
Provider key management

This guide explains how to manage provider keys for signing operations in the Directory chain and Economy chain, excluding FT4 authentication. It covers listing, adding, revoking, and setting thresholds for provider keys.

The key used during provider registration initially serves two purposes:

  1. Signing provider operations in the Directory and Economy chains.
  2. Signing FT4 financial transactions in the Economy chain.

Keys for these purposes can be changed and isolated. This guide focuses on managing keys for provider operations.

Note: Even if replaced or removed, the initial provider key will remain as the provider's unique identifier.

Prerequisites

Ensure you have the latest version of the Postchain Management Console (PMC) installed and configured to access the Chromia network.

Listing provider keys

To list the public keys associated with your provider account, run:

pmc provider keys
pmc provider key list

By default, you will see the initial public key (of type main) with a threshold set to 1.

To list keys for all providers, add the -a flag:

pmc provider key list -a

Adding a key

To add a new key for signing provider operations:

pmc provider key add --pubkey <new-public-key>

Replace <new-public-key> with the public key you want to add.

This operation requires the PMC configuration file to include both the current key (or any of the current keys) and the new key being added. For more details, see the Configure provider key pair documentation or refer to the Example section below.

Info: If no threshold is set, each key can independently sign provider operations.

Revoking a key

To revoke an existing key:

pmc provider key revoke --pubkey <key-to-revoke>

To replace keys, first add a new key and then revoke the old key:

  1. Add the new key:

pmc provider key add --pubkey <new-key>

  2. Revoke the old key:

pmc provider key revoke --pubkey <old-key>

Warning: Revoked keys cannot be re-enabled or added again.

Example

  1. Create a new key using either of these commands; both work equally well:

pmc keygen
chr keygen

  2. Combine the existing key and the new key in a multi-key configuration file:

privkey = init-key,new-key
pubkey = init-pub-key,new-pub-key

  3. Add the new key:

pmc provider key add --pubkey <new-pub-key> -cfg <multi-key-config>

  4. Verify the new key:

pmc provider key list

  5. Revoke the original key:

pmc provider key revoke --pubkey <original-pub-key> -cfg <multi-key-config>

  6. Confirm the changes:

pmc provider key list

Setting a threshold

The threshold determines the number of keys required to sign provider operations. By default, the threshold is 1, allowing any individual key to sign operations. To update the threshold, run:

pmc provider key threshold --value <threshold>

Threshold values:

  • 1: Default. Any single key can sign.
  • 2: Two keys are required to sign.
  • 3: Three keys are required, and so on.

Chromia supports dynamic thresholds:

  • -1 (Simple Majority): Requires keys / 2 + 1 keys to sign, where keys is the number of provider keys.
  • 0 (Super-Majority): Requires keys - (keys - 1) / 3 keys to sign.
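
Because the required number of signers depends on both the threshold setting and the current key count, it is worth computing it before adding or revoking a key. The shell functions below are an added example, not part of PMC or the Chromia documentation: the names required_signers and check_plan are hypothetical, the divisions are assumed to be integer (floor) divisions, and the scenarios are constructed.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for a provider key change.
# Assumption: the divisions in the dynamic threshold formulas are integer
# (floor) divisions; the page does not state the rounding.

# required_signers KEYS THRESHOLD -> prints how many keys must sign.
required_signers() {
  local keys=$1 threshold=$2
  case "$threshold" in
    -1) echo $(( keys / 2 + 1 )) ;;            # simple majority
    0)  echo $(( keys - (keys - 1) / 3 )) ;;   # super-majority
    *)  echo "$threshold" ;;                   # fixed threshold
  esac
}

# check_plan KEYS THRESHOLD ADD REVOKE
# Evaluates the key set that would remain after the planned changes.
# Returns 1 if the threshold could no longer be met, 0 otherwise.
check_plan() {
  local keys=$1 threshold=$2 add=$3 revoke=$4
  local after=$(( keys + add - revoke ))
  local need
  if [ "$after" -lt 1 ]; then
    echo "UNSAFE: no signing key would remain"
    return 1
  fi
  need=$(required_signers "$after" "$threshold")
  if [ "$need" -gt "$after" ]; then
    echo "UNSAFE: threshold $need exceeds $after remaining keys"
    return 1
  fi
  if [ "$need" -eq 1 ] && [ "$after" -gt 1 ]; then
    echo "NOTE: any 1 of $after keys can sign alone"
    return 0
  fi
  echo "OK: $need of $after keys must sign"
}

# Constructed scenarios (not real provider data).
check_plan 2 1 1 1 || true   # replace one of two keys, default threshold
check_plan 3 3 0 1 || true   # revoke one of three keys, fixed threshold 3
check_plan 4 0 1 0 || true   # add a fifth key under super-majority
```

Run the check with the key count reported by pmc provider key list and the threshold you have configured; an UNSAFE result means the threshold should be lowered before the revoke.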