Skip to content
You are reading the Teku development version documentation and some features may not be available in the stable release. You can switch to the stable version using the version box at the bottom of the screen.

Updated on May 17, 2022

Manage validator signing keys

You can manage the signing keys of validators using the key manager API endpoints. You can list keys, import keystores, and delete keys with the API.

Enable validator client API

To use the key manager API endpoints, enable the validator client API using the --validator-api-enabled option. You must also create a keystore to enable access.

Create a keystore

When enabling the validator client API, you must create a keystore.

  1. Use a tool such as keytool or openSSL to generate a keystore.

    keytool -keystore <keystore> -storetype PKCS12 -storepass <password>
    keytool -keystore validator_keystore.p12 -storetype PKCS12 -storepass changeit
  2. Create a plain text file (for example validator_keystore_pass.txt) that stores the password you defined in the keystore.

  3. Start Teku using --validator-api-keystore-file to define the keystore file and --validator-api-keystore-password-file to define the password file.


    teku --validator-api-enabled --validator-api-keystore-file=validator_keystore.p12 --validator-api-keystore-password-file=validator_keystore_pass.txt


Authentication verifies user access to requested validator client methods.

Upon startup of the validator client, Teku creates an API token at the path /opt/teku/data/validator/key-manager. When calling an endpoint that requires authorization, you must send the generated token in the Authorization request header field with the Bearer authentication scheme.


curl -H "Authorization: Bearer <TOKEN>" -X GET https://localhost:5052/eth/v1/keystores
Questions or feedback? You can discuss issues and obtain free support on Teku Discord channel.
For paid professional support by Consensys, contact us at [email protected].