genTime, layersPerEpoch, types.Hash20{}, layerDuration, layerAvgSize, txsPerProposal)
-	cfg, cleanup := launchServer(t, svc1, svc2)
-	t.Cleanup(cleanup)
-	time.Sleep(time.Second)
-
-	// generate request payload (api input params)
-	payload = marshalProto(t, &pb.EchoRequest{Msg: &pb.SimpleString{Value: message}})
-	respBody, respStatus := callEndpoint(t, fmt.Sprintf("http://%s/v1/node/echo", cfg.JSONListener), payload)
-	require.Equal(t, http.StatusOK, respStatus)
-	var msg pb.EchoResponse
-	require.NoError(t, protojson.Unmarshal(respBody, &msg))
-	require.Equal(t, message, msg.Msg.Value)
-
-	// Test MeshService
-	respBody2, respStatus2 := callEndpoint(t, fmt.Sprintf("http://%s/v1/mesh/genesistime", cfg.JSONListener), nil)
-	require.Equal(t, http.StatusOK, respStatus2)
-	var msg2 pb.GenesisTimeResponse
-	require.NoError(t, protojson.Unmarshal(respBody2, &msg2))
-	require.Equal(t, uint64(genesis.Unix()), msg2.Unixtime.Value)
-}
-
 func TestDebugService(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	identity := NewMocknetworkIdentity(ctrl)
@@ -2426,7 +1968,7 @@ func TestDebugService(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	c := pb.NewDebugServiceClient(conn)
 
 	t.Run("Accounts", func(t *testing.T) {
@@ -2531,8 +2073,8 @@ func TestEventsReceived(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
 
-	conn1 := dialGrpc(ctx, t, cfg.PublicListener)
-	conn2 := dialGrpc(ctx, t, cfg.PublicListener)
+	conn1 := dialGrpc(ctx, t, cfg)
+	conn2 := dialGrpc(ctx, t, cfg)
 
 	txClient := pb.NewTransactionServiceClient(conn1)
 	accountClient := pb.NewGlobalStateServiceClient(conn2)
@@ -2608,9 +2150,9 @@ func TestTransactionsRewards(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	t.Cleanup(cancel)
-	client := pb.NewGlobalStateServiceClient(dialGrpc(ctx, t, cfg.PublicListener))
+	client := pb.NewGlobalStateServiceClient(dialGrpc(ctx, t, cfg))
 
-	address := newAddress(t)
+	address := wallet.Address(types.RandomNodeID().Bytes())
 	weight := new(big.Rat).SetFloat64(18.7)
 	rewards := []types.CoinbaseReward{{Coinbase: address, Weight: types.RatNumFromBigRat(weight)}}
 
@@ -2698,7 +2240,7 @@ func TestVMAccountUpdates(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	t.Cleanup(cancel)
-	client := pb.NewGlobalStateServiceClient(dialGrpc(ctx, t, cfg.PublicListener))
+	client := pb.NewGlobalStateServiceClient(dialGrpc(ctx, t, cfg))
 	eg, ctx := errgroup.WithContext(ctx)
 	states := make(chan *pb.AccountState, len(accounts))
 	for _, account := range accounts {
@@ -2785,7 +2327,7 @@ func TestMeshService_EpochStream(t *testing.T) {
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	client := pb.NewMeshServiceClient(conn)
 
 	stream, err := client.EpochStream(ctx, &pb.EpochStreamRequest{Epoch: epoch.Uint32()})
diff --git a/api/grpcserver/grpcserver_tls_test.go b/api/grpcserver/grpcserver_tls_test.go
new file mode 100644
index 00000000000..2faa27e3546
--- /dev/null
+++ b/api/grpcserver/grpcserver_tls_test.go
@@ -0,0 +1,46 @@
+package grpcserver
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/zap/zaptest"
+)
+
+const (
+	caCert     = "testdata/ca.crt"
+	serverCert = "testdata/server.crt"
+	serverKey  = "testdata/server.key"
+	clientCert = "testdata/client.crt"
+	clientKey  = "testdata/client.key"
+)
+
+func launchTLSServer(tb testing.TB, services ...ServiceAPI) (Config, func()) {
+	pwd, err := os.Getwd()
+	require.NoError(tb, err)
+	caCert := filepath.Join(pwd, caCert)
+	require.FileExists(tb, caCert)
+	serverCert := filepath.Join(pwd, serverCert)
+	require.FileExists(tb, serverCert)
+	serverKey := filepath.Join(pwd, serverKey)
+	require.FileExists(tb, serverKey)
+
+	cfg := DefaultTestConfig()
+	cfg.TLSCACert = caCert
+	cfg.TLSCert = serverCert
+	cfg.TLSKey = serverKey
+
+	grpcService, err := NewTLS(zaptest.NewLogger(tb).Named("grpc.TLS"), cfg, services)
+	require.NoError(tb, err)
+
+	// start gRPC server
+	require.NoError(tb, grpcService.Start())
+
+	// update config with bound addresses
+	cfg.TLSListener = grpcService.BoundAddress
+
+	return cfg, func() { assert.NoError(tb, grpcService.Close()) }
+}
diff --git a/api/grpcserver/http_server.go b/api/grpcserver/http_server.go
index 0d026f224a6..1dc58e23b66 100644
--- a/api/grpcserver/http_server.go
+++ b/api/grpcserver/http_server.go
@@ -8,17 +8,15 @@ import (
 	"net/http"
 
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
-	pb "github.com/spacemeshos/api/release/go/spacemesh/v1"
+	"go.uber.org/zap"
 	"golang.org/x/sync/errgroup"
-
-	"github.com/spacemeshos/go-spacemesh/log"
 )
 
 // JSONHTTPServer is a JSON http server providing the Spacemesh API.
 // It is implemented using a grpc-gateway. See https://github.com/grpc-ecosystem/grpc-gateway .
 type JSONHTTPServer struct {
 	listener string
-	logger   log.Logger
+	logger   *zap.Logger
 
 	// BoundAddress contains the address that the server bound to, useful if
 	// the server uses a dynamic port. It is set during startup and can be
@@ -26,11 +24,11 @@ type JSONHTTPServer struct {
 	// been waited on)
 	BoundAddress string
 	server       *http.Server
-	grp          errgroup.Group
+	eg           errgroup.Group
 }
 
 // NewJSONHTTPServer creates a new json http server.
-func NewJSONHTTPServer(listener string, lg log.Logger) *JSONHTTPServer {
+func NewJSONHTTPServer(listener string, lg *zap.Logger) *JSONHTTPServer {
 	return &JSONHTTPServer{
 		logger:   lg,
 		listener: listener,
@@ -49,7 +47,7 @@ func (s *JSONHTTPServer) Shutdown(ctx context.Context) error {
 			return fmt.Errorf("shutdown: %w", err)
 		}
 	}
-	err := s.grp.Wait()
+	err := s.eg.Wait()
 	if errors.Is(err, http.ErrServerClosed) {
 		return nil
 	}
@@ -66,52 +64,27 @@ func (s *JSONHTTPServer) StartService(
 		s.logger.Error("not starting grpc gateway service; at least one service must be enabled")
 		return errors.New("no services provided")
 	}
-	ctx, cancel := context.WithCancel(ctx)
-
-	// This will close all downstream connections when the server closes
-	defer cancel()
-
-	mux := runtime.NewServeMux()
 
 	// register each individual, enabled service
-	serviceCount := 0
+	mux := runtime.NewServeMux()
 	for _, svc := range services {
-		var err error
-		switch typed := svc.(type) {
-		case *GlobalStateService:
-			err = pb.RegisterGlobalStateServiceHandlerServer(ctx, mux, typed)
-		case *MeshService:
-			err = pb.RegisterMeshServiceHandlerServer(ctx, mux, typed)
-		case *NodeService:
-			err = pb.RegisterNodeServiceHandlerServer(ctx, mux, typed)
-		case *SmesherService:
-			err = pb.RegisterSmesherServiceHandlerServer(ctx, mux, typed)
-		case *TransactionService:
-			err = pb.RegisterTransactionServiceHandlerServer(ctx, mux, typed)
-		case *DebugService:
-			err = pb.RegisterDebugServiceHandlerServer(ctx, mux, typed)
-		}
-		if err != nil {
-			s.logger.Error("registering %T with grpc gateway failed with %v", svc, err)
-			return err
+		if err := svc.RegisterHandlerService(mux); err != nil {
+			return fmt.Errorf("registering service %s with grpc gateway failed: %w", svc, err)
 		}
-		serviceCount++
 	}
 
-	s.logger.With().Info("starting grpc gateway server", log.String("address", s.listener))
-
+	s.logger.Info("starting grpc gateway server", zap.String("address", s.listener))
 	lis, err := net.Listen("tcp", s.listener)
 	if err != nil {
-		s.logger.Error("error listening: %v", err)
-		return err
+		return fmt.Errorf("listening on %s: %w", s.listener, err)
 	}
 	s.BoundAddress = lis.Addr().String()
 	s.server = &http.Server{
 		Handler: mux,
 	}
-	s.grp.Go(func() error {
+	s.eg.Go(func() error {
 		if err := s.server.Serve(lis); err != nil {
-			s.logger.Error("error from grpc http server: %v", err)
+			s.logger.Error("serving grpc server", zap.Error(err))
 			return nil
 		}
 		return nil
diff --git a/api/grpcserver/http_server_test.go b/api/grpcserver/http_server_test.go
new file mode 100644
index 00000000000..4448b20451d
--- /dev/null
+++ b/api/grpcserver/http_server_test.go
@@ -0,0 +1,91 @@
+package grpcserver
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"testing"
+	"time"
+
+	pb "github.com/spacemeshos/api/release/go/spacemesh/v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/mock/gomock"
+	"go.uber.org/zap/zaptest"
+	"google.golang.org/protobuf/encoding/protojson"
+
+	"github.com/spacemeshos/go-spacemesh/common/types"
+	"github.com/spacemeshos/go-spacemesh/datastore"
+	"github.com/spacemeshos/go-spacemesh/log/logtest"
+	"github.com/spacemeshos/go-spacemesh/sql"
+)
+
+func launchJsonServer(tb testing.TB, services ...ServiceAPI) (Config, func()) {
+	cfg := DefaultTestConfig()
+
+	// run on random port
+	jsonService := NewJSONHTTPServer("127.0.0.1:0", zaptest.NewLogger(tb).Named("grpc.JSON"))
+
+	// start json server
+	require.NoError(tb, jsonService.StartService(context.Background(), services...))
+
+	// update config with bound address
+	cfg.JSONListener = jsonService.BoundAddress
+
+	return cfg, func() { assert.NoError(tb, jsonService.Shutdown(context.Background())) }
+}
+
+func callEndpoint(ctx context.Context, tb testing.TB, url string, body []byte) ([]byte, int) {
+	req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(body))
+	require.NoError(tb, err)
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := http.DefaultClient.Do(req)
+	require.NoError(tb, err)
+	require.Equal(tb, "application/json", resp.Header.Get("Content-Type"))
+	buf, err := io.ReadAll(resp.Body)
+	require.NoError(tb, err)
+	require.NoError(tb, resp.Body.Close())
+	return buf, resp.StatusCode
+}
+
+func TestJsonApi(t *testing.T) {
+	const layerDuration = 10 * time.Second
+	const layerAvgSize = 10
+	const txsPerProposal = 99
+	const version = "v0.0.0"
+	const build = "cafebabe"
+
+	ctrl, ctx := gomock.WithContext(context.Background(), t)
+	peerCounter := NewMockpeerCounter(ctrl)
+	meshAPIMock := NewMockmeshAPI(ctrl)
+	genTime := NewMockgenesisTimeAPI(ctrl)
+	syncer := NewMocksyncer(ctrl)
+	conStateAPI := NewMockconservativeState(ctrl)
+	svc1 := NewNodeService(peerCounter, meshAPIMock, genTime, syncer, version, build)
+	svc2 := NewMeshService(datastore.NewCachedDB(sql.InMemory(), logtest.New(t)), meshAPIMock, conStateAPI, genTime, 5, types.Hash20{}, layerDuration, layerAvgSize, txsPerProposal)
+	cfg, cleanup := launchJsonServer(t, svc1, svc2)
+	t.Cleanup(cleanup)
+	time.Sleep(time.Second)
+
+	// generate request payload (api input params)
+	const message = "hello world!"
+	payload, err := protojson.Marshal(&pb.EchoRequest{Msg: &pb.SimpleString{Value: message}})
+	require.NoError(t, err)
+	respBody, respStatus := callEndpoint(ctx, t, fmt.Sprintf("http://%s/v1/node/echo", cfg.JSONListener), payload)
+	require.Equal(t, http.StatusOK, respStatus)
+	var msg pb.EchoResponse
+	require.NoError(t, protojson.Unmarshal(respBody, &msg))
+	require.Equal(t, message, msg.Msg.Value)
+
+	// Test MeshService
+	now := time.Now()
+	genTime.EXPECT().GenesisTime().Return(now)
+	respBody2, respStatus2 := callEndpoint(ctx, t, fmt.Sprintf("http://%s/v1/mesh/genesistime", cfg.JSONListener), nil)
+	require.Equal(t, http.StatusOK, respStatus2)
+	var msg2 pb.GenesisTimeResponse
+	require.NoError(t, protojson.Unmarshal(respBody2, &msg2))
+	require.Equal(t, uint64(now.Unix()), msg2.Unixtime.Value)
+}
diff --git a/api/grpcserver/mesh_service.go b/api/grpcserver/mesh_service.go
index c8a9a8aa814..fdb4d53d661 100644
--- a/api/grpcserver/mesh_service.go
+++ b/api/grpcserver/mesh_service.go
@@ -8,8 +8,10 @@ import (
 	"time"
 
