Skip to main content

Configure JWT authentication

The HTTP connection between your beacon node and execution node needs to be authenticated using a JWT token. There are several ways to generate this JWT token:

  • Use an online generator like this. Copy and paste this value into a jwt.hex file.
  • Use a utility like OpenSSL to create the token via command: openssl rand -hex 32 | tr -d "\n" > "jwt.hex".
  • Use an execution client to generate the jwt.hex file.
  • Use Prysm to generate the jwt.hex file:
USE_PRYSM_VERSION=v2.1.4-rc.0./prysm.sh beacon-chain generate-auth-secret

Prysm will output a jwt.hex file path.

Configure execution node#

Your execution node will need to expose a new port and then use the JWT token to authenticate your beacon node's connection to that port. This new port exposes your execution node's Engine API, a new API that facilitates Ethereum's transition to a proof-of-stake consensus mechanism.

Using the latest version of your execution client software, issue the following command to configure your execution node's JWT token and Engine API endpoint:

Mainnet isn't ready for Merge configuration yet, so JWT configuration isn't available.

Nethermind.Runner --config mainnet --JsonRpc.Enabled true

See Nethermind's Running Nethermind Post Merge for more information.

Configure beacon node#

Next, we'll configure your beacon node to consume your JWT token so it can form an authenticated HTTP connection with your execution node.

If you're running a validator, specifying a suggested-fee-recipient wallet address will allow you to earn what were previously miner transaction fee tips. Note that transaction fee tips are forwarded to a Ethereum Mainnet address (liquid, withdrawable), not to your validator's account balance (illiquid, not yet withdrawable). This suggested-fee-recipient address must be specified if you're running a validator, otherwise the transaction fee tips that you earn will be permanently lost. See Configuring a Fee Recipient Address to learn more about this feature.

Mainnet isn't ready for Merge configuration yet, so no changes are needed.

./prysm.sh beacon-chain --http-web3provider=http://localhost:8545 --mainnet --suggested-fee-recipient=0x01234567722E6b0000012BFEBf6177F1D2e9758D9