Skip to main content

Configure JWT authentication

HTTP-JWT only

This guidance is relevant only if your beacon node is connecting to your execution node over HTTP. If you're using IPC, you can ignore this. If you want to learn how to use IPC, see our Quickstart.

First, select a configuration:

The HTTP connection between your beacon node and execution node needs to be authenticated using a JWT token. There are several ways to generate this JWT token:

  • Use a utility like OpenSSL to create the token via command: openssl rand -hex 32 | tr -d "\n" > "jwt.hex".
  • Use an execution client to generate the jwt.hex file.
  • Use Prysm to generate the jwt.hex file:

Optional - This command is necessary only if you've previously configured USE_PRYSM_VERSION

export USE_PRYSM_VERSION=v5.0.0

Required

./prysm.sh beacon-chain generate-auth-secret

Prysm will output a jwt.hex file path.

Move your jwt.hex file in your ethereum directory:

📂ethereum
┣ 📂consensus
┣ 📂execution
┣ 📄jwt.hex
caution

Ensure that the script, user, or terminal window used to create and access your JWT token has the permissions it needs. Windows users may need to run command windows as Administrator.

Configure an execution node

Your execution node needs to expose a new port and then use the JWT token to authenticate your beacon node's connection to that port.

Using the latest version of your execution client software, issue the following command to configure your execution node's JWT token and Engine API endpoint:

Download and run the latest 64-bit stable release of Geth for your operating system from the Geth downloads page.

Move the geth executable into your execution directory.

Navigate to your execution directory and run the following command to start your execution node by replacing <PATH_TO_JWT_FILE> by the path to the JWT file generated during the previous step:

./geth --mainnet --http --http.api eth,net,engine,admin --authrpc.jwtsecret=<PATH_TO_JWT_FILE>

The execution layer client cannot sync without an attached beacon node. We'll see how to setup a beacon node in the next step.

Configure beacon node

Next, we'll configure your beacon node to consume your JWT token so it can form an authenticated HTTP connection with your execution node.

In this step, you'll run a beacon node using Prysm.

There is two main ways to sync a beacon node: from genesis, and from a checkpoint. It is safer and a considerably faster to sync from a checkpoint. When syncing from a checkpoint, the simplest is to connect to a checkpoint sync endpoint. A non exhaustive list of checkpoint sync endpoints is available.

In the following examples, we'll use the checkpoint sync endpoint provided by beaconstate.info. Feel free to use the one you want.

Navigate to your consensus directory and run the following command to start your beacon node that connects to your local execution node by replacing <PATH_TO_JWT_FILE> by the path to the JWT file generated during the previous step:

./prysm.sh beacon-chain --execution-endpoint=http://localhost:8551 --mainnet --jwt-secret=<PATH_TO_JWT_FILE> --checkpoint-sync-url=https://beaconstate.info --genesis-beacon-api-url=https://beaconstate.info

Syncing from a checkpoint usually takes a couple of minutes. See Sync from a checkpoint for more information about this feature.

If you wish to sync from genesis, you need to remove --checkpoint-sync-url and --genesis-beacon-api-url flags from the previous command. Syncing from genesis usually takes a couple days, but it can take longer depending on your network and hardware specs.

If you are planning to run a validator, it is strongly advised to use the --suggested-fee-recipient=<WALLET ADDRESS> option. When your validator proposes a block, it will allow you to earn block priority fees, also sometimes called "tips".

Congratulations - you’re now running a full Ethereum node. To check the status of your node, visit Check node and validator status.

Congratulations

Congrats! You're now using JWT authentication.