 	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	pb "github.com/spacemeshos/api/release/go/spacemesh/v1"
 	"go.uber.org/zap"
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
@@ -35,8 +37,17 @@ type MeshService struct {
 }
 
 // RegisterService registers this service with a grpc server instance.
-func (s MeshService) RegisterService(server *Server) {
-	pb.RegisterMeshServiceServer(server.GrpcServer, s)
+func (s MeshService) RegisterService(server *grpc.Server) {
+	pb.RegisterMeshServiceServer(server, s)
+}
+
+func (s MeshService) RegisterHandlerService(mux *runtime.ServeMux) error {
+	return pb.RegisterMeshServiceHandlerServer(context.Background(), mux, s)
+}
+
+// String returns the name of this service.
+func (s MeshService) String() string {
+	return "MeshService"
 }
 
 // NewMeshService creates a new service using config data.
diff --git a/api/grpcserver/mesh_service_test.go b/api/grpcserver/mesh_service_test.go
index a68a6902ff8..16044eb339e 100644
--- a/api/grpcserver/mesh_service_test.go
+++ b/api/grpcserver/mesh_service_test.go
@@ -147,7 +147,7 @@ func TestMeshService_MalfeasanceQuery(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	client := pb.NewMeshServiceClient(conn)
 	nodeID, proof := BallotMalfeasance(t, db)
 
@@ -190,7 +190,7 @@ func TestMeshService_MalfeasanceStream(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 	defer cancel()
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	client := pb.NewMeshServiceClient(conn)
 
 	for i := 0; i < 10; i++ {
diff --git a/api/grpcserver/node_service.go b/api/grpcserver/node_service.go
index 58c3b693403..c3fb61e4c26 100644
--- a/api/grpcserver/node_service.go
+++ b/api/grpcserver/node_service.go
@@ -5,8 +5,10 @@ import (
 	"fmt"
 
 	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	pb "github.com/spacemeshos/api/release/go/spacemesh/v1"
 	"go.uber.org/zap/zapcore"
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
@@ -29,8 +31,17 @@ type NodeService struct {
 }
 
 // RegisterService registers this service with a grpc server instance.
-func (s NodeService) RegisterService(server *Server) {
-	pb.RegisterNodeServiceServer(server.GrpcServer, s)
+func (s NodeService) RegisterService(server *grpc.Server) {
+	pb.RegisterNodeServiceServer(server, s)
+}
+
+func (s NodeService) RegisterHandlerService(mux *runtime.ServeMux) error {
+	return pb.RegisterNodeServiceHandlerServer(context.Background(), mux, s)
+}
+
+// String returns the name of this service.
+func (s NodeService) String() string {
+	return "NodeService"
 }
 
 // NewNodeService creates a new grpc service using config data.
diff --git a/api/grpcserver/node_service_test.go b/api/grpcserver/node_service_test.go
new file mode 100644
index 00000000000..752635c3ab0
--- /dev/null
+++ b/api/grpcserver/node_service_test.go
@@ -0,0 +1,153 @@
+package grpcserver
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	pb "github.com/spacemeshos/api/release/go/spacemesh/v1"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/mock/gomock"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/emptypb"
+
+	"github.com/spacemeshos/go-spacemesh/common/types"
+)
+
+type nodeServiceConn struct {
+	pb.NodeServiceClient
+
+	meshAPI     *MockmeshAPI
+	genTime     *MockgenesisTimeAPI
+	peerCounter *MockpeerCounter
+	syncer      *Mocksyncer
+}
+
+func setupNodeService(t *testing.T) (*nodeServiceConn, context.Context) {
+	ctrl, mockCtx := gomock.WithContext(context.Background(), t)
+	peerCounter := NewMockpeerCounter(ctrl)
+	meshAPI := NewMockmeshAPI(ctrl)
+	genTime := NewMockgenesisTimeAPI(ctrl)
+	syncer := NewMocksyncer(ctrl)
+
+	version := "v0.0.0"
+	build := "cafebabe"
+	grpcService := NewNodeService(peerCounter, meshAPI, genTime, syncer, version, build)
+	cfg, cleanup := launchServer(t, grpcService)
+	t.Cleanup(cleanup)
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
+	defer cancel()
+	conn := dialGrpc(ctx, t, cfg)
+	client := pb.NewNodeServiceClient(conn)
+
+	return &nodeServiceConn{
+		NodeServiceClient: client,
+
+		meshAPI:     meshAPI,
+		genTime:     genTime,
+		peerCounter: peerCounter,
+		syncer:      syncer,
+	}, mockCtx
+}
+
+func TestNodeService(t *testing.T) {
+	t.Run("Echo", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupNodeService(t)
+
+		const message = "Hello World"
+		res, err := c.Echo(ctx, &pb.EchoRequest{
+			Msg: &pb.SimpleString{Value: message},
+		})
+		require.NoError(t, err)
+		require.Equal(t, message, res.Msg.Value)
+
+		// now try sending bad payloads
+		_, err = c.Echo(ctx, &pb.EchoRequest{Msg: nil})
+		require.Error(t, err)
+		grpcStatus, ok := status.FromError(err)
+		require.True(t, ok)
+		require.Equal(t, codes.InvalidArgument, grpcStatus.Code())
+		require.Equal(t, "Must include `Msg`", grpcStatus.Message())
+
+		_, err = c.Echo(ctx, &pb.EchoRequest{})
+		require.Error(t, err)
+		grpcStatus, ok = status.FromError(err)
+		require.True(t, ok)
+		require.Equal(t, codes.InvalidArgument, grpcStatus.Code())
+		require.Equal(t, "Must include `Msg`", grpcStatus.Message())
+	})
+	t.Run("Version", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupNodeService(t)
+
+		res, err := c.Version(ctx, &emptypb.Empty{})
+		require.NoError(t, err)
+		require.Equal(t, "v0.0.0", res.VersionString.Value)
+	})
+	t.Run("Build", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupNodeService(t)
+
+		res, err := c.Build(ctx, &emptypb.Empty{})
+		require.NoError(t, err)
+		require.Equal(t, "cafebabe", res.BuildString.Value)
+	})
+	t.Run("Status genesis", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupNodeService(t)
+
+		// First do a mock checking during a genesis layer
+		// During genesis all layers should be set to current layer
+		layerLatest := types.LayerID(10)
+		c.meshAPI.EXPECT().LatestLayer().Return(layerLatest)
+		layerCurrent := types.LayerID(layersPerEpoch) // end of first epoch
+		c.genTime.EXPECT().CurrentLayer().Return(layerCurrent)
+		c.peerCounter.EXPECT().PeerCount().Return(0)
+		c.syncer.EXPECT().IsSynced(gomock.Any()).Return(false)
+
+		res, err := c.Status(ctx, &pb.StatusRequest{})
+		require.NoError(t, err)
+		require.Equal(t, uint64(0), res.Status.ConnectedPeers)
+		require.Equal(t, false, res.Status.IsSynced)
+		require.Equal(t, layerLatest.Uint32(), res.Status.SyncedLayer.Number)
+		require.Equal(t, layerCurrent.Uint32(), res.Status.TopLayer.Number)
+		require.Equal(t, layerLatest.Uint32(), res.Status.VerifiedLayer.Number)
+	})
+	t.Run("Status post-genesis", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupNodeService(t)
+
+		// Now do a mock check post-genesis
+		layerLatest := types.LayerID(10)
+		c.meshAPI.EXPECT().LatestLayer().Return(layerLatest)
+		layerCurrent = types.LayerID(12)
+		c.genTime.EXPECT().CurrentLayer().Return(layerCurrent)
+		layerVerified := types.LayerID(8)
+		c.meshAPI.EXPECT().LatestLayerInState().Return(layerVerified)
+		c.peerCounter.EXPECT().PeerCount().Return(100)
+		c.syncer.EXPECT().IsSynced(gomock.Any()).Return(false)
+
+		res, err := c.Status(ctx, &pb.StatusRequest{})
+		require.NoError(t, err)
+		require.Equal(t, uint64(100), res.Status.ConnectedPeers)
+		require.Equal(t, false, res.Status.IsSynced)
+		require.Equal(t, layerLatest.Uint32(), res.Status.SyncedLayer.Number)
+		require.Equal(t, layerCurrent.Uint32(), res.Status.TopLayer.Number)
+		require.Equal(t, layerVerified.Uint32(), res.Status.VerifiedLayer.Number)
+	})
+	t.Run("NodeInfo", func(t *testing.T) {
+		t.Parallel()
+		c, ctx := setupNodeService(t)
+
+		resp, err := c.NodeInfo(ctx, &emptypb.Empty{})
+		require.NoError(t, err)
+		require.Equal(t, resp.Hrp, types.NetworkHRP())
+		require.Equal(t, resp.FirstGenesis, types.FirstEffectiveGenesis().Uint32())
+		require.Equal(t, resp.EffectiveGenesis, types.GetEffectiveGenesis().Uint32())
+		require.Equal(t, resp.EpochSize, types.GetLayersPerEpoch())
+	})
+	// NOTE: ErrorStream and StatusStream have comprehensive, E2E tests in cmd/node/node_test.go.
+}
diff --git a/api/grpcserver/post_client.go b/api/grpcserver/post_client.go
index 2c6781d25c3..525ac04b4b4 100644
--- a/api/grpcserver/post_client.go
+++ b/api/grpcserver/post_client.go
@@ -75,19 +75,28 @@ func (pc *postClient) Proof(ctx context.Context, challenge []byte) (*types.Post,
 					}
 				}
 
-				meta := proofResp.GetMetadata()
-				if !bytes.Equal(meta.GetChallenge(), challenge) {
-					return nil, nil, fmt.Errorf("unexpected challenge: %x", meta.GetChallenge())
+				proof := proofResp.GetProof()
+				proofMeta := proofResp.GetMetadata()
+				if proofMeta == nil {
+					return nil, nil, fmt.Errorf("proof metadata is nil")
+				}
+
+				if !bytes.Equal(proofMeta.GetChallenge(), challenge) {
+					return nil, nil, fmt.Errorf("unexpected challenge: %x", proofMeta.GetChallenge())
+				}
+
+				postMeta := proofMeta.GetMeta()
+				if postMeta == nil {
+					return nil, nil, fmt.Errorf("post metadata is nil")
 				}
 
-				proof := proofResp.GetProof()
 				return &types.Post{
 						Nonce:   proof.GetNonce(),
 						Indices: proof.GetIndices(),
 						Pow:     proof.GetPow(),
 					}, &types.PostMetadata{
-						Challenge:     meta.GetChallenge(),
-						LabelsPerUnit: meta.GetLabelsPerUnit(),
+						Challenge:     proofMeta.GetChallenge(),
+						LabelsPerUnit: postMeta.GetLabelsPerUnit(),
 					}, nil
 			case pb.GenProofStatus_GEN_PROOF_STATUS_ERROR:
 				return nil, nil, fmt.Errorf("error generating proof: %s", proofResp)
diff --git a/api/grpcserver/post_service.go b/api/grpcserver/post_service.go
index 89adf7a6031..7512629b150 100644
--- a/api/grpcserver/post_service.go
+++ b/api/grpcserver/post_service.go
@@ -1,11 +1,14 @@
 package grpcserver
 
 import (
+	"context"
 	"fmt"
 	"sync"
 
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	pb "github.com/spacemeshos/api/release/go/spacemesh/v1"
 	"go.uber.org/zap"
+	"google.golang.org/grpc"
 
 	"github.com/spacemeshos/go-spacemesh/activation"
 	"github.com/spacemeshos/go-spacemesh/common/types"
@@ -27,8 +30,17 @@ type postCommand struct {
 }
 
 // RegisterService registers this service with a grpc server instance.
-func (s *PostService) RegisterService(server *Server) {
-	pb.RegisterPostServiceServer(server.GrpcServer, s)
+func (s *PostService) RegisterService(server *grpc.Server) {
+	pb.RegisterPostServiceServer(server, s)
+}
+
+func (s *PostService) RegisterHandlerService(mux *runtime.ServeMux) error {
+	return pb.RegisterPostServiceHandlerServer(context.Background(), mux, s)
+}
+
+// String returns the name of this service.
+func (s *PostService) String() string {
+	return "PostService"
 }
 
 // NewPostService creates a new grpc service using config data.
diff --git a/api/grpcserver/post_service_test.go b/api/grpcserver/post_service_test.go
index d960c62f09b..f687ba760cc 100644
--- a/api/grpcserver/post_service_test.go
+++ b/api/grpcserver/post_service_test.go
@@ -3,6 +3,8 @@ package grpcserver
 import (
 	"context"
 	"fmt"
+	"os"
+	"path/filepath"
 	"testing"
 	"time"
 
@@ -84,6 +86,32 @@ func launchPostSupervisor(tb testing.TB, log *zap.Logger, cfg Config, postOpts a
 	return func() { assert.NoError(tb, ps.Stop()) }
 }
 
+func launchPostSupervisorTLS(tb testing.TB, log *zap.Logger, cfg Config, postOpts activation.PostSetupOpts) func() {
+	pwd, err := os.Getwd()
+	require.NoError(tb, err)
+	caCert := filepath.Join(pwd, caCert)
+	require.FileExists(tb, caCert)
+	clientCert := filepath.Join(pwd, clientCert)
+	require.FileExists(tb, clientCert)
+	clientKey := filepath.Join(pwd, clientKey)
+	require.FileExists(tb, clientKey)
+
+	cmdCfg := activation.DefaultTestPostServiceConfig()
+	cmdCfg.CACert = caCert
+	cmdCfg.Cert = clientCert
+	cmdCfg.Key = clientKey
+	cmdCfg.NodeAddress = fmt.Sprintf("https://%s", cfg.TLSListener)
+	postCfg := activation.DefaultPostConfig()
+	provingOpts := activation.DefaultPostProvingOpts()
+	provingOpts.RandomXMode = activation.PostRandomXModeLight
+
+	ps, err := activation.NewPostSupervisor(log, cmdCfg, postCfg, postOpts, provingOpts)
+	require.NoError(tb, err)
+	require.NotNil(tb, ps)
+	require.NoError(tb, ps.Start())
+	return func() { assert.NoError(tb, ps.Stop()) }
+}
+
 func Test_GenerateProof(t *testing.T) {
 	log := zaptest.NewLogger(t)
 	svc := NewPostService(log)
@@ -127,6 +155,49 @@ func Test_GenerateProof(t *testing.T) {
 	require.Nil(t, meta)
 }
 
