Skip to main content
Version: stable (24.6.0)

Start Web3Signer


This documentation has been updated in line with the name changes recommended by the Ethereum Foundation. The execution layer is formerly "Ethereum 1.0." The consensus layer is formerly "Ethereum 2.0."


Web3Signer supports consensus layer clients, and execution layer clients, so you must specify the signing mode, and the location of the signing key configuration files when starting Web3Signer.

web3signer --key-store-path=/Users/me/keyFiles/ eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" --slashing-protection-db-username=postgres --slashing-protection-db-password=password

In the command line:

  • Use the --key-store-path option to specify the location of the signing key configuration files.
  • Specify the subcommand to indicate which signing mode to use. Valid subcommands are eth2 and eth1. You can only specify one signing mode when starting Web3Signer.

Consensus layer considerations

Consensus layer slashing protection is enabled by default, and you must specify the details the slashing protection database, or disable slashing protection using the --slashing-protection-db-enabled command line option.


Web3Signer also allows you to bulk load signing keys stored in Azure Key Vault.

Start the client, for example Teku by specifying the Web3Signer details.


If Teku connects to a network other than mainnet, then the --network option must be specified, and it must match the network used by the Teku client.

Public testnets

If you are running Web3Signer eth2 mode on a public testnet, then you must specify the network option. It's important that this network matches the one you set up for your validator client. For example, if you have Teku set up to run on Holesky then you must configure Web3Signer with the Holesky network under the eth2 subcommand, as in the following example.

web3signer --key-store-path=/Users/me/keyFiles/ eth2 --network=holesky --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" --slashing-protection-db-username=postgres --slashing-protection-db-password=password

See the --network documentation for more information about this option and the supported networks.

Confirm Web3Signer is running

Use the upcheck endpoint to confirm Web3Signer is connected and running.

curl -X GET http://localhost:9000/upcheck

Web3Signer by default also performs a health check on the slashing protection database.