Skip to main content

Configure JWT authentication


This guidance is relevant only if your beacon node is connecting to your execution node over HTTP. If you're using IPC, you can ignore this. If you want to learn how to use IPC, see our Quickstart.

First, select a configuration:

The HTTP connection between your beacon node and execution node needs to be authenticated using a JWT token. There are several ways to generate this JWT token:

  • Use a utility like OpenSSL to create the token via command: openssl rand -hex 32 | tr -d "\n" > "jwt.hex".
  • Use an execution client to generate the jwt.hex file.
  • Use Prysm to generate the jwt.hex file:
## Optional. This command is necessary only if you've previously configured USE_PRYSM_VERSION

## Required.
./ beacon-chain generate-auth-secret

Prysm will output a jwt.hex file path.


Ensure that the script, user, or terminal window used to create and access your JWT token has the permissions it needs. Windows users may need to run command windows as Administrator.

Configure execution node

Your execution node needs to expose a new port and then use the JWT token to authenticate your beacon node's connection to that port.

Using the latest version of your execution client software, issue the following command to configure your execution node's JWT token and Engine API endpoint:

Download and run the latest 64-bit stable release of the Geth installer for your operating system from the Geth downloads page.

Navigate to your execution directory and run the following command to start your execution node:

geth --http --http.api eth,net,engine,admin --authrpc.jwtsecret /path/to/jwt.hex 

See Geth's command-line options for parameter definitions.

Syncing can take a long time - from hours to days. You can proceed to the next step while your execution node syncs.

Configure beacon node

Next, we'll configure your beacon node to consume your JWT token so it can form an authenticated HTTP connection with your execution node.

In this step, you'll run a beacon node using Prysm.

Use the following command to start a beacon node that connects to your local execution node:

./ beacon-chain --execution-endpoint=http://localhost:8551 --jwt-secret=path/to/jwt.hex --suggested-fee-recipient=0x01234567722E6b0000012BFEBf6177F1D2e9758D9

If you're running a validator, specifying a suggested-fee-recipient wallet address will allow you to earn what were previously miner transaction fee tips. See How to configure Fee Recipient for more information about this feature.

Your beacon node will now begin syncing. This usually takes a couple days, but it can take longer depending on your network and hardware specs.

Congratulations - you’re now running a full, Merge-ready Ethereum node. To check the status of your node, visit Check node and validator status.


Congrats! You're now using JWT authentication.