+func Test_GenerateProof_TLS(t *testing.T) {
+	log := zaptest.NewLogger(t)
+	svc := NewPostService(log)
+	cfg, cleanup := launchTLSServer(t, svc)
+	t.Cleanup(cleanup)
+
+	opts := activation.DefaultPostSetupOpts()
+	opts.DataDir = t.TempDir()
+	opts.ProviderID.SetInt64(int64(initialization.CPUProviderID()))
+	opts.Scrypt.N = 2 // Speedup initialization in tests.
+	id := initPost(t, log.Named("post"), opts)
+	postCleanup := launchPostSupervisorTLS(t, log.Named("supervisor"), cfg, opts)
+	t.Cleanup(postCleanup)
+
+	var client activation.PostClient
+	require.Eventually(t, func() bool {
+		var err error
+		client, err = svc.Client(id)
+		return err == nil
+	}, 10*time.Second, 100*time.Millisecond, "timed out waiting for connection")
+
+	challenge := make([]byte, 32)
+	for i := range challenge {
+		challenge[i] = byte(0xca)
+	}
+
+	proof, meta, err := client.Proof(context.Background(), challenge)
+	require.NoError(t, err)
+	require.NotNil(t, proof)
+	require.NotNil(t, meta)
+
+	// drop connection
+	postCleanup()
+	require.Eventually(t, func() bool {
+		proof, meta, err = client.Proof(context.Background(), challenge)
+		return err != nil
+	}, 5*time.Second, 100*time.Millisecond)
+
+	require.ErrorContains(t, err, "post client closed")
+	require.Nil(t, proof)
+	require.Nil(t, meta)
+}
+
 func Test_Cancel_GenerateProof(t *testing.T) {
 	log := zaptest.NewLogger(t)
 	svc := NewPostService(log)
diff --git a/api/grpcserver/smesher_service.go b/api/grpcserver/smesher_service.go
index 3bc2b724aa2..bb89c205b13 100644
--- a/api/grpcserver/smesher_service.go
+++ b/api/grpcserver/smesher_service.go
@@ -7,11 +7,13 @@ import (
 	"time"
 
 	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	pb "github.com/spacemeshos/api/release/go/spacemesh/v1"
 	"github.com/spacemeshos/post/config"
 	"go.uber.org/zap"
 	"google.golang.org/genproto/googleapis/rpc/code"
 	rpcstatus "google.golang.org/genproto/googleapis/rpc/status"
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/emptypb"
@@ -31,8 +33,17 @@ type SmesherService struct {
 }
 
 // RegisterService registers this service with a grpc server instance.
-func (s SmesherService) RegisterService(server *Server) {
-	pb.RegisterSmesherServiceServer(server.GrpcServer, s)
+func (s SmesherService) RegisterService(server *grpc.Server) {
+	pb.RegisterSmesherServiceServer(server, s)
+}
+
+func (s SmesherService) RegisterHandlerService(mux *runtime.ServeMux) error {
+	return pb.RegisterSmesherServiceHandlerServer(context.Background(), mux, s)
+}
+
+// String returns the name of this service.
+func (s SmesherService) String() string {
+	return "SmesherService"
 }
 
