Skip to main content

EthSigner command line

This reference describes the syntax of the EthSigner Command Line Interface (CLI) options.

Specifying options

EthSigner options can be specified:

If you specify an option in more than one place, the order of priority is command line, environment variable, configuration file.

Environment variables

For each command line option, the equivalent environment variable is:

  • Upper-case
  • _ replaces -
  • Has an ETHSIGNER_ prefix

For example, set --data-path using the ETHSIGNER_DATA_PATH environment variable.

You can include subcommand options as environment variables as well, for example set multikey-signer --directory using the ETHSIGNER_MULTIKEY_SIGNER_DIRECTORY environment variable.

Options

config-file

The path to the TOML configuration file. The default is none.

--config-file=<FILE>

chain-id

Chain ID of the network to receive the signed transactions.

--chain-id=<chainId>

data-path

Directory in which to store temporary files.

--data-path=<PATH>

downstream-http-host

Host to which received requests are forwarded. Default is localhost.

--downstream-http-host=<downstreamHttpHost>

downstream-http-path

Path to which received requests are forwarded. Default is /.

Might be required if connecting to a cloud-based Ethereum client such as Infura.

--downstream-http-path=<downstreamHttpPath>

downstream-http-port

Port to which received requests are forwarded.

--downstream-http-port=<downstreamHttpPort>

downstream-http-request-timeout

Timeout period (in milliseconds) for downstream requests. Default is 5000.

--downstream-http-request-timeout=<downstreamHttpRequestTimeout>

downstream-http-tls-enabled

Enable or disable TLS for server connections. Defaults to false.

--downstream-http-tls-enabled[=<true|false>]

downstream-http-tls-ca-auth-enabled

Allow connections to servers with trusted CAs.

Defaults to true.

--downstream-http-tls-ca-auth-enabled[=<true|false>]

downstream-http-tls-keystore-file

Keystore file (in PKCS #12 format) that contains the private key and certificate presented to the server during authentication.

--downstream-http-tls-keystore-file=<keystoreFile>

downstream-http-tls-keystore-password-file

Password file used to decrypt the keystore.

--downstream-http-tls-keystore-password-file=<passwordFile>

downstream-http-tls-known-servers-file

File containing the hostnames, ports, and SHA256 certificate fingerprints of trusted servers.

--downstream-http-tls-known-servers-file=<serversFile>

http-cors-origins

A list of domain URLs for CORS validation. You must enclose the URLs in double quotes and separate them with commas.

Listed domains can access the node using JSON-RPC. If your client interacts with EthSigner using a browser app (such as Remix or a block explorer), you must allow the client domains.

The default value is none. If you do not allow any domains, browser apps cannot interact with your EthSigner node.

tip

For testing and development purposes, use "all" or "*" to accept requests from any domain. We don't recommend accepting requests from any domain for production environments.

--http-cors-origins=<httpListenHost>

http-listen-host

Host on which JSON-RPC HTTP listens. Default is localhost.

--http-listen-host=<httpListenHost>

http-listen-port

Port on which JSON-RPC HTTP listens. Default is 8545.

--http-listen-port=<httpListenPort>

logging

Logging verbosity levels. Options are: OFF, FATAL, WARN, INFO, DEBUG, TRACE, ALL. Default is INFO.

-l, --logging=<LOG VERBOSITY LEVEL>

metrics-enabled

Enables the metrics exporter. The default is false.

--metrics-enabled[=<true|false>]

metrics-category

Categories for which to track metrics. Options are HTTP, SIGNING, JVM, and PROCESS. All categories are enabled by default.

note

There are currently no metrics available for the HTTP and SIGNING categories.

--metrics-category=<metrics-category>[,metrics-category...]...

metrics-host

The host on which Prometheus accesses EthSigner metrics. The default is 127.0.0.1.

--metrics-host=<HOST>

metrics-host-allowlist

A comma-separated list of hostnames to allow access to the EthSigner metrics. By default, EthSigner accepts access from localhost and 127.0.0.1.

tip

To allow all hostnames, use "*". We don’t recommend allowing all hostnames for production environments.

--metrics-host-allowlist=<hostname>[,<hostname>...]... or "*"

metrics-port

The port (TCP) on which Prometheus accesses EthSigner metrics. The default is 9546.

--metrics-port=<PORT>

tls-allow-any-client

Allows any client to connect.

caution

Cannot be used with --tls-allow-ca-clients and --tls-known-clients-file

--tls-allow-any-client

tls-allow-ca-clients

Allows clients signed with trusted CA certificates to connect.

--tls-allow-ca-clients

tls-keystore-file

PKCS #12 formatted keystore. Used to enable TLS for client connections.

--tls-keystore-file=<keystoreFile>

tls-keystore-password-file

Password file used to decrypt the keystore.

--tls-keystore-password-file=<passwordFile>

tls-known-clients-file

File containing the SHA-256 fingerprints of authorized clients.

--tls-known-clients-file=<clientsFile>

help

Displays the help and exits.

-h, --help

version

Displays the version and exits.

-V, --version