Configure JWT authentication
The HTTP connection between your beacon node and execution node needs to be authenticated using a JWT token. There are several ways to generate this JWT token:
- Use an online generator like this. Copy and paste this value into a
jwt.hexfile. - Use a utility like OpenSSL to create the token via command:
openssl rand -hex 32 | tr -d "\n" > "jwt.hex". - Use an execution client to generate the
jwt.hexfile. - Use Prysm to generate the
jwt.hexfile:
- Windows
- Linux, MacOS, Arm64
SET USE_PRYSM_VERSION=v2.1.4-rc.0prysm.bat beacon-chain generate-auth-secretUSE_PRYSM_VERSION=v2.1.4-rc.0./prysm.sh beacon-chain generate-auth-secretPrysm will output a jwt.hex file path.
Configure execution node#
Your execution node will need to expose a new port and then use the JWT token to authenticate your beacon node's connection to that port. This new port exposes your execution node's Engine API, a new API that facilitates Ethereum's transition to a proof-of-stake consensus mechanism.
Using the latest version of your execution client software, issue the following command to configure your execution node's JWT token and Engine API endpoint:
- Nethermind
- Besu
- Geth
- Ropsten
- Sepolia
- Goerli-Prater
- Mainnet
Nethermind.Runner --config ropsten --JsonRpc.Enabled true --JsonRpc.JwtSecretFile=path/to/jwt.hex --Merge.TerminalTotalDifficulty 50000000000000000Nethermind.Runner --config sepolia --JsonRpc.Enabled true --JsonRpc.JwtSecretFile=path/to/jwt.hex --Merge.TerminalTotalDifficulty 17000000000000000With JWT configured (see our v2.1.4-rc0 guide):
Nethermind.Runner --config goerli --JsonRpc.Enabled true --JsonRpc.Enabled true --JsonRpc.JwtSecretFile=path/to/jwt.hexWithout JWT configured:
Nethermind.Runner --config goerli --JsonRpc.Enabled trueMainnet isn't ready for Merge configuration yet, so JWT configuration isn't available.
Nethermind.Runner --config mainnet --JsonRpc.Enabled trueSee Nethermind's Running Nethermind Post Merge for more information.
- Ropsten
- Sepolia
- Goerli-Prater
- Mainnet
besu --network=ropsten --rpc-http-enabled --engine-jwt-enabled=true --engine-jwt-secret=path/to/jwt.hex --engine-host-allowlist="*" --override-genesis-config="terminalTotalDifficulty=50000000000000000"besu --network=sepolia --rpc-http-enabled --engine-jwt-enabled=true --engine-jwt-secret=path/to/jwt.hex --engine-host-allowlist="*" --override-genesis-config="terminalTotalDifficulty=17000000000000000"With JWT configured (see our v2.1.4-rc0 guide):
besu --network=goerli --rpc-http-enabled --engine-jwt-enabled=true --engine-jwt-secret=path/to/jwt.hex --engine-host-allowlist="*"Without JWT configured:
besu --network=goerli --rpc-http-enabledMainnet isn't ready for Merge configuration yet, so no changes are needed.
besu --network=mainnet --rpc-http-enabledSee Besu's command-line options for parameter definitions.
- Ropsten
- Sepolia
- Goerli-Prater
- Mainnet
geth --ropsten --http --http.api eth,net,engine,admin --authrpc.vhosts="localhost" --authrpc.jwtsecret=path/to/jwt.hex --override.terminaltotaldifficulty 50000000000000000geth --sepolia --http --http.api eth,net,engine,admin --authrpc.vhosts="localhost" --authrpc.jwtsecret=path/to/jwt.hex --override.terminaltotaldifficulty 17000000000000000With JWT configured (see our v2.1.4-rc0 guide):
geth --goerli --http --http.api eth,net,engine,admin --authrpc.vhosts="localhost" --authrpc.jwtsecret=path/to/jwt.hexWithout JWT configured:
geth --goerli --http --http.api eth,net,engine,adminMainnet isn't ready for Merge configuration yet, so no changes are needed.
geth --mainnet --http --http.api eth,net,engine,adminSee Geth's command-line options for parameter definitions.