 // NewSmesherService creates a new grpc service using config data.
diff --git a/api/grpcserver/testdata/README.md b/api/grpcserver/testdata/README.md
new file mode 100644
index 00000000000..0deb71a48c7
--- /dev/null
+++ b/api/grpcserver/testdata/README.md
@@ -0,0 +1,38 @@
+# Test data
+
+The files in this folder are only intended to be used for testing. They are not intended to be used in production.
+
+## Certificates
+
+The certificate files are used for testing TLS connections. They have been generated using the following commands:
+
+```bash
+# create certificate extensions to allow using them for localhost
+cat > domains.ext <<EOF
+[v3_req]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+IP.1 = 127.0.0.1
+EOF
+
+# create CA private key and certificate
+openssl req -x509 -newkey rsa:4096 -days 365 -nodes -keyout ca.key -out ca.crt -subj "/C=EN/ST=Spacemesh/L=Tel Aviv/O=Spacemesh/CN=spacemesh.io/emailAddress=info@spacemesh.io"
+
+# create server private key and CSR
+openssl req -newkey rsa:4096 -nodes -keyout server.key -out server-req.pem \
+    -subj "/C=EN/ST=Spacemesh/L=Tel Aviv/O=Server/CN=server.spacemesh.io/emailAddress=info@spacemesh.io"
+
+# use CA private key to sign ser CRS and get back the signed certificate
+openssl x509 -req -in server-req.pem -days 60 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extfile domains.ext -extensions v3_req
+rm server-req.pem
+
+# create client private key and CSR
+openssl req -newkey rsa:4096 -nodes -keyout client.key -out client-req.pem \
+    -subj "/C=EN/ST=Spacemesh/L=Tel Aviv/O=Client/CN=client.spacemesh.io/emailAddress=info@spacemesh.io" \
+
+# use CA private key to sign client CSR and get back the signed certificate
+openssl x509 -req -in client-req.pem -days 60 -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -extfile domains.ext -extensions v3_req
+rm client-req.pem
+```
diff --git a/api/grpcserver/testdata/ca.crt b/api/grpcserver/testdata/ca.crt
new file mode 100644
index 00000000000..421119a474f
--- /dev/null
+++ b/api/grpcserver/testdata/ca.crt
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF5TCCA82gAwIBAgIUXX1SBglREeOwJb/Z4tYWvY8M/6wwDQYJKoZIhvcNAQEL
+BQAwgYExCzAJBgNVBAYTAkVOMRIwEAYDVQQIDAlTcGFjZW1lc2gxETAPBgNVBAcM
+CFRlbCBBdml2MRIwEAYDVQQKDAlTcGFjZW1lc2gxFTATBgNVBAMMDHNwYWNlbWVz
+aC5pbzEgMB4GCSqGSIb3DQEJARYRaW5mb0BzcGFjZW1lc2guaW8wHhcNMjMxMDEz
+MTU1MjQwWhcNMjQxMDEyMTU1MjQwWjCBgTELMAkGA1UEBhMCRU4xEjAQBgNVBAgM
+CVNwYWNlbWVzaDERMA8GA1UEBwwIVGVsIEF2aXYxEjAQBgNVBAoMCVNwYWNlbWVz
+aDEVMBMGA1UEAwwMc3BhY2VtZXNoLmlvMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHNw
+YWNlbWVzaC5pbzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANDcnyfM
+tBZjzbPh5pjn16twRucN01bb50P383y+fv87qOSrLLn/EVPu0K1BgI8yz4N1V6zX
+IEMIhMT7qJxyroU0qtPBMLbfkBuQGUG60MZdwedocPLLK+KAT8khFiibFD45sBgc
+S2oISQ80XZNUvkPybErXukqx4TSodquh6UO+ZuUYv+nebgoDroepx6tLFOuPezqt
+gNuiz0KIarjXToUqb8fiUwTcXgSyeO+a/VVNhUHB1nXiJBRetyuZsu0C8JK+y/59
+YBo0zyeNAynG488FsEmUK5lDDUKseIjfY7I4YPrKR2kBd5AHI8UCSpNOmHrvc6yU
+xWU6zVzI68VB3vNA9kVZTfXXvTrbo9Sa/TNUT+zqcxsbsoOXFsSmUL3I/7yBSiwQ
+iPoQD4waMeAioYBJPQexTKy0vjCDVTdLTXQZe7CrXSSP7Iphnk0dlu+oaS+DLygf
+pxlKBcg/vRiBhSb79nWkRgdlKsDtZEJ2IBBo23njt6fJGGUKAugaDQTugUolKXMW
+puU3PNiTyHUWwLN5qQh2wWl2mgQAoYPw/CASC2dROD/WqOiVSqGs/zUGAthREiud
+B9sB/OgwU2n53so07kcpZV10Cihc//Putuj7rnploOHTpNqFxObWByNKAZyZz0aM
+G3DuIOHJEBnrotG2MnGvKvDex1siF/6YC53LAgMBAAGjUzBRMB0GA1UdDgQWBBR0
+wOO4u0m6cJxDCUrBUJl/IYz71zAfBgNVHSMEGDAWgBR0wOO4u0m6cJxDCUrBUJl/
+IYz71zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQDBLx0O1VHc
+GxoCcodT8TZVq6YVFOc3Hw3OszLh0RVvATd0FeHH5zmP49sp6NHeDwSUHkbMUm++
+Vf7Gx+n0THbp+9z8BXoBO4xXERkhO4y4J0yaooN7gWf2JsxHfAZjB+1dKxYTrrl+
+q9LriXiLMgQ0Oy9ccOI/D2MCqu3XEfAuyjq7oZXSVXgO0jW5kKlcI58XO4qLjryZ
+yowBbcmaEORTwGcZslrIkh+rIu+VXkasm7JD/BeL3mi6gPb4emyq3zmorj5UXMwD
+6gPrEG0gYezplWJkDcAdq1IVkfgPUMEoQfzhJUcIsc9t4YyGjNLLMDunUSh29XIV
+CMiX4DL2X8zk7sn0jTgckTvio3LoNWN/BlkjflywJPkG3cjyvKe3KfTOw8LN+jYu
+aD0YTROL+P9kOrc/nOevo4M7A8COzCQlMoF9+wnOCaSmg++Av30GIWpjpv5bC6e5
+jAK0o9WB2mMTD3+WexaSv6uKw3mtj9ekzp0PuR29iWHh3cisK8YdcFNcaxFzQ1Og
+HUt+7ozC06akmdZpRuLJogSpB26mLji8EWzgNzYoxVHFKRR5z8UJHHDi65s2O0Mh
+XayKiGLI9ja/SAkQwGqarL0u+r/Da9myZ+huGOkWtyzN24tPML3eT3Vc8KllLsWe
+HhfhKsR8HA6pNLGlub4yjQ9YqpffBVfqlQ==
+-----END CERTIFICATE-----
diff --git a/api/grpcserver/testdata/ca.key b/api/grpcserver/testdata/ca.key
new file mode 100644
index 00000000000..3f44f819e74
--- /dev/null
+++ b/api/grpcserver/testdata/ca.key
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDQ3J8nzLQWY82z
+4eaY59ercEbnDdNW2+dD9/N8vn7/O6jkqyy5/xFT7tCtQYCPMs+DdVes1yBDCITE
++6iccq6FNKrTwTC235AbkBlButDGXcHnaHDyyyvigE/JIRYomxQ+ObAYHEtqCEkP
+NF2TVL5D8mxK17pKseE0qHaroelDvmblGL/p3m4KA66HqcerSxTrj3s6rYDbos9C
+iGq4106FKm/H4lME3F4Esnjvmv1VTYVBwdZ14iQUXrcrmbLtAvCSvsv+fWAaNM8n
+jQMpxuPPBbBJlCuZQw1CrHiI32OyOGD6ykdpAXeQByPFAkqTTph673OslMVlOs1c
+yOvFQd7zQPZFWU31170626PUmv0zVE/s6nMbG7KDlxbEplC9yP+8gUosEIj6EA+M
+GjHgIqGAST0HsUystL4wg1U3S010GXuwq10kj+yKYZ5NHZbvqGkvgy8oH6cZSgXI
+P70YgYUm+/Z1pEYHZSrA7WRCdiAQaNt547enyRhlCgLoGg0E7oFKJSlzFqblNzzY
+k8h1FsCzeakIdsFpdpoEAKGD8PwgEgtnUTg/1qjolUqhrP81BgLYURIrnQfbAfzo
+MFNp+d7KNO5HKWVddAooXP/z7rbo+656ZaDh06TahcTm1gcjSgGcmc9GjBtw7iDh
+yRAZ66LRtjJxryrw3sdbIhf+mAudywIDAQABAoICAA60Wagtq0ggQq01bEy7ld2G
+DBfcS1LELKYGYOgZaUuC4cMnogB+SrQEDkEEaY6rXxy8OC38/1J42RAdP6O0F0Fd
+keFSqqFVYAnwvTZ5dpVgqHQoUDtnvnE142gfojW9pVE0MoegBlcyuiIN58ClqLeT
+67fhNEZp+5b/fUtcHNYeI5Rhh7FpbYna9ICsnVgb8x8afOyGppnP/pOKkyjsT6Tk
+dfY2ou2mrh/aiNUlrkxBJu6YPQcTosKkYHT7XzN8j39lW2tRXGC78xGvxdc9H3DF
+z8F+YwtpQxe8mMfaImS7v2gosZpc9hP3zLbkEGgKkoWlMhmmZ7dWynqL0r2Sg6Wv
+94MVWZY5uPj1lbkoc/9Vd3MOq5GxVt1XjgNrDz95ZFCZDmzICkSFtFPsgpf+ZaMp
+wnHQvym/UnxwMuzKwEWV0tACz4rZnjSDOQKyTq6lg7Nj+qjTcs5yIvOyJ3sNSOOn
+E7X43FaPEEbo2uLpXmuvvMxo/4v7UN9Gzt97MaJkiK8s5xd9Ea932AxyLyvSX5Rp
+Zq1Yy3YTc7DkkoVnWLZyx6j/uGZHJGtn1+4CuWdrygPOZFfC8lVi3OLVupprgNxP
+ejC+Rh3nZi4rto2cuEdHN7PxdgzTtJgta0VU+oC2njyc7i2PBWzlxUASc/+wNCcg
+Bn8Db0Py0yDhupcJTbGBAoIBAQD5n2uM96sys8mrHwCcZeZjWKl9ZP0AVIuPX7yg
+1Pj+ZQNTRvrmvOWsDNtBB9IA+eGinbY8htf3ADR8R8N8UJ175kKKnjwUs8Yq5zq/
+henj94z8bbLjOOWGg3p9s4ap8NLpAbeiYZKUESjpQkRTsOzu727ZJN91b/vwWwJK
+XyDSdPu2dSzMxv92OqKr2+W9jmgDG+LbqMW+uzsADvVtCArE/Hi7DErktg9mf7p2
+VNvgULKxYo/yMFOCZie53LFiQZmuTH605SU3WEitfVU7Wz+VD6btB18CYth6W4yE
+/9O5h8CyRTVGJ8FzJhZ0lhiiHkzNcb8/jMaMS8fZeFZs2x+hAoIBAQDWMp4M4elB
+GbdmhZBLianZnpJtdtmXEF2KlJPkC6muGQECkVlrGSuVkL+r3HYpxpqUHNhTUUnl
+H1DEnm5HN2j5qffbv9CPIx7nu7ygyrpMlKZtkEFMNUg9fqaxGuyuaf+E9D158Oqy
+UNtPYSVKpB9AMUcyTUNXRbp03LOmj0mGEolg7fSbs+zFXPcV/xdOzH6s3VWSnjHt
+QhTHH9GL78RS0pQSfNoBcfxYOFMJbGu5M6rfQvaWpAW2R8Kl4K+ZGLSrHLjIdHKF
+e/fFcQN/p1dQQv4Eh2hPWRh1hregKCyMNOFjVY2ZrVZOzob9sl5EFs94CBoVKiDi
+kZAhCbLT0XXrAoIBAFP6bhRevhmwoogPRgVXwsppaZvl/be+ubTiYHM7Mwlislux
+5Xb61cmsCZc3Kk9pwZ8Tr9ttAfr29rFY80s/U7v7GyfHVC8iy+hjIkCMrMMk5SmH
+PkdzPMSkNvFTFFrXyhzZlw3qBYYKv9i5koMVYqB/rKsg3IyFwBx8gajDmCc1c/lO
+MmQyDn+X+mIW+JNs9VEWcJu1i9E+6/p5DdhAfF8JERTcbdXD6ipxjimBIve0Lmm+
+3u57k5yrAXJl7MdBipI46eexr3OPH+Q95g6yBBIB0gasFCqZVnrTkdKsvm4MXaeb
+4PBZL5utlKBkXqUrzGrReaXHloRcej+PXIQCtAECggEAOoDgwkwB1ZIckZfxbXBQ
+P+wbumI31BbYNb2XFzZIRhD2QalJbwMU8Gj0sRAqBgcEuWeXfko5kKcY/Fr5a+Iq
+feZ6mD6vzCifjFOulYxJjhkby9kWvKXg8UriZIUiGBFDhSDgmam/sKx8+hVihhyF
+nJbZB1grCG83GiwdtWR1hHUTqLHVmaFvDgjyQ8PErfUUtEpP0Rf8Mv1Vh32dUkdO
+rABwCQyozrQ/ZCkeJPjEA3WlOg2kJEjwdnTrKTtROtOQpRvXLIkBrovJhNf1SKyA
+IJ/rmXkSeHmxQIhnJwtR/4mB9gur/UlmxWeLX0eUj6xbRkGQPi+fg8KWRy/K9CfF
+uQKCAQEAvOwa/glYewheexMC4PQrgIh49aod63bW+Ji1KPx/A7hKDnV+hkOFOs6g
+fZOIqYa+d9SraVJ1kD6hlrlwHRgll30tkWEbayShxXRDrSTMyW3eEE3Nh+8mnLn3
+T0Zb6arwa3ORjkNzu37vmfv8yU+UH41ePlqxSc7SBK9ahPaA9DajxbyCh9WBbUhc
+49RzJsJjPSGE8/QZvQs0GOlByX530uL46DU1QdhjwjyJhXMARGbU5ngaBwXNG+Hd
+MN8wgDtucToL2jeMV9bRXZYaB9AyFcBPpDxUU37EzltIN+7hlUZLcnXjBPepQEfN
+dYnwa0fikpJSrEfWt1kHxPnaKd0aag==
+-----END PRIVATE KEY-----
diff --git a/api/grpcserver/testdata/client.crt b/api/grpcserver/testdata/client.crt
new file mode 100644
index 00000000000..55a7b09a210
--- /dev/null
+++ b/api/grpcserver/testdata/client.crt
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF9DCCA9ygAwIBAgIUHqywzc+FUBOWvkd2Us+AQM3c7oUwDQYJKoZIhvcNAQEL
+BQAwgYExCzAJBgNVBAYTAkVOMRIwEAYDVQQIDAlTcGFjZW1lc2gxETAPBgNVBAcM
+CFRlbCBBdml2MRIwEAYDVQQKDAlTcGFjZW1lc2gxFTATBgNVBAMMDHNwYWNlbWVz
+aC5pbzEgMB4GCSqGSIb3DQEJARYRaW5mb0BzcGFjZW1lc2guaW8wHhcNMjMxMDEz
+MTU1MjQyWhcNMjMxMjEyMTU1MjQyWjCBhTELMAkGA1UEBhMCRU4xEjAQBgNVBAgM
+CVNwYWNlbWVzaDERMA8GA1UEBwwIVGVsIEF2aXYxDzANBgNVBAoMBkNsaWVudDEc
+MBoGA1UEAwwTY2xpZW50LnNwYWNlbWVzaC5pbzEgMB4GCSqGSIb3DQEJARYRaW5m
+b0BzcGFjZW1lc2guaW8wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCv
+MGj0wISkgZrNjAebemwQkx7GZKls/eWehAgFWRloS9gvD/FrIx3RK5GxlTcT/iFU
+YT7EQuEG+D4mXgSGO1wm1mJprB+alvkgX2gQDvF56dOPWRhPKzUiPQyCk8LpUU+s
+fSryWnP1Ric119I/S8HyZdQnYI95VEshaUHFHeiuluYW/jDEO9KZmxdvf+ny5eep
+1SMI3PdMIN9NkFxLN/UVaqmLiP5JjrcoPU/Q6H/uU95Fc8vPGbDJdNBRdni/gvOP
+AyP/2lbIZ2QyVQwyyf6yYTa4B7VYBymk+x5mgiR+w7BMJViak9Fir6sHCKn2L53l
+6rUsP0RjBYQgppklxB+dejCGlBUeEBHGGC+TkQqCgHlBWj8QVCyOrMIbfDVvLYYz
+QVz56EJapSXMEoHxjzqHwcOwVxM5ZpznDJgS/xkmbIHiVSd6zNJn6DNyE6WdX0/y
+hpetH1I5Y4FDmyzxZrq6FCbDN8vOPiK6Pdw9e4HFRADXJ6YSp0P6W2pCU6dbOY1G
+s52thQy7YJjoJjhtdrdd+w/fkGFQgfKaTxxzIXU1THUNJ5XwIkMUXmUN5uU9m23l
+6mX/4+Pd+bTeTZ3HSZRPCn9vRTpai9q7DsNOlcMY1e6vA9eYd+q+yhoJJi6OAZv/
+85lGQJRlJSPxIMn7XZMuXaXV4E4dkEbritPE3T5U6wIDAQABo14wXDAaBgNVHREE
+EzARgglsb2NhbGhvc3SHBH8AAAEwHQYDVR0OBBYEFDzgBkOSIlPrDbOfxz8IVWpN
+YDQwMB8GA1UdIwQYMBaAFHTA47i7SbpwnEMJSsFQmX8hjPvXMA0GCSqGSIb3DQEB
+CwUAA4ICAQCXA17tWCdjz5gmFweQUecdml4cfPIdE02O45uyjisYVB8MFgr1taZl
+ccvLMV6CA/OqaEnqmsdFeeGhZNrj+j043MuxEE3H9nA5YvepNzULI7JwUuQLDF5C
+FaB3c8scrZcb1clwgczD6g4CbGPxyV3QdSzUxndUFQR72bNENT/4iyCL0F1e8kDZ
+KEFLudacxaWQDriqy0EzqQHSdaFCowDHL2em5yYaA5pBuvaoUfCLtx1EIO1s3yWk
+mMm08/le5V5RhS86whqs9TuL52UWzvhJ2W2RxCidY5awuKhWW30QP9UNDuiUgzCM
+XaQYEtC7vXO1q+BK/yzMO3tPFkBlddtdy+h+esQkKn+HrzKuU0z+AzU0mNMvA+Gj
+r/UxYt0EBFYsD2yUk4ysLcrVm2RfhGmfCQeYedx8vPTQCtES+jY7AVVseT4a3aCa
+ij18HzHWQr3rmaYHHD2oIu0CEVP09bTn+5TcO0TRcSWqscdM/v55kqNT3gYvVvkF
+K39cAQckqCiN7Rum5h7ViL3SFnkRfAd9F9rL+RWvoFCQyc8MnLETmHT7GGFvMHdA
+1Lc6Q+x/XT/h1xK1KMzNgVHDpoxHgkq3Xj2LZG5hCPM9C31bkSvqyqtBi+yQIRKK
+FHdHFiSLpxkf4mjC8ysAjuz9lKeLsNoqDd9gMjs2G4LiyX7T6NusJg==
+-----END CERTIFICATE-----
diff --git a/api/grpcserver/testdata/client.key b/api/grpcserver/testdata/client.key
new file mode 100644
index 00000000000..e3135a84ad8
--- /dev/null
+++ b/api/grpcserver/testdata/client.key
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCvMGj0wISkgZrN
+jAebemwQkx7GZKls/eWehAgFWRloS9gvD/FrIx3RK5GxlTcT/iFUYT7EQuEG+D4m
+XgSGO1wm1mJprB+alvkgX2gQDvF56dOPWRhPKzUiPQyCk8LpUU+sfSryWnP1Ric1
+19I/S8HyZdQnYI95VEshaUHFHeiuluYW/jDEO9KZmxdvf+ny5eep1SMI3PdMIN9N
+kFxLN/UVaqmLiP5JjrcoPU/Q6H/uU95Fc8vPGbDJdNBRdni/gvOPAyP/2lbIZ2Qy
+VQwyyf6yYTa4B7VYBymk+x5mgiR+w7BMJViak9Fir6sHCKn2L53l6rUsP0RjBYQg
+ppklxB+dejCGlBUeEBHGGC+TkQqCgHlBWj8QVCyOrMIbfDVvLYYzQVz56EJapSXM
+EoHxjzqHwcOwVxM5ZpznDJgS/xkmbIHiVSd6zNJn6DNyE6WdX0/yhpetH1I5Y4FD
+myzxZrq6FCbDN8vOPiK6Pdw9e4HFRADXJ6YSp0P6W2pCU6dbOY1Gs52thQy7YJjo
+Jjhtdrdd+w/fkGFQgfKaTxxzIXU1THUNJ5XwIkMUXmUN5uU9m23l6mX/4+Pd+bTe
+TZ3HSZRPCn9vRTpai9q7DsNOlcMY1e6vA9eYd+q+yhoJJi6OAZv/85lGQJRlJSPx
+IMn7XZMuXaXV4E4dkEbritPE3T5U6wIDAQABAoICAAhbpZDnuRb6x/PpK65ol3dC
++EORfIkio9h9hr8aknJotpZS4GWyyzK2LWvs09qJqUq+nkv8FNhMR6AfpCpInWDi
+TC0BH+Y0MGExrA6ivTU1HqQcJWNsNaC94OGUmHFL2809kNWh0x5vNmJZ5ZdMz01N
+O7iVNsMcbmktqGGgclVssEAwkwsJqkaBy7XEwy3qIgn24oZYZG6mstX0fogS0gfa
+NYnerfhnF/3neZix6Z3pNRWDLMS4qQ0zcYIxcMP872Rx9em4Sk5NVc5rmFAOqwQU
+9z4DFXfEVQxLSWwCkX3VauJ3IFRfm6xlonc3cURkM9hK66cswt/RMjiMj4npuB2r
+A9ua9eK6I9zE/PiijNo7gaHiVgMrzfd8wCHVbv0BKGsQES3fBHQOEGJAjFmATXEO
+uVEL/J/rVzkB9C1yYvSyjoM/iS9XmNOeWZ7sI3a6C/pa+1fWCMGx1MVct1O7ZZGo
+KR8uXnSVXe4Vb2oZ4J+lJqLXHbtzbWaaGVJHPJcKWhtLAST8BVfVPhF7wy0Vh3tW
+Zif3sOX4oIHtt+eOvZzD/JKUA8vgd/eL4thvsQH8teKKjlTJscpPonTuhS/Tx903
+OY0KGTHOkbcv+a7jnfDkRMG0fXJIgRc+t0aQuMiS9P+p7LRJdI/4nXmlFanD5fq+
+uuchk0ydzFj658Xi+lzBAoIBAQDLJVFL9AaejPCXpk7b+3i+PCw9DBjVv73OAaW6
+MVOs0kE++kRxJ7/tMh/khRg4Aru5N6WQGXwAV6jBbG01Gn8Xs/Iys1g0TF5kw4s1
+Xlv1fU5sl/O8A9ooYkwpXgv4JtZiK+xqGhdg8530M/HnTGKUUR1wTh2fmmJzswO+
+4hXtNmjS+2XRuaLd87nuGdI6FDWFD1aNNmV+SyEWliwUrtWnqo4ux30DA7VqPLFC
+uwfWDaIV1Q+yN1Z9o2XZfhUS/0cjk7Unli4Xe2LeN+j8ljPKvyWUCiL61WRKKGy3
+26Zpxj5SPAdhgVGrWWJV7tV1iSyZB3eLmP72FNNl22a2LaFJAoIBAQDcxQRAsWIc
+z3w96PxCM2+xVBzCKTyO0Ps5LKcVPogBE+LngqVKzz6zqInvALhtdzjAaSCBFH5p
+gbGykK1wcZLm773byUTrek+qvtXpi7AYfT0Fxdo+d8Tfi4vKuVp0sZssyQDEEAMv
+8j1O/j+u10RNI43L0gQAD2P7X1U+EwfQVtdYdwzfWOTFaOoqo0kxkKM7CbrcO5gH
+0Wc+fOTM0Mj4Mf76d8dg3t1iAOz4+s17zpYbdEfarIdeM8/tPIrxSRPETmTGV4uP
+RFhg8avn0V6x3DBcxH+XOdYYIvWfLOrHvYZUsqcPQebWrzCWuu2qfS54ENfL1GFu
+xuG7A9/ybPiTAoIBAFjFyvv0/HuGvZCXpXhuMPp40yAuTCAENU5z29c8vQMVslty
+BDyqkS13LQawvr+jOiObVKde65g+tkkoN6TwGj/ia+GKC+52vP0tkoTU4jyp8H51
+/JXZ3Rius/eT2Iktd5vY8+v90N+WNh1EId7gu2dy9vlfuYRIc+N5hBaDN++8ShyA
+raLzi1+QpVyOPhcRQ74M0NbOwZVqAWCcaVD0gftOBeodVNzfXwS41wGBN9BrjrwZ
+qk1H72zh3Z0ogs8VbSH35z8QWr36Nl9DcXYHsURVOXey4kxYugXKGpBR1Sv97LgE
+8XjDiUvmuJky0GcXdby9zZjcV/ZzbVnigcT0tbkCggEATVf4lXGPnehS7p2hQtAi
+YU3GhX9M5/vvB6jNIHQ30ajV5aWvovXYUbjKGiF2e2M5Tq+F47L6VpxJVPW6zZn8
+jUuQiF+K9bR0FK2m45s8ple5+TvHqfrrziVlZDBrsFZItvf0fLvfYfzL3dDVHrvs
+Adpi4vVA0YSS0o4jnwurwSGrcCLFL7pE66RF5YovKl4x0Y0nGeEG8jY6pXm77sV2
+ov1hBv7PqvBpPtx0KQY01xsZG6UxRzsKccZVIhgD1WR0uGF+jL4+9oJLNCt2vlBr
+jIRHrThqOuDYULxusMVbu356gVHVlVLRPIVD0IrMmN4iWY4NDCvrtpOWoZ5J5vSm
+YQKCAQEAupDa6LhUABYvX22YY6VTLp6/eFXRnl3VXHpxQnYzOBkAHY6b/6c+i43E
+9LAlTSgw99ySG2xhz2L8+fPRQB3Wa0Qz5XG0Y8l+QlvHokcSYiSFVeaYcPicWcxk
++YH3A8uIcAWdALGToxtLfPNukzGlSP8I9U7OUCG0UfFaGbVepzKIusVTzwV5YqmJ
+WuA4w35+sRwAccWDwzbIO4doG+QYs+qAKIhYSUp/m7zDlrMG9+8+hI5WEg/dzQli
+DzSB4w2eqZNZFFXFZE6Fqyz3mlurmr8nRosu2hC/2afDrdL3ngIY0LQNIB0q3qMQ
+CCs1A3x1zKNck0SIhewqgJ6bpen1ew==
+-----END PRIVATE KEY-----
diff --git a/api/grpcserver/testdata/domains.ext b/api/grpcserver/testdata/domains.ext
new file mode 100644
index 00000000000..e1037763590
--- /dev/null
+++ b/api/grpcserver/testdata/domains.ext
@@ -0,0 +1,6 @@
+[v3_req]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+IP.1 = 127.0.0.1
diff --git a/api/grpcserver/testdata/server.crt b/api/grpcserver/testdata/server.crt
new file mode 100644
index 00000000000..c7e5e4a91af
--- /dev/null
+++ b/api/grpcserver/testdata/server.crt
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF9DCCA9ygAwIBAgIUCr9o/MbCYj7sXIBvhfm0bqfpjn8wDQYJKoZIhvcNAQEL
+BQAwgYExCzAJBgNVBAYTAkVOMRIwEAYDVQQIDAlTcGFjZW1lc2gxETAPBgNVBAcM
+CFRlbCBBdml2MRIwEAYDVQQKDAlTcGFjZW1lc2gxFTATBgNVBAMMDHNwYWNlbWVz
+aC5pbzEgMB4GCSqGSIb3DQEJARYRaW5mb0BzcGFjZW1lc2guaW8wHhcNMjMxMDEz
+MTU1MjQxWhcNMjMxMjEyMTU1MjQxWjCBhTELMAkGA1UEBhMCRU4xEjAQBgNVBAgM
+CVNwYWNlbWVzaDERMA8GA1UEBwwIVGVsIEF2aXYxDzANBgNVBAoMBlNlcnZlcjEc
+MBoGA1UEAwwTc2VydmVyLnNwYWNlbWVzaC5pbzEgMB4GCSqGSIb3DQEJARYRaW5m
+b0BzcGFjZW1lc2guaW8wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDB
+1V7YcQvgzu7AQT5uZrSAkS3UtpaniU/XknJbmB7qU5Xfg+eJmlnArmK9P8cqOW6z
+XCMFyrn8EenCx5ByVfEKBgxHMf9p1sp/YR4G3Oq4Tm7lOfMGFZs1qJsTW+NGs3OB
++RervvPF1qWrSvdEncUIg052+kp68GneK54UCIoxMv2NDI+4bLq0R991G4UiHC/8
+l1DML9jLfBOTLvaLK4PTR4+PdTwK4O2wEA+zbjR1fSgtT2QeHuBSSwKbknWJpBd9
+S6JV1iz7I4uH/Iffl1oRaieaNAISVe9olrxgO5xTK8wN0pltvtsp40Hm067voFI+
+eS5wMoy8YMBsL+536QWJ9rGxLUjhrk0/wBgoslCmdYx10M/ZbxH315fq78cacV3m
+22Aa6livQ2ihqhXaEasKAGNt8mtUgjmC62jUo9VXnOsInqtkBUW8RzzFFrLmp+ND
+at9WhWnD6HVUmlcLNOsJKi7bebMY8wvyNVeD7H0DiTrP68ACblLKrq9N0lFqwzJv
+BhMgXTtc5ck+yBw2AegjiJGWJDfZKenP0iwOOwizKpIFwXj/QtyWQkp9vRsFWrPN
+WoHjMkRsHbU0U65qtMidz1VYiLAWwRelfDUrGyKUueF5AE8B9jM/8CDCDCIVwjQH
+PZc3Bzd6LdCg9JuINwG1Otp9PdS/MMrk7P5VVFV1cwIDAQABo14wXDAaBgNVHREE
+EzARgglsb2NhbGhvc3SHBH8AAAEwHQYDVR0OBBYEFE3Iz2SHzqxPg4PkbK8eiewU
+Jj/VMB8GA1UdIwQYMBaAFHTA47i7SbpwnEMJSsFQmX8hjPvXMA0GCSqGSIb3DQEB
+CwUAA4ICAQCJFr/Zjccu/hyiLpm241t1pZK90NqALmNDqNL0xEcr6bH9Gl3aRyGV
+HCYItWjRzbvO0o27bE3GqBv7Of2OTdTumg24hI2sevDMxSZiuYJunibCwgCrqYde
+LOx3Y3lDpKWDTo04tYA7NvI4I4zEc3OU8siBZ9n2dkQ48hxVjOhShxxaUYqIKOPM
+kEqFT05LkLZTFa+IqgqCwd7zFKjK/usEX9nOpFx08h/08dqdE803MB+jnNqjUjWj
+ApYnXDEjIUGnUKJ2HawJBL1w+DamPznGYkpOKYz9LATsuftVEHf9DWVotLXfmGcu
+JtuANRlDhwqW9LaiBEivk71JMF25ct6RynlNmuEx71jBuUg5QF7zqd16lz09v6NM
+awd/RLYRv+hN5IAAboam7uUXXr10qHSkiwF/dsAr0XMxVp8TTcPcY/7C16JZCGoh
+gUeBlpXc8X3gl2lbPdb+D4l0EMa69RJQeYZPkpEWpM6Vp1Ba/jsu0J1LaXoJ1Tn+
+aLfkuFgvscOQHl8fWbLA3ubYOz9lQXOFMo4R7O7/o6WQmaDz6JV1bEk2+OhZy6JK
+LFakjv302loZRrFL5JsdR3h2Hyq2UpWdIctLIvx8KJ6aC9MQFmCe7Qt4YIayek9c
+tdo+AZmBfKQCWrfPflcLG4ZMyb0QuKV8mLAtr5YmWBnroyQTVwaMeg==
+-----END CERTIFICATE-----
diff --git a/api/grpcserver/testdata/server.key b/api/grpcserver/testdata/server.key
new file mode 100644
index 00000000000..659d6b54c39
--- /dev/null
+++ b/api/grpcserver/testdata/server.key
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDB1V7YcQvgzu7A
+QT5uZrSAkS3UtpaniU/XknJbmB7qU5Xfg+eJmlnArmK9P8cqOW6zXCMFyrn8EenC
+x5ByVfEKBgxHMf9p1sp/YR4G3Oq4Tm7lOfMGFZs1qJsTW+NGs3OB+RervvPF1qWr
+SvdEncUIg052+kp68GneK54UCIoxMv2NDI+4bLq0R991G4UiHC/8l1DML9jLfBOT
+LvaLK4PTR4+PdTwK4O2wEA+zbjR1fSgtT2QeHuBSSwKbknWJpBd9S6JV1iz7I4uH
+/Iffl1oRaieaNAISVe9olrxgO5xTK8wN0pltvtsp40Hm067voFI+eS5wMoy8YMBs
+L+536QWJ9rGxLUjhrk0/wBgoslCmdYx10M/ZbxH315fq78cacV3m22Aa6livQ2ih
+qhXaEasKAGNt8mtUgjmC62jUo9VXnOsInqtkBUW8RzzFFrLmp+NDat9WhWnD6HVU
+mlcLNOsJKi7bebMY8wvyNVeD7H0DiTrP68ACblLKrq9N0lFqwzJvBhMgXTtc5ck+
+yBw2AegjiJGWJDfZKenP0iwOOwizKpIFwXj/QtyWQkp9vRsFWrPNWoHjMkRsHbU0
+U65qtMidz1VYiLAWwRelfDUrGyKUueF5AE8B9jM/8CDCDCIVwjQHPZc3Bzd6LdCg
+9JuINwG1Otp9PdS/MMrk7P5VVFV1cwIDAQABAoICADV6apAZ5HaScUG+3nw0PvHH
+3Fa3R6qSkmI+J+oIduMcy5le+ac33DJyipB/Q7JtJRM8RPdontailJWmXL6G4plq
+4MFV1Iu9dKIfR9sJ4YKXNTZuPhQ8KtXrnlmBfRu5EBHYiUTbysMXPR8c8ErQopd+
+LsxZsunnYbYn35XUY1g+osDjKdXuvbZWrBrRzHIER+MPVn33Z3+AzJ/Lkb8E8vp8
+YGnqpPW1aC6ux74wFi4iKU8S++Lpjud1hZMpnd8rVEW/89pt3HwvquQKcuxoBDQQ
+zztWxQmNByAakn+UgsVZrJNVuvoR8cLFTh3i4n1/hKFy6rKO59Bje0N+F/OiaWHT
+kW3ODDKAd6tadEB9VtpoubQMreDFryoR+tYS1MvIOmKaiGqXd/tHzYM0BMtoTtIe
+W4LGv7WK6LQzZBr+6Npqrx/2g9SQp8hGjH2HwhKQOTDkAwXn2/XEEgUqBnl9fUjO
+wpgYgFcFGmSGcGtrZfPmZpIv35+DXJH8E0xJjzFcuH5naxnaUJ2M5VWC1fBM71i8
+sER+G4rhBPnVrSt23GcTjtK0vpOK0VyD4FZOO9ZbdeGQkfhjHd+75ZH984ZnzwIS
+hsCnQ5mWKGUOhgN5N0mbKqP6lSKCM6qnnIhoDxIVFMQZN7/D53OlAKhWp0Wy5r0B
+phHXml5oJwqvGej+Ix4lAoIBAQDVDmtAbk1KfmgCpbAl/tzwZXOCG42ag9HCO+Wv
+42+BPPB9/z47aLjv8TJM9ugpOOjF7yEktbEMkNWVfNgfYKq7225CtNGnnyB+e8jO
+fyhG+kyQ7ojAFZIp/uU9LWngy9MOgcQetmifETlRq+F4Vp5T5heCRdMlsIz+2CHB
+sqVaotTn0FQIOqPmvbIVbvsAdc1v4xsK0i2e7nsGa/JB5nhlaKC+U6zk+Sx2GWOu
+6oh7pS4Hk9NWOF11Dk/cL/VfmoVprSqH6GOap7JYfLP7MiX1hC7JeYYMeq4xQcJ8
+3GUAhLlaAmP8Ah+Kn+gChzcHyunai+dXRYt+ktcag/PaIOH3AoIBAQDo5xBi+Zeh
+N2VZB3qSShMXd8UlYoUFaKPrMqn0pdoOTe5RKN1r06u3P7HFnznCTPVtfEMWYFMc
+UVO4cZ6QXWit0Kdlmcc/IMl3vpIFmAOUSUXzKh/E65I1u9BEvOcX3j/tFxooSaqJ
+xj5L7K3RdCsykD1mZoyLIEzI0YoFLHPYQaGqbRzqBkgXmqAyx7CpUT1BaEZ32j+L
+PRkGds26WCbSakU58qciBag0B48tbWFr7VCl4cCHyAeVPnFIeYFI160DrZ0mr1JX
+ImjobOV76eiHCsgKkvQpAVnlHAiemxVIvcAEjslD83nDxV0axnpW8U7Fr2J9dB/Y
+n6MYpPPxQmllAoIBAAbxqV04OxyqcglkDRGv9NOA+vrKmxrmIPgLq7jH2OKFcfEp
+WIXnK9/mJJWNlpOBX1TULmhb46FdNxjgMMsVA3uL81QJQKwN66kzr5/LVSy7C7PN
+kndwPItR23ba/BBvlDls0U+O8mn8zblzuK2LZS2m2i1MyUz5LB9CPBdsEyeZFwdX
+KuX5w03J8Pvx2gxxynhTFpaLsyDy9N+ItSSgtlvXxSVu5Luxw1k2CqGw0zH0eEOW
+9dRhkeo2xTOP/JdZGfAPzMsRL+3ieVWY+uS9Ba+y1zOJ2mydsv+3/PbE2CXkLYZZ
+fZjBGPYTsCQk9A409tpApRGbGqjNcGVU16XMXJECggEAPhD9u/KZ5vu1RYGJt5yH
+8/QWFL1ph6R4MoCg7DKapr876GMEhuy00TPnMywYn2AU86Vu13K6E0zVC80znXNX
+JyL4yUmu4HLjXcbqcRUutwDD5GZwavEAWNOBUCArUaAH1y4V6XCgQvESvvcG50+X
+B3WK91QS1iy4abf1mSVcheAPrjQ/xVoBMlEhqgavXJ/qvBiG1v/ReVDB74gPkT5W
+sjJh2myA/78UMTFmhYulr7ZhjKNZxJWY97vZQqAmxPu8/sLwo1OLlO71mCMVEO2n
+6v0DjFXXPWo/w5+x6FqZ1HXEyzImDra+114sTqtgBPVvsZzomVgt+HOqajHjVIMH
+RQKCAQBouPh3wKA5iCsRWK9sND4A8dD9Ebdl0hC1/YQJm6nL4TK8oV+DvnYzWSRK
+X2rrNZXwL4s7ZUYp/fzaGXK1JfcvszsrG9x4E+PO9GlOuhTLdor4N7hSfiJMfiSW
+otiXq3TOeJeTFB9vo96DgW0j6q/ECWiWsNnvQt4DQbnrp712wJzKII1/x/dQQbKZ
+Ft1lu3QRd7mQrMRig8Ia/TOQgfvoUM7ZLGi3hbG6nAN65US93/1WFF3sUjJSBwsi
+6FW4XqnDze+9y/FWK89MCYsJY2aasAaBJA8q2zkI6RQ2+7of0M++YzbnQZBfJXGb
+HKOzMNmxpT5p888BCcJiqZ3Vt74b
+-----END PRIVATE KEY-----
diff --git a/api/grpcserver/transaction_service.go b/api/grpcserver/transaction_service.go
index e5fe2b34d31..c17f0f1260b 100644
--- a/api/grpcserver/transaction_service.go
+++ b/api/grpcserver/transaction_service.go
@@ -8,10 +8,12 @@ import (
 	"io"
 
