Web3Signer command line

This reference describes the syntax of the Web3Signer Command Line Interface (CLI) options.

Specify options

Web3Signer options can be specified:

• On the command line.
• As an environment variable. For each command line option, the equivalent environment variable is:
  • Upper-case.
  • _ replaces -.
  • Has a WEB3SIGNER_ prefix.
• In a YAML configuration file.

If you specify an option in more than one place, the order of priority is command line, environment variable, configuration file.

Options

config-file

Path to the YAML configuration file. The default is none.

Syntax

--config-file=<FILE>

Example

--config-file=/home/me/me_node/config.yaml

Environment variable

WEB3SIGNER_CONFIG_FILE=/home/me/me_node/config.yaml

data-path

Syntax

--data-path=<PATH>

Example

--data-path=/Users/me/my_node/data

Environment variable

WEB3SIGNER_DATA_PATH=/Users/me/my_node/data

Configuration file

data-path: "/Users/me/my_node/data"

Directory in which to store temporary files.

key-store-path

Syntax

--key-store-path=<PATH>

Example

--key-store-path=/Users/me/keys

Environment variable

WEB3SIGNER_KEY_STORE_PATH=/Users/me/keys

Configuration file

key-store-path: "/Users/me/keys"

Path to the directory containing the YAML files required to access keys.

logging

Syntax

-l, --logging=<LEVEL>

Example

--logging=DEBUG

Environment variable

WEB3SIGNER_LOGGING=DEBUG

Configuration file

logging: "DEBUG"

Sets logging verbosity. Log levels are OFF, FATAL, WARN, INFO, DEBUG, TRACE, ALL. The default is INFO.

http-cors-origins

A list of domain URLs for CORS validation. You must enclose the URLs in double quotes and separate them with commas.

Listed domains can access the node using REST API. If your client interacts with Web3Signer using a browser app, you must allow the client domains.

The default value is none. If you do not allow any domains, browser apps cannot interact with your Web3Signer node.

Tip

For testing and development purposes, use "all" or "*" to accept requests from any domain. We don’t recommend accepting requests from any domain for production environments.

Syntax

--http-cors-origins=<httpListenHost>

Example

--http-cors-origins=""http://medomain.com"

Environment variable

WEB3SIGNER_HTTP_CORS_ORIGINS=""http://medomain.com"

Configuration file

http-cors-origins=["https://meotherdomain.com"]

http-listen-host

Syntax

--http-listen-host=<httpListenHost>

Example

--http-listen-host=8.8.8.8

Environment variable

WEB3SIGNER_HTTP_LISTEN_HOST=8.8.8.8

Configuration file

http-listen-host: "8.8.8.8"

Host on which HTTP listens. The default is localhost.

http-listen-port

Syntax

--http-listen-port=<httpListenPort>

Example

--http-listen-port=6174

Environment variable

WEB3SIGNER_HTTP_LISTEN_PORT=6174

Configuration file

http-listen-port: 6174

Port on which HTTP listens. The default is 9000.

http-host-allowlist

Syntax

--http-host-allowlist=<hostname>[,<hostname>...]... or "*"

Example

--http-host-allowlist=medomain.com,meotherdomain.com

Environment variable

WEB3SIGNER_HTTP_HOST_ALLOWLIST=medomain.com,meotherdomain.com

Configuration file

http-host-allowlist: ["medomain.com", "meotherdomain.com"]

A comma-separated list of hostnames to allow access to the REST APIs. By default, Web3Signer accepts access from localhost and 127.0.0.1.

Tip

To allow all hostnames, use "*". We don’t recommend allowing all hostnames for production environments.

idle-connection-timeout-seconds

Syntax

--idle-connection-timeout-seconds=<TIMEOUT>

Example

--idle-connection-timeout-seconds=60

Environment variable

WEB3SIGNER_IDLE_CONNECTION_TIMEOUT_SECONDS=60

Configuration file

idle-connection-timeout-seconds: 60

Number of seconds to wait before terminating an idle connection. The default is 30.

metrics-enabled

Syntax

--metrics-enabled[=<BOOLEAN>]

Example

--metrics-enabled=true

Environment variable

WEB3SIGNER_METRICS_ENABLED=true

Configuration file

metrics-enabled: true

Enables the metrics exporter. The default is false.

metrics-host

Syntax

--metrics-host=<HOST>

Example

--metrics-host=186.10.10.1

Environment variable

WEB3SIGNER_METRICS_HOST=186.10.10.1

Configuration file

metrics-host: "186.10.10.1"

The host on which Prometheus accesses metrics. The default is 127.0.0.1.

metrics-port

Syntax

--metrics-port=<PORT>

Example

--metrics-port=6174

Environment variable

WEB3SIGNER_METRICS_PORT=6174

Configuration file

metrics-port: 6174

The port (TCP) on which Prometheus accesses metrics. The default is 9001.

metrics-category

Syntax

--metrics-category=<metrics-category>[,metrics-category...]...