Configure beacon node#
Next, we'll configure your beacon node to consume your JWT token so it can form an authenticated HTTP connection with your execution node.
If you're running a validator, specifying a suggested-fee-recipient wallet address will allow you to earn what were previously miner transaction fee tips. Note that transaction fee tips are forwarded to a Ethereum Mainnet address (liquid, withdrawable), not to your validator's account balance (illiquid, not yet withdrawable). This suggested-fee-recipient address must be specified if you're running a validator, otherwise the transaction fee tips that you earn will be permanently lost. See Configuring a Fee Recipient Address to learn more about this feature.
- Windows
- Linux, MacOS, Arm64
- Ropsten
- Sepolia
- Goerli-Prater
- Mainnet
Download the Ropsten genesis state from Github and run the following command:
prysm.bat beacon-chain --http-web3provider=http://localhost:8551 --ropsten --jwt-secret=path/to/jwt.hex --genesis-state=genesis.ssz --suggested-fee-recipient=0x01234567722E6b0000012BFEBf6177F1D2e9758D9Download the Sepolia genesis state from Github and run the following command:
prysm.bat beacon-chain --http-web3provider=http://localhost:8551 --sepolia --jwt-secret=path/to/jwt.hex --genesis-state=genesis.ssz --suggested-fee-recipient=0x01234567722E6b0000012BFEBf6177F1D2e9758D9Download the Prater genesis state from Github.
With JWT configured (see our v2.1.4-rc0 guide):
prysm.bat beacon-chain --http-web3provider=http://localhost:8551 --prater --jwt-secret=path/to/jwt.hex --genesis-state=genesis.ssz --suggested-fee-recipient=0x01234567722E6b0000012BFEBf6177F1D2e9758D9Without JWT configured:
prysm.bat beacon-chain --http-web3provider=http://localhost:8545 --prater --genesis-state=genesis.ssz --suggested-fee-recipient=0x01234567722E6b0000012BFEBf6177F1D2e9758D9Mainnet isn't ready for Merge configuration yet, so no changes are needed.
prysm.bat beacon-chain --http-web3provider=http://localhost:8545 --mainnet --suggested-fee-recipient=0x01234567722E6b0000012BFEBf6177F1D2e9758D9- Ropsten
- Sepolia
- Goerli-Prater
- Mainnet
Download the Ropsten genesis state from Githuband run the following command:
./prysm.sh beacon-chain --http-web3provider=http://localhost:8551 --ropsten --jwt-secret=path/to/jwt.hex --genesis-state=genesis.ssz --suggested-fee-recipient=0x01234567722E6b0000012BFEBf6177F1D2e9758D9Download the Sepolia genesis state from Github and run the following command:
./prysm.sh beacon-chain --http-web3provider=http://localhost:8551 --sepolia --jwt-secret=path/to/jwt.hex --genesis-state=genesis.ssz --suggested-fee-recipient=0x01234567722E6b0000012BFEBf6177F1D2e9758D9Download the Prater genesis state from Github.
With JWT configured (see our v2.1.4-rc0 guide):
./prysm.sh beacon-chain --http-web3provider=http://localhost:8551 --prater --jwt-secret=path/to/jwt.hex --genesis-state=genesis.ssz --suggested-fee-recipient=0x01234567722E6b0000012BFEBf6177F1D2e9758D9Without JWT configured:
./prysm.sh beacon-chain --http-web3provider=http://localhost:8545 --prater --genesis-state=genesis.ssz --suggested-fee-recipient=0x01234567722E6b0000012BFEBf6177F1D2e9758D9Mainnet isn't ready for Merge configuration yet, so no changes are needed.
./prysm.sh beacon-chain --http-web3provider=http://localhost:8545 --mainnet --suggested-fee-recipient=0x01234567722E6b0000012BFEBf6177F1D2e9758D9