
Validator Keys Tool Guide

This guide explains how to set up a validator so its public key does not have to change if the rippled config and/or server are compromised.

A validator uses a public/private key pair. The validator is identified by the public key. The private key should be tightly controlled. It is used to:

  • sign tokens authorizing a rippled server to run as the validator identified by this public key.
  • sign revocations indicating that the private key has been compromised and the validator public key should no longer be trusted.

Each new token invalidates all previous tokens for the validator public key. The current token needs to be present in the rippled config file.

Servers that trust the validator will adapt automatically when the token changes.

Validator Keys

When first setting up a validator, use the validator-keys tool to generate its key pair:

  $ validator-keys create_keys

Sample output:

  Validator keys stored in /home/ubuntu/.ripple/validator-keys.json

Keep the key file in a secure but recoverable location, such as an encrypted USB flash drive. Do not modify its contents.

Validator Token

After first creating the validator keys or if the previous token has been compromised, use the validator-keys tool to create a new validator token:

  $ validator-keys create_token

Sample output:

  Update rippled.cfg file with these values:

  # validator public key: nHUtNnLVx7odrz5dnfb2xpIgbEeJPbzJWfdicSkGyVw1eE5GpjQr


For a new validator, add the [validator_token] value to the rippled config file. For a pre-existing validator, replace the old [validator_token] value with the newly generated one. A valid config file may only contain one [validator_token] value. After the config is updated, restart rippled.
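The rule above, that a config may contain only one [validator_token] value, can be checked before rippled is restarted. The script below is an added example, not part of the validator-keys tool or of the original guide; its function names are hypothetical, and it assumes that stanza headers sit alone on a line and that `#` starts a comment line.

```shell
#!/bin/sh
# Added example: lint a rippled config against the token rule in this guide.
# The function names below are hypothetical, not part of validator-keys.

# Print how many [validator_token] stanza headers config file $1 contains.
count_token_stanzas() {
    awk '/^[ \t]*\[validator_token\][ \t]*$/ { n++ } END { print n + 0 }' "$1"
}

# Print how many non-blank, non-comment lines sit inside those stanzas.
count_token_lines() {
    awk '
        /^[ \t]*\[/ { in_tok = ($0 ~ /^[ \t]*\[validator_token\][ \t]*$/); next }
        in_tok && $0 !~ /^[ \t]*#/ && $0 !~ /^[ \t]*$/ { n++ }
        END { print n + 0 }' "$1"
}

# Return 0 only when $1 holds exactly one non-empty [validator_token] stanza.
check_validator_cfg() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    stanzas=$(count_token_stanzas "$cfg")
    if [ "$stanzas" -ne 1 ]; then
        echo "$cfg: expected 1 [validator_token] stanza, found $stanzas" >&2
        return 1
    fi
    if [ "$(count_token_lines "$cfg")" -eq 0 ]; then
        echo "$cfg: [validator_token] stanza is empty" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a rotation that appended the new token and kept the old.
sample=$(mktemp)
printf '%s\n' '[validator_token]' 'CONSTRUCTED_OLD_TOKEN' '' \
    '[validator_token]' 'CONSTRUCTED_NEW_TOKEN' > "$sample"
check_validator_cfg "$sample" || echo "fix the config before restarting rippled"
rm -f "$sample"
```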

There is a hard limit of 4,294,967,293 tokens that can be generated for a given validator key pair.

Key Revocation

If a validator private key is compromised, the key must be revoked permanently. To revoke the validator key, use the validator-keys tool to generate a revocation, which indicates to other servers that the key is no longer valid:

  $ validator-keys revoke_keys

Sample output:

  WARNING: This will revoke your validator keys!

  Update rippled.cfg file with these values and restart rippled:

  # validator public key: nHUtNnLVx7odrz5dnfb2xpIgbEeJPbzJWfdicSkGyVw1eE5GpjQr


Add the [validator_key_revocation] value to this validator's config and restart rippled. Rename the old key file and generate new validator keys and a corresponding validator token.


The validator-keys tool can be used to sign arbitrary data with the validator key.

  $ validator-keys sign "your data to sign"

Sample output: