Web3Signer command line
This reference describes the syntax of the Web3Signer Command Line Interface (CLI) options.
Specifying Options
Web3Signer options can be specified:
- On the command line
- As an environment variable
- In a YAML configuration file.
If you specify an option in more than one place, the order of priority is command line, environment variable, configuration file.
Web3Signer environment variables
For each command line option, the equivalent environment variable is:
- Upper-case
- _ replaces -
- Has a WEB3SIGNER_ prefix
For example, set --data-path using the WEB3SIGNER_DATA_PATH environment variable.
Options
config-file
The path to the YAML configuration file.
The default is none.
--config-file=<FILE>
--config-file=/home/me/me_node/config.yaml
WEB3SIGNER_CONFIG_FILE=/home/me/me_node/config.yaml
data-path
--data-path=<PATH>
--data-path=/Users/me/my_node/data
data-path: "/Users/me/my_node/data"
WEB3SIGNER_DATA_PATH=/Users/me/my_node/data
Directory in which to store temporary files.
key-store-path
--key-store-path=<PATH>
--key-store-path=/Users/me/keys
key-store-path: "/Users/me/keys"
WEB3SIGNER_KEY_STORE_PATH=/Users/me/keys
Path to the directory containing the YAML files required to access keys.
logging
-l, --logging=<LEVEL>
--logging=DEBUG
logging: "DEBUG"
WEB3SIGNER_LOGGING=DEBUG
Sets logging verbosity. Log levels are OFF, FATAL, WARN, INFO, DEBUG, TRACE, ALL. The default is INFO.
http-listen-host
--http-listen-host=<httpListenHost>
--http-listen-host=8.8.8.8
http-listen-host: "8.8.8.8"
WEB3SIGNER_HTTP_LISTEN_HOST=8.8.8.8
Host on which HTTP listens. Default is localhost.
http-listen-port
--http-listen-port=<httpListenPort>
--http-listen-port=6174
http-listen-port: 6174
WEB3SIGNER_HTTP_LISTEN_PORT=6174
Port on which HTTP listens. The default is 9000.
http-host-allowlist
--http-host-allowlist=<hostname>[,<hostname>...]... or "*"
--http-host-allowlist=medomain.com,meotherdomain.com
http-host-allowlist: ["medomain.com", "meotherdomain.com"]
WEB3SIGNER_HTTP_HOST_ALLOWLIST=medomain.com,meotherdomain.com
A comma-separated list of hostnames to allow access to the REST APIs. By default, Web3Signer accepts access from localhost and 127.0.0.1.
Tip
To allow all hostnames, use "*". We don’t recommend allowing all hostnames for production environments.
idle-connection-timeout-seconds
--idle-connection-timeout-seconds=<TIMEOUT>
--idle-connection-timeout-seconds=60
idle-connection-timeout-seconds: 60
WEB3SIGNER_IDLE_CONNECTION_TIMEOUT_SECONDS=60
Number of seconds to wait before terminating an idle connection. Defaults to 30.
metrics-enabled
--metrics-enabled[=<BOOLEAN>]
--metrics-enabled=true
metrics-enabled: true
WEB3SIGNER_METRICS_ENABLED=true
Enables the metrics exporter. The default is false.
metrics-host
--metrics-host=<HOST>
--metrics-host=186.10.10.1
metrics-host: "186.10.10.1"
WEB3SIGNER_METRICS_HOST=186.10.10.1
The host on which Prometheus accesses metrics. The default is 127.0.0.1.
metrics-port
--metrics-port=<PORT>
--metrics-port=6174
metrics-port: 6174
WEB3SIGNER_METRICS_PORT=6174
The port (TCP) on which Prometheus accesses metrics. The default is 9001.
metrics-category
--metrics-category=<metrics-category>[,metrics-category...]...
--metrics-category=HTTP,SIGNING,JVM
metrics-category: ["HTTP", "SIGNING", "JVM"]
WEB3SIGNER_METRICS_CATEGORY=HTTP,SIGNING,JVM
A comma-separated list of categories for which to track metrics. The defaults are HTTP, SIGNING, FILECOIN, ETH2_SLASHING_PROTECTION, JVM, PROCESS.
metrics-host-allowlist
--metrics-host-allowlist=<hostname>[,<hostname>...]... or "*"
--metrics-host-allowlist=medomain.com,meotherdomain.com
metrics-host-allowlist: ["medomain.com", "meotherdomain.com"]
WEB3SIGNER_METRICS_HOST_ALLOWLIST=medomain.com,meotherdomain.com
A comma-separated list of hostnames to allow access to the Web3Signer metrics. By default, Web3Signer accepts access from localhost and 127.0.0.1.
Tip
To allow all hostnames, use "*". We don’t recommend allowing all hostnames for production environments.
swagger-ui-enabled
--swagger-ui-enabled[=<BOOLEAN>]
--swagger-ui-enabled
swagger-ui-enabled: true
WEB3SIGNER_SWAGGER_UI_ENABLED=true
Set to true to interact with APIs using Swagger UI. The default is false.
Access Swagger UI at http://<interface>:<port>/swagger-ui where:
- interface is specified using --http-listen-host
- port is specified using --http-listen-port
The default location is http://localhost:9000/swagger-ui.
tls-keystore-file
--tls-keystore-file=<keystoreFile>
--tls-keystore-file=/Users/me/my_node/certificate.pfx
tls-keystore-file: "/Users/me/my_node/certificate.pfx"
WEB3SIGNER_TLS_KEYSTORE_FILE=/Users/me/my_node/certificate.pfx
PKCS #12 formatted keystore. Used to enable TLS for client connections.
tls-keystore-password-file
--tls-keystore-password-file=<passwordFile>
--tls-keystore-password-file=/Users/me/my_node/password.txt
tls-keystore-password-file: "/Users/me/my_node/password.txt"
WEB3SIGNER_TLS_KEYSTORE_PASSWORD_FILE=/Users/me/my_node/password.txt
Password file used to decrypt the keystore.
tls-allow-any-client
--tls-allow-any-client=<BOOLEAN>
tls-allow-any-client: true
WEB3SIGNER_TLS_ALLOW_ANY_CLIENT=true
Allows any client to connect. The default is false.
Important
Cannot be used with --tls-allow-ca-clients and --tls-known-clients-file.
tls-known-clients-file
--tls-known-clients-file=<clientsFile>
--tls-known-clients-file=/Users/me/my_node/knownClients.txt
tls-known-clients-file: "/Users/me/my_node/knownClients.txt"
WEB3SIGNER_TLS_KNOWN_CLIENTS_FILE=/Users/me/my_node/knownClients.txt
File containing the Common Names and SHA-256 fingerprints of authorized clients.
tls-allow-ca-clients
--tls-allow-ca-clients
tls-allow-ca-clients
WEB3SIGNER_TLS_ALLOW_CA_CLIENTS
Allows clients signed with trusted CA certificates to connect.
help
-h, --help
Displays the help and exits.
version
-V, --version
Displays the version and exits.
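The priority order and environment variable naming rule from "Specifying Options", combined with the allowlist tip and the tls-allow-any-client restriction, can be checked before deployment. The following is an added example, not Web3Signer's own code: it models the documented rules only, and the function names (env_name, parse_cli, effective, audit) and the sample values are assumptions constructed for illustration.

```python
def env_name(option):
    # Page rule: upper-case, "_" replaces "-", WEB3SIGNER_ prefix.
    return "WEB3SIGNER_" + option.upper().replace("-", "_")

def parse_cli(argv):
    # Accepts --name=value and bare flags such as --tls-allow-ca-clients.
    opts = {}
    for arg in argv:
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            opts[name] = value or "true"
    return opts

def effective(argv, env, config):
    # Returns {option: (value, source)}; config is the already-parsed YAML mapping.
    cli = parse_cli(argv)
    names = set(cli) | set(config) | {
        k[len("WEB3SIGNER_"):].lower().replace("_", "-")
        for k in env if k.startswith("WEB3SIGNER_")}
    resolved = {}
    for name in names:
        for source, values, key in (("command line", cli, name),
                                    ("environment", env, env_name(name)),
                                    ("config file", config, name)):
            if key in values:
                v = values[key]
                v = ",".join(map(str, v)) if isinstance(v, list) else str(v)
                resolved[name] = (v, source)
                break
    return resolved

def audit(resolved):
    findings = []
    for name in ("http-host-allowlist", "metrics-host-allowlist"):
        value, source = resolved.get(name, ("", ""))
        if "*" in [h.strip().strip('"') for h in value.split(",")]:
            findings.append(f"{name} allows all hostnames (set by {source})")
    if resolved.get("tls-allow-any-client", ("",))[0].lower() == "true":
        for other in ("tls-allow-ca-clients", "tls-known-clients-file"):
            if other in resolved:
                findings.append(f"tls-allow-any-client cannot be used with {other}")
    return sorted(findings)

# Constructed sample: a strict config file overridden by a stray environment variable.
SAMPLE_CONFIG = {"http-host-allowlist": ["medomain.com", "meotherdomain.com"],
                 "tls-allow-any-client": True,
                 "tls-known-clients-file": "/Users/me/my_node/knownClients.txt"}
SAMPLE_ENV = {"WEB3SIGNER_HTTP_HOST_ALLOWLIST": "*", "PATH": "/usr/bin"}
SAMPLE_ARGV = ["--http-listen-port=6174"]
FINDINGS = audit(effective(SAMPLE_ARGV, SAMPLE_ENV, SAMPLE_CONFIG))
```

In the sample, the config file restricts http-host-allowlist to two hostnames, but the environment variable takes priority and the effective value is "*", which is what the audit reports.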