 	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	pb "github.com/spacemeshos/api/release/go/spacemesh/v1"
 	"go.uber.org/zap"
 	"google.golang.org/genproto/googleapis/rpc/code"
 	rpcstatus "google.golang.org/genproto/googleapis/rpc/status"
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
@@ -35,8 +37,17 @@ type TransactionService struct {
 }
 
 // RegisterService registers this service with a grpc server instance.
-func (s TransactionService) RegisterService(server *Server) {
-	pb.RegisterTransactionServiceServer(server.GrpcServer, s)
+func (s TransactionService) RegisterService(server *grpc.Server) {
+	pb.RegisterTransactionServiceServer(server, s)
+}
+
+func (s TransactionService) RegisterHandlerService(mux *runtime.ServeMux) error {
+	return pb.RegisterTransactionServiceHandlerServer(context.Background(), mux, s)
+}
+
+// String returns the name of this service.
+func (s TransactionService) String() string {
+	return "TransactionService"
 }
 
 // NewTransactionService creates a new grpc service using config data.
diff --git a/api/grpcserver/transaction_service_test.go b/api/grpcserver/transaction_service_test.go
index 7e4a21bacc8..8c62f841796 100644
--- a/api/grpcserver/transaction_service_test.go
+++ b/api/grpcserver/transaction_service_test.go
@@ -51,7 +51,7 @@ func TestTransactionService_StreamResults(t *testing.T) {
 	cfg, cleanup := launchServer(t, svc)
 	t.Cleanup(cleanup)
 
-	conn := dialGrpc(ctx, t, cfg.PublicListener)
+	conn := dialGrpc(ctx, t, cfg)
 	client := pb.NewTransactionServiceClient(conn)
 
 	t.Run("All", func(t *testing.T) {
@@ -167,7 +167,7 @@ func BenchmarkStreamResults(b *testing.B) {
 	cfg, cleanup := launchServer(b, svc)
 	b.Cleanup(cleanup)
 
-	conn := dialGrpc(ctx, b, cfg.PublicListener)
+	conn := dialGrpc(ctx, b, cfg)
 	client := pb.NewTransactionServiceClient(conn)
 
 	b.Logf("setup took %s", time.Since(start))
@@ -224,7 +224,7 @@ func TestParseTransactions(t *testing.T) {
 	cfg, cleanup := launchServer(t, NewTransactionService(db, nil, nil, txs.NewConservativeState(vminst, db), nil, nil))
 	t.Cleanup(cleanup)
 	var (
-		conn     = dialGrpc(ctx, t, cfg.PublicListener)
+		conn     = dialGrpc(ctx, t, cfg)
 		client   = pb.NewTransactionServiceClient(conn)
 		keys     = make([]signing.PrivateKey, 4)
 		accounts = make([]types.Account, len(keys))
diff --git a/cmd/bootstrapper/generator_test.go b/cmd/bootstrapper/generator_test.go
index 6c2edb6639a..41c389e1c58 100644
--- a/cmd/bootstrapper/generator_test.go
+++ b/cmd/bootstrapper/generator_test.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
-	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"os"
@@ -15,6 +14,7 @@ import (
 	pb "github.com/spacemeshos/api/release/go/spacemesh/v1"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/require"
+	"go.uber.org/zap/zaptest"
 
 	"github.com/spacemeshos/go-spacemesh/api/grpcserver"
 	"github.com/spacemeshos/go-spacemesh/bootstrap"
@@ -32,9 +32,6 @@ func TestMain(m *testing.M) {
 
 const (
 	epochLayers      = 3
-	grpcPort         = 9992
-	jsonport         = 9993
-	target           = "localhost"
 	activeSetSize    = 11
 	bitcoinResponse1 = `
 {
@@ -133,9 +130,10 @@ func createAtxs(tb testing.TB, db sql.Executor, epoch types.EpochID, atxids []ty
 	}
 }
 
-func launchServer(tb testing.TB, cdb *datastore.CachedDB) func() {
-	grpcService := grpcserver.New(fmt.Sprintf("127.0.0.1:%d", grpcPort), logtest.New(tb).Named("grpc"))
-	jsonService := grpcserver.NewJSONHTTPServer(fmt.Sprintf("127.0.0.1:%d", jsonport), logtest.New(tb).WithName("grpc.JSON"))
+func launchServer(tb testing.TB, cdb *datastore.CachedDB) (grpcserver.Config, func()) {
+	cfg := grpcserver.DefaultTestConfig()
+	grpcService := grpcserver.New("127.0.0.1:0", zaptest.NewLogger(tb).Named("grpc"), cfg)
+	jsonService := grpcserver.NewJSONHTTPServer("127.0.0.1:0", zaptest.NewLogger(tb).Named("grpc.JSON"))
 	s := grpcserver.NewMeshService(cdb, &MeshAPIMock{}, nil, nil, 0, types.Hash20{}, 0, 0, 0)
 
 	pb.RegisterMeshServiceServer(grpcService.GrpcServer, s)
@@ -145,7 +143,11 @@ func launchServer(tb testing.TB, cdb *datastore.CachedDB) func() {
 	err = jsonService.StartService(context.Background(), s)
 	require.NoError(tb, err)
 
-	return func() {
+	// update config with bound addresses
+	cfg.PublicListener = grpcService.BoundAddress
+	cfg.JSONListener = jsonService.BoundAddress
+
+	return cfg, func() {
 		err := jsonService.Shutdown(context.Background())
 		if !errors.Is(err, http.ErrServerClosed) {
 			require.NoError(tb, err)
@@ -169,7 +171,8 @@ func TestGenerator_Generate(t *testing.T) {
 	targetEpoch := types.EpochID(3)
 	db := sql.InMemory()
 	createAtxs(t, db, targetEpoch-1, types.RandomActiveSet(activeSetSize))
-	t.Cleanup(launchServer(t, datastore.NewCachedDB(db, logtest.New(t))))
+	cfg, cleanup := launchServer(t, datastore.NewCachedDB(db, logtest.New(t)))
+	t.Cleanup(cleanup)
 
 	for _, tc := range []struct {
 		desc            string
@@ -208,7 +211,7 @@ func TestGenerator_Generate(t *testing.T) {
 			fs := afero.NewMemMapFs()
 			g := NewGenerator(
 				ts.URL,
-				fmt.Sprintf("%s:%d", target, grpcPort),
+				cfg.PublicListener,
 				WithLogger(logtest.New(t)),
 				WithFilesystem(fs),
 				WithHttpClient(ts.Client()),
diff --git a/cmd/bootstrapper/server_test.go b/cmd/bootstrapper/server_test.go
index 013499f5032..5e416872a38 100644
--- a/cmd/bootstrapper/server_test.go
+++ b/cmd/bootstrapper/server_test.go
@@ -98,12 +98,13 @@ func updateCheckpoint(t *testing.T, ctx context.Context, data string) {
 
 func TestServer(t *testing.T) {
 	db := sql.InMemory()
-	t.Cleanup(launchServer(t, datastore.NewCachedDB(db, logtest.New(t))))
+	cfg, cleanup := launchServer(t, datastore.NewCachedDB(db, logtest.New(t)))
+	t.Cleanup(cleanup)
 
 	fs := afero.NewMemMapFs()
 	g := NewGenerator(
 		"",
-		fmt.Sprintf("%s:%d", target, grpcPort),
+		cfg.PublicListener,
 		WithLogger(logtest.New(t)),
 		WithFilesystem(fs),
 	)
diff --git a/cmd/root.go b/cmd/root.go
index 0d989b7cd87..246966dfc89 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -284,6 +284,12 @@ func AddCommands(cmd *cobra.Command) {
 		cfg.POSTService.PostServiceCmd, "")
 	cmd.PersistentFlags().StringVar(&cfg.POSTService.NodeAddress, "post-opts-node-address",
 		cfg.POSTService.NodeAddress, "")
+	cmd.PersistentFlags().StringVar(&cfg.POSTService.CACert, "post-opts-ca-cert",
+		cfg.POSTService.CACert, "")
+	cmd.PersistentFlags().StringVar(&cfg.POSTService.Cert, "post-opts-cert",
+		cfg.POSTService.Cert, "")
+	cmd.PersistentFlags().StringVar(&cfg.POSTService.Key, "post-opts-key",
+		cfg.POSTService.Key, "")
 
 	/**======================== Consensus Flags ========================== **/
 
diff --git a/config/config.go b/config/config.go
index 322c94541bf..42588ca750a 100644
--- a/config/config.go
+++ b/config/config.go
@@ -15,6 +15,7 @@ import (
 	"github.com/spacemeshos/go-spacemesh/beacon"
 	"github.com/spacemeshos/go-spacemesh/bootstrap"
 	"github.com/spacemeshos/go-spacemesh/checkpoint"
+	"github.com/spacemeshos/go-spacemesh/common/types"
 	"github.com/spacemeshos/go-spacemesh/datastore"
 	"github.com/spacemeshos/go-spacemesh/fetch"
 	vm "github.com/spacemeshos/go-spacemesh/genvm"
@@ -171,6 +172,7 @@ func DefaultConfig() Config {
 func DefaultTestConfig() Config {
 	conf := DefaultConfig()
 	conf.BaseConfig = defaultTestConfig()
+	conf.Genesis = DefaultTestGenesisConfig()
 	conf.P2P = p2p.DefaultConfig()
 	conf.API = grpcserver.DefaultTestConfig()
 	conf.POSTService = activation.DefaultTestPostServiceConfig()
@@ -184,7 +186,7 @@ func defaultBaseConfig() BaseConfig {
 		FileLock:                     filepath.Join(os.TempDir(), "spacemesh.lock"),
 		CollectMetrics:               false,
 		MetricsPort:                  1010,
-		ProfilerName:                 "gp-spacemesh",
+		ProfilerName:                 "go-spacemesh",
 		LayerDuration:                30 * time.Second,
 		LayersPerEpoch:               3,
 		PoETServers:                  []string{"127.0.0.1"},
@@ -214,6 +216,7 @@ func defaultTestConfig() BaseConfig {
 	conf := defaultBaseConfig()
 	conf.MetricsPort += 10000
 	conf.NetworkHRP = "stest"
+	types.SetNetworkHRP(conf.NetworkHRP)
 	return conf
 }
 
diff --git a/config/presets/fastnet.go b/config/presets/fastnet.go
index 414747e79d2..df2c984a883 100644
--- a/config/presets/fastnet.go
+++ b/config/presets/fastnet.go
@@ -18,9 +18,8 @@ func init() {
 
 func fastnet() config.Config {
 	conf := config.DefaultConfig()
-
 	conf.NetworkHRP = "stest"
-	types.SetNetworkHRP(conf.NetworkHRP) // set to generate coinbase
+
 	conf.BaseConfig.OptFilterThreshold = 90
 	conf.BaseConfig.DatabasePruneInterval = time.Minute
 
