Autheo Chain uses eth_secp256k1 — the same elliptic curve as Ethereum. A single private key controls both your Cosmos address (autheo1...) and your Ethereum address (0x...), enabling native compatibility with hardware wallets and MetaMask.

Two key types

| Key | Purpose | Location |
|---|---|---|
| Operator key | Signs staking, governance, and all on-chain transactions | Keyring (file, OS, or hardware wallet) |
| Consensus key | Signs block proposals for CometBFT consensus | config/priv_validator_key.json |

A compromised operator key allows an attacker to drain your delegated funds. A compromised consensus key can cause permanent tombstoning from double-signing.

Keyring backends

| Backend | Security | Use case |
|---|---|---|
| file | Medium | Headless production servers (AES-encrypted, passphrase-protected) |
| os | High | Production with OS keystore integration |
| pass | High | Advanced Linux setups using GPG |
| test | None | Development only — never in production |

Creating a key

autheod keys add mykey \
  --keyring-backend file \
  --home /path/to/node-home
Save the 24-word mnemonic phrase immediately. It is displayed only once. There is no way to recover it afterward. Store it offline in encrypted storage.

Restoring a key from mnemonic

autheod keys add <key-name> \
  --recover \
  --keyring-backend file \
  --home /path/to/node-home

Viewing address formats

Each key has three equivalent address representations:
# Cosmos address (autheo1...)
autheod keys show mykey --keyring-backend file

# Validator operator address (autheovaloper1...)
autheod keys show mykey --bech val --keyring-backend file

# Ethereum hex address (0x...)
autheod keys show mykey --bech eth --keyring-backend file
The autheovaloper1... address is derived from the same 20 bytes as autheo1... — only the Bech32 prefix differs.
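
The relationship between the three address forms, as an added example that is not part of the original page or of Autheo's code: a minimal Bech32 (BIP-173) codec that re-encodes the same 20 bytes under each prefix. The prefixes `autheo` and `autheovaloper` come from the page; the sample address is built from a constructed payload.

```python
# Added example (not Autheo code): Bech32 (BIP-173) re-encoding of one account.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)

def _polymod(values):
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GEN):
            if (top >> i) & 1:
                chk ^= g
    return chk

def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def _regroup(data, frm, to, pad):
    """Regroup bits: 8 -> 5 when encoding, 5 -> 8 when decoding."""
    acc, bits, out, mask = 0, 0, [], (1 << to) - 1
    for v in data:
        acc, bits = (acc << frm) | v, bits + frm
        while bits >= to:
            bits -= to
            out.append((acc >> bits) & mask)
    if pad and bits:
        out.append((acc << (to - bits)) & mask)
    elif not pad and (bits >= frm or (acc << (to - bits)) & mask):
        raise ValueError("invalid padding")
    return out

def encode(hrp, payload):
    data = _regroup(payload, 8, 5, True)
    pm = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    return hrp + "1" + "".join(CHARSET[d] for d in data + [(pm >> 5 * (5 - i)) & 31 for i in range(6)])

def decode(addr):
    hrp, sep, rest = addr.rpartition("1")
    if not sep or addr != addr.lower() or len(rest) < 6 or any(c not in CHARSET for c in rest):
        raise ValueError("not a lowercase Bech32 string")
    data = [CHARSET.index(c) for c in rest]
    if _polymod(_hrp_expand(hrp) + data) != 1:
        raise ValueError("bad checksum")  # a mistyped or altered address fails here
    return hrp, bytes(_regroup(data[:-6], 5, 8, False))

def all_forms(addr):
    """Return the three representations of the 20 bytes inside a Bech32 address."""
    _, raw = decode(addr)
    if len(raw) != 20:
        raise ValueError("not a 20-byte account address")
    # The 0x form is plain lowercase hex; the EIP-55 mixed-case checksum is not applied.
    return {"account": encode("autheo", raw), "valoper": encode("autheovaloper", raw), "eth": "0x" + raw.hex()}

SAMPLE = encode("autheo", bytes(range(1, 21)))  # constructed 20-byte payload, not a real account
```

Because all three strings decode to the same bytes, funds or delegations sent to any of them are controlled by the same operator key.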

Consensus key

Generated automatically during autheod init, stored in config/priv_validator_key.json.
# Get public key for MsgCreateValidator
autheod tendermint show-validator --home /path/to/node-home
Back up this file immediately to encrypted offline storage. If the same key is active on another running node, the resulting double-signing causes permanent tombstoning.

Remote signing (production recommendation)

Keep the consensus key off the validator host entirely using tmkms or an HSM:
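# config/config.toml
# priv_validator_laddr is a top-level key in CometBFT's config.toml:
# set it above the first [section] header, not inside [consensus].
priv_validator_laddr = "tcp://127.0.0.1:26658"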

Hardware wallet support

Autheo Chain’s eth_secp256k1 key algorithm is compatible with Ledger and Trezor. Use the --ledger flag with key commands when a hardware wallet is connected.

Key security checklist

  • Mnemonic backed up to offline encrypted storage
  • priv_validator_key.json backed up separately from the mnemonic
  • --keyring-backend test never used in production
  • Consensus key protected by remote signer or HSM
  • Keyring password stored separately from the encrypted keystore file
  • No key files committed to version control