Example

--metrics-category=HTTP,SIGNING,JVM

Environment variable

WEB3SIGNER_METRICS_CATEGORY=HTTP,SIGNING,JVM

Configuration file

metrics-category: ["HTTP", "SIGNING", "JVM"]

A comma-separated list of categories for which to track metrics. The defaults are HTTP, SIGNING, FILECOIN, ETH2_SLASHING_PROTECTION, JVM, PROCESS.

metrics-host-allowlist

Syntax

--metrics-host-allowlist=<hostname>[,<hostname>...]... or "*"

Example

--metrics-host-allowlist=medomain.com,meotherdomain.com

Environment variable

WEB3SIGNER_METRICS_HOST_ALLOWLIST=medomain.com,meotherdomain.com

Configuration file

metrics-host-allowlist: ["medomain.com", "meotherdomain.com"]

A comma-separated list of hostnames to allow access to the Web3Signer metrics. By default, Web3Signer accepts access from localhost and 127.0.0.1.

Tip

To allow all hostnames, use "*". We don’t recommend allowing all hostnames for production environments.

swagger-ui-enabled

Syntax

--swagger-ui-enabled[=<BOOLEAN>]

Example

--swagger-ui-enabled

Environment variable

WEB3SIGNER_SWAGGER-UI_ENABLED=true

Configuration file

swagger-ui-enabled: true

Set to true to interact with APIs using Swagger UI. The default is false.

Access Swagger UI at http:<interface>:<port>/swagger-ui where:

• interface is specified using --http-listen-host
• port is specified using http-listen-port

The default location is http://localhost:9000/swagger-ui.

tls-keystore-file

Syntax

--tls-keystore-file=<keystoreFile>

Example

--tls-keystore-file=/Users/me/my_node/certificate.pfx

Environment variable

WEB3SIGNER_TLS_KEYSTORE_FILE=/Users/me/my_node/certificate.pfx

Configuration file

tls-keystore-file: "/Users/me/my_node/certificate.pfx"

PKCS #12 formatted keystore. Used to enable TLS for client connections.

tls-keystore-password-file

Syntax

--tls-keystore-password-file=<passwordFile>

Example

--tls-keystore-password-file=/Users/me/my_node/password.txt

Environment variable

WEB3SIGNER_TLS_KEYSTORE_PASSWORD_FILE=/Users/me/my_node/password.txt

Configuration file

tls-keystore-password-file: "/Users/me/my_node/password.txt"

Password file used to decrypt the keystore.

tls-allow-any-client

Syntax

--tls-allow-any-client=<BOOLEAN>

Example

--tls-allow-any-client=true

Environment variable

WEB3SIGNER_TLS_ALLOW_ANY_CLIENT=true

Configuration file

tls-allow-any-client: true

Allows any client to connect. The default is false.

Important

You can’t use this option with --tls-allow-ca-clients and --tls-known-clients-file.

tls-known-clients-file

Syntax

--tls-known-clients-file=<clientsFile>

Example

--tls-known-clients-file=/Users/me/my_node/knownClients.txt

Environment variable

WEB3SIGNER_TLS_KNOWN_CLIENTS_FILE=/Users/me/my_node/knownClients.txt

Configuration file

tls-known-clients-file: "/Users/me/my_node/knownClients.txt"

File containing the Common Names and SHA-256 fingerprints of authorized clients.

tls-allow-ca-clients

Syntax

--tls-allow-ca-clients

Environment Variable

WEB3SIGNER_TLS_ALLOW_CA_CLIENTS

Configuration file

tls-allow-ca-clients

Allows clients signed with trusted CA certificates to connect.

help

Syntax

-h, --help

Displays the help and exits.

version

Syntax

-V, --version

Displays the version and exits.