@@ -70,6 +69,7 @@ func fastnet() config.Config {
 	conf.POST.MaxNumUnits = 4
 	conf.POST.MinNumUnits = 2
 
+	types.SetNetworkHRP(conf.NetworkHRP) // ensure that the correct HRP is set when generating the address below
 	conf.SMESHING.CoinbaseAccount = types.GenerateAddress([]byte("1")).String()
 	conf.SMESHING.Start = false
 	conf.SMESHING.Opts.ProviderID.SetInt64(int64(initialization.CPUProviderID()))
diff --git a/config/presets/presets.go b/config/presets/presets.go
index 0a4196fa6a0..28f3838d116 100644
--- a/config/presets/presets.go
+++ b/config/presets/presets.go
@@ -28,8 +28,7 @@ func Options() []string {
 func Get(name string) (config.Config, error) {
 	config, exists := presets[name]
 	if !exists {
-		return config, fmt.Errorf("preset %s is not registered. select one from the options %+s",
-			name, Options())
+		return config, fmt.Errorf("preset %s is not registered. select one from the options %+s", name, Options())
 	}
 	return config, nil
 }
diff --git a/config/presets/standalone.go b/config/presets/standalone.go
index f91690035a2..35fa04b6b43 100644
--- a/config/presets/standalone.go
+++ b/config/presets/standalone.go
@@ -20,7 +20,6 @@ func init() {
 func standalone() config.Config {
 	conf := config.DefaultConfig()
 	conf.NetworkHRP = "standalone"
-	types.SetNetworkHRP(conf.NetworkHRP) // set to generate coinbase
 
 	conf.TIME.Peersync.Disable = true
 	conf.Standalone = true
@@ -56,6 +55,7 @@ func standalone() config.Config {
 	conf.POST.MaxNumUnits = 2
 	conf.POST.MinNumUnits = 1
 
+	types.SetNetworkHRP(conf.NetworkHRP) // ensure that the correct HRP is set when generating the address below
 	conf.SMESHING.CoinbaseAccount = types.GenerateAddress([]byte("1")).String()
 	conf.SMESHING.Start = true
 	conf.SMESHING.Opts.ProviderID.SetInt64(int64(initialization.CPUProviderID()))
diff --git a/go.mod b/go.mod
index fc516e695e3..318b8edd4dd 100644
--- a/go.mod
+++ b/go.mod
@@ -1,11 +1,11 @@
 module github.com/spacemeshos/go-spacemesh
 
-go 1.21.1
+go 1.21.3
 
 require (
 	cloud.google.com/go/storage v1.33.0
 	github.com/ALTree/bigfloat v0.2.0
-	github.com/chaos-mesh/chaos-mesh/api v0.0.0-20230921024434-5dc1c2e7b958
+	github.com/chaos-mesh/chaos-mesh/api v0.0.0-20231016140705-13ea12f85a58
 	github.com/cosmos/btcutil v1.0.5
 	github.com/go-llsqlite/crawshaw v0.4.0
 	github.com/gofrs/flock v0.8.1
@@ -33,13 +33,13 @@ require (
 	github.com/prometheus/common v0.45.0
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
 	github.com/seehuhn/mt19937 v1.0.0
-	github.com/spacemeshos/api/release/go v1.21.1-0.20231004094005-50f3a79535bf
+	github.com/spacemeshos/api/release/go v1.22.0
 	github.com/spacemeshos/economics v0.1.1
 	github.com/spacemeshos/fixed v0.1.1
 	github.com/spacemeshos/go-scale v1.1.12
 	github.com/spacemeshos/merkle-tree v0.2.3
 	github.com/spacemeshos/poet v0.9.7
-	github.com/spacemeshos/post v0.9.5
+	github.com/spacemeshos/post v0.10.0
 	github.com/spf13/afero v1.10.0
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
@@ -50,9 +50,9 @@ require (
 	go.uber.org/atomic v1.11.0
 	go.uber.org/mock v0.3.0
 	go.uber.org/zap v1.26.0
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9
+	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
 	golang.org/x/sync v0.4.0
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b
 	google.golang.org/grpc v1.59.0
 	google.golang.org/protobuf v1.31.0
 	k8s.io/api v0.28.3
@@ -63,9 +63,9 @@ require (
 
 require (
 	cloud.google.com/go v0.110.8 // indirect
-	cloud.google.com/go/compute v1.23.0 // indirect
+	cloud.google.com/go/compute v1.23.1 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v1.1.2 // indirect
+	cloud.google.com/go/iam v1.1.3 // indirect
 	github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
 	github.com/anacrolix/chansync v0.3.0 // indirect
 	github.com/anacrolix/missinggo v1.2.1 // indirect
@@ -207,14 +207,14 @@ require (
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.13.0 // indirect
+	golang.org/x/tools v0.14.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	gonum.org/v1/gonum v0.13.0 // indirect
 	google.golang.org/api v0.143.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230920204549-e6e6cdab5c13 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20230920204549-e6e6cdab5c13 // indirect
+	google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
diff --git a/go.sum b/go.sum
index fbff5cfcb94..239a4e6889a 100644
--- a/go.sum
+++ b/go.sum
@@ -27,14 +27,14 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY=
-cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
+cloud.google.com/go/compute v1.23.1 h1:V97tBoDaZHb6leicZ1G6DLK2BAaZLJ/7+9BB/En3hR0=
+cloud.google.com/go/compute v1.23.1/go.mod h1:CqB3xpmPKKt3OJpW2ndFIXnA9A4xAy/F3Xp1ixncW78=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
-cloud.google.com/go/iam v1.1.2 h1:gacbrBdWcoVmGLozRuStX45YKvJtzIjJdAolzUs1sm4=
-cloud.google.com/go/iam v1.1.2/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU=
+cloud.google.com/go/iam v1.1.3 h1:18tKG7DzydKWUnLjonWcJO6wjSCAtzh4GcRKlH/Hrzc=
+cloud.google.com/go/iam v1.1.3/go.mod h1:3khUlaBXfPKKe7huYgEpDn6FtgRyMEqbkvBxrQyY5SE=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
 cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
@@ -93,8 +93,8 @@ github.com/c0mm4nd/go-ripemd v0.0.0-20200326052756-bd1759ad7d10/go.mod h1:mYPR+a
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chaos-mesh/chaos-mesh/api v0.0.0-20230921024434-5dc1c2e7b958 h1:ZbUxM01X+rNdowNAY0V+pEmPwClZ3Yk3jeEXZnlBIsQ=
-github.com/chaos-mesh/chaos-mesh/api v0.0.0-20230921024434-5dc1c2e7b958/go.mod h1:D0MCl3VJDwy+kjliAbf/RIBk1aeE5fOsvjzNSmZHF6E=
+github.com/chaos-mesh/chaos-mesh/api v0.0.0-20231016140705-13ea12f85a58 h1:RC50yuqq3d3APo7l67UXLdNXTcNrEwSbmWzZ5ESjD7I=
+github.com/chaos-mesh/chaos-mesh/api v0.0.0-20231016140705-13ea12f85a58/go.mod h1:D0MCl3VJDwy+kjliAbf/RIBk1aeE5fOsvjzNSmZHF6E=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@@ -641,8 +641,8 @@ github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d/go.mod h1:Udh
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e/go.mod h1:HuIsMU8RRBOtsCgI77wP899iHVBQpCmg4ErYMZB+2IA=
-github.com/spacemeshos/api/release/go v1.21.1-0.20231004094005-50f3a79535bf h1:V28Dks9MHBCHtikkSIms07labbSlGjd29CILPqV3LCw=
-github.com/spacemeshos/api/release/go v1.21.1-0.20231004094005-50f3a79535bf/go.mod h1:FevAAtamzj+f/PkXdAyLVB0yHG5CG5rp/TPmutmj2GA=
+github.com/spacemeshos/api/release/go v1.22.0 h1:a90pk3CK2QQdJRhHkjKB5dz8xdJV4ILxQRZj5bZdtLc=
+github.com/spacemeshos/api/release/go v1.22.0/go.mod h1:SwqQxbhAF7tN3Qr34eVzczCB3KyTbkHH12U82eqfy6M=
 github.com/spacemeshos/economics v0.1.1 h1:BPgMoTaeQ05ME6wEA1+MvXMp+wvXr51bIuN23thrCAk=
 github.com/spacemeshos/economics v0.1.1/go.mod h1:76nTjugYRiQ5/eD/DQs2dXPPilp28URMswUKncfdanY=
 github.com/spacemeshos/fixed v0.1.1 h1:N1y4SUpq1EV+IdJrWJwUCt1oBFzeru/VKVcBsvPc2Fk=
@@ -653,8 +653,8 @@ github.com/spacemeshos/merkle-tree v0.2.3 h1:zGEgOR9nxAzJr0EWjD39QFngwFEOxfxMloE
 github.com/spacemeshos/merkle-tree v0.2.3/go.mod h1:VomOcQ5pCBXz7goiWMP5hReyqOfDXGSKbrH2GB9Htww=
 github.com/spacemeshos/poet v0.9.7 h1:FmKhgUKj//8Tzn8czWSIrn6+FVUFZbvLh8zqLfB8dfE=
 github.com/spacemeshos/poet v0.9.7/go.mod h1:wGCdhs2jnfQ52Amcmygv9uEEwYpdHAPjbiPg0Uf6cNQ=
-github.com/spacemeshos/post v0.9.5 h1:seIRBKt22Y2C6k/grRPl9KgR7XmTMwp+kIuBY/c7VQM=
-github.com/spacemeshos/post v0.9.5/go.mod h1:jGwvAiJAnThEx1eNCvHszgoIpiXiWHxjEv4YIcjBhLQ=
+github.com/spacemeshos/post v0.10.0 h1:A0+Jb0srOhaPRrQDPpZjJjLVexswt2lC7bjlmHk4oaw=
+github.com/spacemeshos/post v0.10.0/go.mod h1:FPa130ioHforcqca0vqJrYjgUsYzTBwivy6lyLy7sKA=
 github.com/spacemeshos/sha256-simd v0.1.0 h1:G7Mfu5RYdQiuE+wu4ZyJ7I0TI74uqLhFnKblEnSpjYI=
 github.com/spacemeshos/sha256-simd v0.1.0/go.mod h1:O8CClVIilId7RtuCMV2+YzMj6qjVn75JsxOxaE8vcfM=
 github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI=
@@ -779,8 +779,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1016,8 +1016,8 @@ golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
-golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc=
+golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1104,12 +1104,12 @@ google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20230920204549-e6e6cdab5c13 h1:vlzZttNJGVqTsRFU9AmdnrcO1Znh8Ew9kCD//yjigk0=
-google.golang.org/genproto v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:CCviP9RmpZ1mxVr8MUjCnSiY09IbAXZxhLE6EhHIdPU=
-google.golang.org/genproto/googleapis/api v0.0.0-20230920204549-e6e6cdab5c13 h1:U7+wNaVuSTaUqNvK2+osJ9ejEZxbjHHk8F2b6Hpx0AE=
-google.golang.org/genproto/googleapis/api v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:RdyHbowztCGQySiCvQPgWQWgWhGnouTdCflKoDBt32U=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13 h1:N3bU/SQDCDyD6R528GJ/PwW9KjYcJA3dgyH+MovAkIM=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:KSqppvjFjtoCI+KGd4PELB0qLNxdJHRGqRI09mB6pQA=
+google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b h1:+YaDE2r2OG8t/z5qmsh7Y+XXwCbvadxxZ0YY6mTdrVA=
+google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:CgAqfJo+Xmu0GwA0411Ht3OU3OntXwsGmrmjI8ioGXI=
+google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b h1:CIC2YMXmIhYw6evmhPxBKJ4fmLbOFtXQN/GV3XOZR8k=
+google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:IBQ646DjkDkvUIsVq/cc03FUFQ9wbZu7yE396YcL870=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b h1:ZlWIi1wSK56/8hn4QcBp/j9M7Gt3U/3hZw3mC7vDICo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:swOH3j0KzcDDgGUWr+SNpyTen5YrXjS3eyPzFYKc6lc=
 google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.16.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
diff --git a/node/bad_peer_test.go b/node/bad_peer_test.go
index 3666f5756dc..17e8db0ceff 100644
--- a/node/bad_peer_test.go
+++ b/node/bad_peer_test.go
@@ -38,11 +38,11 @@ func TestPeerDisconnectForMessageResultValidationReject(t *testing.T) {
 	conf1.API.PublicListener = "0.0.0.0:0"
 	conf1.API.PrivateListener = "0.0.0.0:0"
 	app1 := NewApp(t, &conf1, l)
-	conf2 := config.DefaultTestConfig()
 
