Skip to main content

BLS Credential Generator

BLS Credential Generator is a tool to mitigate the BLS credential generation process for the users that are not willing or able to use the official EF Foundation CLI tooling. The Generator is an essential piece in allowing users to perform validator staking in around 60 seconds. The Generator provides stakehouse-ready credentials with no additional operations left to perform. The BLS Credential Generator is non custodial and does not store BLS credentials or any other information. After the credentials are generated by using well known and tested tools, the Keystore file is returned to the user. The credentials can never be accessed by the Generator. BLS credential software is Stakehouse independent and can be run by any external party to generate credentials on their own.

In summary:

  • No information is stored
  • Stakehouse independent
  • Secure tooling and official standards
  • Non custodial
  • Credential generation

Credential generation can be performed by calling the following endpoint:



password - Password in the request JSON body, is used to encrypt the generated keystore file. The password needs to be at least 8 characters.


depositObject - [
pubkey - BLS public key used,
withdrawal_credentials - encoding scheme specifying withdrawal address (Official Stakehouse Contract),
amount - Amount being deposited (32 ETH in ETH2 units),
signature - BLS signature formed over the SSZ container of the deposit message,
deposit_message_root - Context-dependent Merkle root of the deposit SSZ container,
deposit_data_root - Context-independent deposit data SSZ container root,
fork_version - Fork version of the beacon chain,
eth2_network_name - Name of the network where deposit will take place,
deposit_cli_version - CLI version standard used in creating the credentials,

keystore - Keystore file encrypted by the provided password

Inner workings

The credentials are generated to comply with the Beacon chain specification standards and act as a complete replacement for the Deposit CLI tool.
The credential generation process starts by confirming if the provided password is at least 8 characters long. This is done in order to protect a user’s keys from being stolen in the unlikely event of a malicious party obtaining the keystore files. The password can contain any unicode characters, hence it can even be emojis: πŸš€πŸ›°πŸ›ΈπŸ’°
After the password checks have passed, NPM packages by chainsafe are used to generate a BLS public/private key pair.
Furthermore, the credentials are used to form a context independent deposit message root of the following SSZ container:

class DepositMessage(Container):
pubkey: BLSPubkey
withdrawal_credentials: Bytes32
amount: Gwei

And context dependent roof of the fork data SSZ container:

class ForkData(Container):
current_version: Version
genesis_validators_root: Root

Further, the domain is assigned to the collection, and the signature of the BLS signing key is formed over the root of the signing data container:

class SigningData(Container):
object_root: Root
domain: Domain

Finally, the BLS credentials, deposit message root, signature and the deposit data root are collected together to produce the deposit_data object along with the keystore. Instructions to generate equivalent credentials by using the deposit CLI can be found here.