Skip to content
You are reading Web3Signer development version documentation and some displayed features may not be available in the stable release. You can switch to stable version using the version box at screen bottom.

Web3Signer command line

This reference describes the syntax of the Web3Signer Command Line Interface (CLI) options.

Specifying Options

Web3Signer options can be specified:

If you specify an option in more than one place, the order of priority is command line, environment variable, configuration file.

Web3Signer environment variables

For each command line option, the equivalent environment variable is:

  • Upper-case
  • _ replaces -
  • Has an WEB3SIGNER_ prefix

For example, set --data-path using the WEB3SIGNER_DATA_PATH environment variable.

Options

config-file

The path to the YAML configuration file. The default is none.

--config-file=<FILE>

--config-file=/home/me/me_node/config.yaml

WEB3SIGNER_CONFIG_FILE=/home/me/me_node/config.yaml

data-path

--data-path=<PATH>

--data-path=/Users/me/my_node/data

data-path: "/Users/me/my_node/data"

WEB3SIGNER_DATA_PATH=/Users/me/my_node/data

Directory in which to store temporary files.

key-store-path

--key-store-path=<PATH>

--key-store-path=/Users/me/keys

key-store-path: "/Users/me/keys"

WEB3SIGNER_KEY_STORE_PATH=/Users/me/keys

Path to the directory containing the YAML files required to access keys.

logging

-l, --logging=<LEVEL>

--logging=DEBUG

logging: "DEBUG"

WEB3SIGNER_LOGGING=DEBUG

Sets logging verbosity. Log levels are OFF, FATAL, WARN, INFO, DEBUG, TRACE, ALL. The default is INFO.

http-listen-host

--http-listen-host=<httpListenHost>

--http-listen-host=8.8.8.8

http-listen-host: "8.8.8.8"

WEB3SIGNER_HTTP_LISTEN_HOST=8.8.8.8

Host on which HTTP listens. Default is localhost.

http-listen-port

--http-listen-port=<httpListenPort>

--http-listen-port=6174

http-listen-port: 6174

WEB3SIGNER_HTTP_LISTEN_PORT=6174

Port on which HTTP listens. The default is 9000.

http-host-allowlist

--http-host-allowlist=<hostname>[,<hostname>...]... or "*"

--http-host-allowlist=medomain.com,meotherdomain.com

http-host-allowlist: ["medomain.com", "meotherdomain.com"]

WEB3SIGNER_HTTP_HOST_ALLOWLIST=medomain.com,meotherdomain.com

A comma-separated list of hostnames to allow access to the REST APIs. By default, Web3Signer accepts access from localhost and 127.0.0.1.

Tip

To allow all hostnames, use "*". We don’t recommend allowing all hostnames for production environments.

idle-connection-timeout-seconds

--idle-connection-timeout-seconds=<TIMEOUT>

--idle-connection-timeout-seconds=60

idle-connection-timeout-seconds: 60

WEB3SIGNER_IDLE_CONNECTION_TIMEOUT_SECONDS=60

Number of seconds to wait before terminating an idle connection. Defaults to 30.

metrics-enabled

--metrics-enabled[=<BOOLEAN>]

--metrics-enabled=true

metrics-enabled: true

WEB3SIGNER_METRICS_ENABLED=true

Enables the metrics exporter. The default is false.

metrics-host

--metrics-host=<HOST>

--metrics-host=186.10.10.1

metrics-host: "186.10.10.1"

WEB3SIGNER_METRICS_HOST=186.10.10.1

The host on which Prometheus accesses metrics. The default is 127.0.0.1.

metrics-port

--metrics-port=<PORT>

--metrics-port=6174

metrics-port: 6174

WEB3SIGNER_METRICS_PORT=6174

The port (TCP) on which Prometheus accesses metrics. The default is 9001.

metrics-category

--metrics-category=<metrics-category>[,metrics-category...]...

--metrics-category=HTTP,SIGNING,JVM

metrics-category: ["HTTP", "SIGNING", "JVM"]

WEB3SIGNER_METRICS_CATEGORY=HTTP,SIGNING,JVM

A comma-separated list of categories for which to track metrics. The defaults are HTTP, SIGNING, FILECOIN, ETH2_SLASHING_PROTECTION, JVM, PROCESS.

metrics-host-allowlist

--metrics-host-allowlist=<hostname>[,<hostname>...]... or "*"

--metrics-host-allowlist=medomain.com,meotherdomain.com

metrics-host-allowlist: ["medomain.com", "meotherdomain.com"]

WEB3SIGNER_METRICS_HOST_ALLOWLIST=medomain.com,meotherdomain.com

A comma-separated list of hostnames to allow access to the Web3Signer metrics. By default, Web3Signer accepts access from localhost and 127.0.0.1.

Tip

To allow all hostnames, use "*". We don’t recommend allowing all hostnames for production environments.

tls-keystore-file

--tls-keystore-file=<keystoreFile>

--tls-keystore-file=/Users/me/my_node/certificate.pfx

tls-keystore-file: "/Users/me/my_node/certificate.pfx"

WEB3SIGNER_TLS_KEYSTORE_FILE=/Users/me/my_node/certificate.pfx

PKCS #12 formatted keystore. Used to enable TLS for client connections.

tls-keystore-password-file

--tls-keystore-password-file=<passwordFile>

--tls-keystore-password-file=/Users/me/my_node/password.txt

tls-keystore-password-file: "/Users/me/my_node/password.txt"

WEB3SIGNER_TLS_KEYSTORE_PASSWORD_FILE=/Users/me/my_node/password.txt

Password file used to decrypt the keystore.

tls-allow-any-client

--tls-allow-any-client

tls-allow-any-client

WEB3SIGNER_TLS_ALLOW_ANY_CLIENT

Allows any client to connect.

Important

Cannot be used with --tls-allow-ca-clients and --tls-known-clients-file

tls-known-clients-file

--tls-known-clients-file=<clientsFile>

--tls-known-clients-file=/Users/me/my_node/knownClients.txt

tls-known-clients-file: "/Users/me/my_node/knownClients.txt"

WEB3SIGNER_TLS_KNOWN_CLIENTS_FILE=/Users/me/my_node/knownClients.txt

File containing the Common Names and SHA-256 fingerprints of authorized clients.

tls-allow-ca-clients

--tls-allow-ca-clients

tls-allow-ca-clients

WEB3SIGNER_TLS_ALLOW_CA_CLIENTS

Allows clients signed with trusted CA certificates to connect.

help

-h, --help

Displays the help and exits.

version

-V, --version

Displays the version and exits.

Questions or feedback? You can discuss issues and obtain free support on Web3Signer Discord channel.
For paid professional support by Consensys, contact us at quorum@consensys.net