 	// We need to copy the genesis config to ensure that both nodes share the
-	// same gnenesis ID, otherwise they will not be able to connect to each
+	// same genesis ID, otherwise they will not be able to connect to each
 	// other.
+	conf2 := config.DefaultTestConfig()
 	*conf2.Genesis = *conf1.Genesis
 	conf2.DataDirParent = t.TempDir()
 	conf2.FileLock = filepath.Join(conf2.DataDirParent, "LOCK")
@@ -56,12 +56,12 @@ func TestPeerDisconnectForMessageResultValidationReject(t *testing.T) {
 		app1.Cleanup(ctx)
 		app2.Cleanup(ctx)
 	})
-	g, grpContext := errgroup.WithContext(ctx)
-	g.Go(func() error {
+	eg, grpContext := errgroup.WithContext(ctx)
+	eg.Go(func() error {
 		return app1.Start(grpContext)
 	})
 	<-app1.Started()
-	g.Go(func() error {
+	eg.Go(func() error {
 		return app2.Start(grpContext)
 	})
 	<-app2.Started()
@@ -121,7 +121,7 @@ func TestPeerDisconnectForMessageResultValidationReject(t *testing.T) {
 	// Stop the nodes by canceling the context
 	cancel()
 	// Wait for nodes to finish
-	require.NoError(t, g.Wait())
+	require.NoError(t, eg.Wait())
 }
 
 func getStream(c network.Conn, p protocol.ID, dir network.Direction) network.Stream {
diff --git a/node/node.go b/node/node.go
index e329ecc10e6..0a8aac4a221 100644
--- a/node/node.go
+++ b/node/node.go
@@ -19,8 +19,6 @@ import (
 	pyroscope "github.com/grafana/pyroscope-go"
 	grpc_logsettable "github.com/grpc-ecosystem/go-grpc-middleware/logging/settable"
 	grpczap "github.com/grpc-ecosystem/go-grpc-middleware/logging/zap"
-	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
-	grpctags "github.com/grpc-ecosystem/go-grpc-middleware/tags"
 	"github.com/mitchellh/mapstructure"
 	"github.com/spacemeshos/poet/server"
 	"github.com/spacemeshos/post/verifying"
@@ -30,7 +28,6 @@ import (
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 	"golang.org/x/sync/errgroup"
-	"google.golang.org/grpc"
 
 	"github.com/spacemeshos/go-spacemesh/activation"
 	"github.com/spacemeshos/go-spacemesh/api/grpcserver"
@@ -317,48 +314,49 @@ func New(opts ...Option) *App {
 // App is the cli app singleton.
 type App struct {
 	*cobra.Command
-	fileLock           *flock.Flock
-	edSgn              *signing.EdSigner
-	Config             *config.Config
-	db                 *sql.Database
-	dbMetrics          *dbmetrics.DBMetricsCollector
-	grpcPublicService  *grpcserver.Server
-	grpcPrivateService *grpcserver.Server
-	jsonAPIService     *grpcserver.JSONHTTPServer
-	grpcPostService    *grpcserver.PostService
-	pprofService       *http.Server
-	profilerService    *pyroscope.Profiler
-	syncer             *syncer.Syncer
-	proposalListener   *proposals.Handler
-	proposalBuilder    *miner.ProposalBuilder
-	mesh               *mesh.Mesh
-	cachedDB           *datastore.CachedDB
-	clock              *timesync.NodeClock
-	hare               *hare.Hare
-	hare3              *hare3.Hare
-	hOracle            *eligibility.Oracle
-	blockGen           *blocks.Generator
-	certifier          *blocks.Certifier
-	postSetupMgr       *activation.PostSetupManager
-	atxBuilder         *activation.Builder
-	nipostBuilder      *activation.NIPostBuilder
-	atxHandler         *activation.Handler
-	txHandler          *txs.TxHandler
-	validator          *activation.Validator
-	edVerifier         *signing.EdVerifier
-	beaconProtocol     *beacon.ProtocolDriver
-	log                log.Log
-	svm                *vm.VM
-	conState           *txs.ConservativeState
-	fetcher            *fetch.Fetch
-	ptimesync          *peersync.Sync
-	tortoise           *tortoise.Tortoise
-	updater            *bootstrap.Updater
-	poetDb             *activation.PoetDb
-	postVerifier       *activation.OffloadingPostVerifier
-	postSupervisor     *activation.PostSupervisor
-	preserve           *checkpoint.PreservedData
-	errCh              chan error
+	fileLock          *flock.Flock
+	edSgn             *signing.EdSigner
+	Config            *config.Config
+	db                *sql.Database
+	dbMetrics         *dbmetrics.DBMetricsCollector
+	grpcPublicServer  *grpcserver.Server
+	grpcPrivateServer *grpcserver.Server
+	grpcTLSServer     *grpcserver.Server
+	jsonAPIServer     *grpcserver.JSONHTTPServer
+	grpcPostService   *grpcserver.PostService
+	pprofService      *http.Server
+	profilerService   *pyroscope.Profiler
+	syncer            *syncer.Syncer
+	proposalListener  *proposals.Handler
+	proposalBuilder   *miner.ProposalBuilder
+	mesh              *mesh.Mesh
+	cachedDB          *datastore.CachedDB
+	clock             *timesync.NodeClock
+	hare              *hare.Hare
+	hare3             *hare3.Hare
+	hOracle           *eligibility.Oracle
+	blockGen          *blocks.Generator
+	certifier         *blocks.Certifier
+	postSetupMgr      *activation.PostSetupManager
+	atxBuilder        *activation.Builder
+	nipostBuilder     *activation.NIPostBuilder
+	atxHandler        *activation.Handler
+	txHandler         *txs.TxHandler
+	validator         *activation.Validator
+	edVerifier        *signing.EdVerifier
+	beaconProtocol    *beacon.ProtocolDriver
+	log               log.Log
+	svm               *vm.VM
+	conState          *txs.ConservativeState
+	fetcher           *fetch.Fetch
+	ptimesync         *peersync.Sync
+	tortoise          *tortoise.Tortoise
+	updater           *bootstrap.Updater
+	poetDb            *activation.PoetDb
+	postVerifier      *activation.OffloadingPostVerifier
+	postSupervisor    *activation.PostSupervisor
+	preserve          *checkpoint.PreservedData
+	errCh             chan error
 
 	host *p2p.Host
 
@@ -1314,58 +1312,17 @@ func (app *App) initService(
 	return nil, fmt.Errorf("unknown service %s", svc)
 }
 
-func unaryGrpcLogStart(
-	ctx context.Context,
-	req any,
-	_ *grpc.UnaryServerInfo,
-	handler grpc.UnaryHandler,
-) (any, error) {
-	ctxzap.Info(ctx, "started unary call")
-	return handler(ctx, req)
-}
-
-func streamingGrpcLogStart(
-	srv any,
-	stream grpc.ServerStream,
-	_ *grpc.StreamServerInfo,
-	handler grpc.StreamHandler,
-) error {
-	ctxzap.Info(stream.Context(), "started streaming call")
-	return handler(srv, stream)
-}
-
-func (app *App) newGrpc(logger log.Log, endpoint string) *grpcserver.Server {
-	return grpcserver.New(
-		endpoint,
-		logger,
-		grpc.ChainStreamInterceptor(
-			grpctags.StreamServerInterceptor(),
-			grpczap.StreamServerInterceptor(logger.Zap()),
-			streamingGrpcLogStart,
-		),
-		grpc.ChainUnaryInterceptor(
-			grpctags.UnaryServerInterceptor(),
-			grpczap.UnaryServerInterceptor(logger.Zap()),
-			unaryGrpcLogStart,
-		),
-		grpc.MaxSendMsgSize(app.Config.API.GrpcSendMsgSize),
-		grpc.MaxRecvMsgSize(app.Config.API.GrpcRecvMsgSize),
-	)
-}
-
 func (app *App) startAPIServices(ctx context.Context) error {
 	logger := app.addLogger(GRPCLogger, app.log)
 	grpczap.SetGrpcLoggerV2(grpclog, logger.Zap())
 	var (
-		unique = map[grpcserver.Service]struct{}{}
-		public []grpcserver.ServiceAPI
+		unique        = map[grpcserver.Service]struct{}{}
+		public        []grpcserver.ServiceAPI
+		private       []grpcserver.ServiceAPI
+		authenticated []grpcserver.ServiceAPI
 	)
-	if len(app.Config.API.PublicServices) > 0 {
-		app.grpcPublicService = app.newGrpc(logger, app.Config.API.PublicListener)
-	}
-	if len(app.Config.API.PrivateServices) > 0 {
-		app.grpcPrivateService = app.newGrpc(logger, app.Config.API.PrivateListener)
-	}
+
+	// check services for uniques across all endpoints
 	for _, svc := range app.Config.API.PublicServices {
 		if _, exists := unique[svc]; exists {
 			return fmt.Errorf("can't start more than one %s", svc)
@@ -1375,7 +1332,6 @@ func (app *App) startAPIServices(ctx context.Context) error {
 			return err
 		}
 		logger.Info("registering public service %s", svc)
-		gsvc.RegisterService(app.grpcPublicService)
 		public = append(public, gsvc)
 		unique[svc] = struct{}{}
 	}
@@ -1388,48 +1344,84 @@ func (app *App) startAPIServices(ctx context.Context) error {
 			return err
 		}
 		logger.Info("registering private service %s", svc)
-		gsvc.RegisterService(app.grpcPrivateService)
+		private = append(private, gsvc)
 		unique[svc] = struct{}{}
 	}
-	if len(app.Config.API.JSONListener) > 0 {
-		if len(public) == 0 {
-			return fmt.Errorf("can't start json server without public services")
+	for _, svc := range app.Config.API.TLSServices {
+		if _, exists := unique[svc]; exists {
+			return fmt.Errorf("can't start more than one %s", svc)
 		}
-		app.jsonAPIService = grpcserver.NewJSONHTTPServer(
-			app.Config.API.JSONListener,
-			logger.WithName("JSON"),
-		)
-		app.jsonAPIService.StartService(ctx, public...)
+		gsvc, err := app.initService(ctx, svc)
+		if err != nil {
+			return err
+		}
+		logger.Info("registering authenticated service %s", svc)
+		authenticated = append(authenticated, gsvc)
+		unique[svc] = struct{}{}
 	}
-	if app.grpcPublicService != nil {
-		if err := app.grpcPublicService.Start(); err != nil {
+
+	// start servers if at least one endpoint is defined for them
+	if len(public) > 0 {
+		var err error
+		app.grpcPublicServer, err = grpcserver.NewPublic(logger.Zap(), app.Config.API, public)
+		if err != nil {
+			return err
+		}
+		if err := app.grpcPublicServer.Start(); err != nil {
 			return err
 		}
 	}
-	if app.grpcPrivateService != nil {
-		if err := app.grpcPrivateService.Start(); err != nil {
+	if len(private) > 0 {
+		var err error
+		app.grpcPrivateServer, err = grpcserver.NewPrivate(logger.Zap(), app.Config.API, private)
+		if err != nil {
+			return err
+		}
+		if err := app.grpcPrivateServer.Start(); err != nil {
 			return err
 		}
 	}
+	if len(authenticated) > 0 {
+		var err error
+		app.grpcTLSServer, err = grpcserver.NewTLS(logger.Zap(), app.Config.API, authenticated)
+		if err != nil {
+			return err
+		}
+	}
+
+	if len(app.Config.API.JSONListener) > 0 {
+		if len(public) == 0 {
+			return fmt.Errorf("start json server without public services")
+		}
+		app.jsonAPIServer = grpcserver.NewJSONHTTPServer(
+			app.Config.API.JSONListener,
+			logger.Zap().Named("JSON"),
+		)
+		if err := app.jsonAPIServer.StartService(ctx, public...); err != nil {
+			return fmt.Errorf("start listen server: %w", err)
+		}
+	}
 	return nil
 }
 
 func (app *App) stopServices(ctx context.Context) {
-	if app.jsonAPIService != nil {
-		if err := app.jsonAPIService.Shutdown(ctx); err != nil {
+	if app.jsonAPIServer != nil {
+		if err := app.jsonAPIServer.Shutdown(ctx); err != nil {
 			app.log.With().Error("error stopping json gateway server", log.Err(err))
 		}
 	}
 
-	if app.grpcPublicService != nil {
+	if app.grpcPublicServer != nil {
 		app.log.Info("stopping public grpc service")
-		// does not return any errors
-		_ = app.grpcPublicService.Close()
+		app.grpcPublicServer.Close() // err is always nil
 	}
-	if app.grpcPrivateService != nil {
+	if app.grpcPrivateServer != nil {
 		app.log.Info("stopping private grpc service")
-		// does not return any errors
-		_ = app.grpcPrivateService.Close()
+		app.grpcPrivateServer.Close() // err is always nil
+	}
+	if app.grpcTLSServer != nil {
+		app.log.Info("stopping tls grpc service")
+		app.grpcTLSServer.Close() // err is always nil
 	}
 
 	if app.updater != nil {
diff --git a/node/node_test.go b/node/node_test.go
index 50dded11a62..3fac5f276a1 100644
--- a/node/node_test.go
+++ b/node/node_test.go
@@ -450,6 +450,7 @@ func TestSpacemeshApp_NodeService(t *testing.T) {
 
 	app := New(WithLog(logger))
 	app.Config = getTestDefaultConfig(t)
+	types.SetNetworkHRP(app.Config.NetworkHRP) // ensure that the correct HRP is set when generating the address below
 	app.Config.SMESHING.CoinbaseAccount = types.GenerateAddress([]byte{1}).String()
 	app.Config.SMESHING.Opts.DataDir = t.TempDir()
 	app.Config.SMESHING.Opts.Scrypt.N = 2
@@ -1179,7 +1180,7 @@ func TestAdminEvents(t *testing.T) {
 		app.eg.Wait() // https://github.com/spacemeshos/go-spacemesh/issues/4653
 		return nil
 	})
-	t.Cleanup(func() { eg.Wait() })
+	t.Cleanup(func() { assert.NoError(t, eg.Wait()) })
 
 	grpcCtx, cancel := context.WithTimeout(ctx, 20*time.Second)
 	defer cancel()
diff --git a/node/util_test.go b/node/test_network.go
similarity index 97%
rename from node/util_test.go
rename to node/test_network.go
index aa55b35990a..00eefa91caa 100644
--- a/node/util_test.go
+++ b/node/test_network.go
@@ -64,7 +64,7 @@ func NewTestNetwork(t *testing.T, conf config.Config, l log.Log, size int) []*Te
 
 		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 		defer cancel()
-		conn, err := grpc.DialContext(ctx, app.grpcPublicService.BoundAddress,
+		conn, err := grpc.DialContext(ctx, app.grpcPublicServer.BoundAddress,
 			grpc.WithTransportCredentials(insecure.NewCredentials()),
 			grpc.WithBlock(),
 		)