Config Reference

Complete config.toml schema with all fields, types, and defaults

merod init defaults

Running merod init generates a config.toml with these CLI-controllable defaults:

    # Generate default config
    merod --home ~/.calimero --node-name my-node init

    # All flags and their defaults:
    --home ~/.calimero                   # base directory for data + config
    --node-name (required)               # human-readable node name
    --swarm-port 2428                    # libp2p swarm listen port
    --server-port 2528                   # HTTP API listen port
    --server-host 127.0.0.1              # HTTP API listen host
    --mdns true                          # enable mDNS discovery
    --protocol /calimero/devnet/global   # rendezvous namespace
    --boot-nodes []                      # bootstrap multiaddrs

Top-Level Structure

    # config.toml — Top-level sections
    [identity]          # Ed25519 keypair + optional group identity
    [swarm]             # libp2p listen addresses
    [bootstrap]         # bootstrap node list
    [discovery]         # mDNS, rendezvous, relay, autonat
    [server]            # HTTP server config (listen, admin, jsonrpc, ws, sse, auth)
    [sync]              # sync timeouts and intervals
    [datastore]         # RocksDB data path
    [blobstore]         # blob storage path
    [context]           # context client config
    [tee]               # optional TEE/KMS config
    [specialized_node]  # specialized node settings

[identity] — Node Identity

Ed25519 keypair for the node. Generated automatically on merod init.

Rust type: IdentityConfig

| Field | Type | Default | Description |
|---|---|---|---|
| mode | String | "Standard" | Node operation mode. Standard for full participation, ReadOnly for read-only sync. |
| secret_key | String (hex) | (generated) | Ed25519 secret key in hex. Auto-generated on init, never commit to source control. |
| group_identity | Option<GroupIdentity> | None | Optional group-scoped identity for specialized nodes. |

    [identity]
    mode = "Standard"
    secret_key = "a1b2c3...hex..."

[swarm] — libp2p Swarm

Multiaddrs the libp2p swarm listens on for peer connections.

Rust type: SwarmConfig

| Field | Type | Default | Description |
|---|---|---|---|
| listen | Vec<Multiaddr> | (see below) | Array of multiaddrs to listen on. Supports TCP and QUIC transports. |

    [swarm]
    listen = [
      "/ip4/0.0.0.0/tcp/2428",
      "/ip4/0.0.0.0/udp/2428/quic-v1"
    ]

[bootstrap] — Bootstrap Nodes

List of bootstrap peers to connect to on startup for peer discovery.

Rust type: BootstrapConfig

| Field | Type | Default | Description |
|---|---|---|---|
| nodes | Vec<Multiaddr> | [] | Multiaddrs of bootstrap peers (e.g., /ip4/1.2.3.4/tcp/2428/p2p/12D3...). |

    [bootstrap]
    nodes = [
      "/ip4/35.123.45.67/tcp/2428/p2p/12D3KooW..."
    ]

[discovery] — Peer Discovery

Configures mDNS, rendezvous, relay circuit, autonat, and address advertisement.

Rust type: DiscoveryConfig

| Field | Type | Default | Description |
|---|---|---|---|
| mdns | bool | true | Enable mDNS for local network peer discovery. |
| advertise_address | bool | false | Whether to advertise external addresses to the network. |

[discovery.rendezvous]

| Field | Type | Default | Description |
|---|---|---|---|
| namespace | String | "/calimero/devnet/global" | Rendezvous namespace for peer discovery grouping. |
| registrations_limit | usize | 3 | Max concurrent rendezvous registrations. |

[discovery.relay]

| Field | Type | Default | Description |
|---|---|---|---|
| registrations_limit | usize | 3 | Max concurrent relay circuit registrations. |

[discovery.autonat]

| Field | Type | Default | Description |
|---|---|---|---|
| probe_interval | Duration | 10s | Interval between autonat probes for NAT detection. |
| max_candidates | usize | 5 | Maximum number of autonat probe candidates. |

    [discovery]
    mdns = true
    advertise_address = false

    [discovery.rendezvous]
    namespace = "/calimero/devnet/global"
    registrations_limit = 3

    [discovery.relay]
    registrations_limit = 3

    [discovery.autonat]
    probe_interval = "10s"
    max_candidates = 5

[server] — HTTP Server

HTTP/WebSocket/SSE API server for meroctl and external clients.

Rust type: ServerConfig

| Field | Type | Default | Description |
|---|---|---|---|
| listen | Vec<Multiaddr> | ["/ip4/127.0.0.1/tcp/2528"] | Multiaddrs for the HTTP API server to listen on. |
| auth_mode | String | "Proxy" | Auth mode: Proxy (trust upstream headers) or Embedded (built-in JWT auth). |
| admin | AdminConfig | (enabled) | Admin API endpoint configuration. |
| jsonrpc | JsonRpcConfig | (enabled) | JSON-RPC endpoint configuration for application calls. |
| websocket | WsConfig | (enabled) | WebSocket endpoint for real-time event subscriptions. |
| sse | SseConfig | (enabled) | Server-Sent Events endpoint for event streaming. |

[server.embedded_auth]

Embedded authentication settings (used when auth_mode = "Embedded").

| Field | Type | Default | Description |
|---|---|---|---|
| jwt_secret | Option<String> | (generated) | HMAC secret for signing JWT tokens. Auto-generated if not set. |
| jwt_expiry_secs | u64 | 86400 | JWT token expiry in seconds (default: 24 hours). |
| refresh_expiry_secs | u64 | 604800 | Refresh token expiry in seconds (default: 7 days). |
| storage | String | "rocksdb" | Token storage backend: rocksdb or memory. |
| cors_origins | Vec<String> | ["*"] | Allowed CORS origins for the auth endpoints. |
| secure_cookies | bool | false | Send cookies with the Secure flag (requires HTTPS). |

    [server]
    listen = ["/ip4/127.0.0.1/tcp/2528"]
    auth_mode = "Proxy"

    # Embedded auth (when auth_mode = "Embedded")
    [server.embedded_auth]
    jwt_expiry_secs = 86400
    refresh_expiry_secs = 604800
    storage = "rocksdb"
    cors_origins = ["*"]
    secure_cookies = false

[sync] — Sync Engine

Timeouts and intervals for the state synchronization engine.

Rust type: SyncConfig

| Field | Type | Default | Description |
|---|---|---|---|
| timeout_ms | u64 | 30000 | Maximum time in ms to wait for a sync response before timing out. |
| interval_ms | u64 | 5000 | Base interval in ms between sync rounds for a context. |
| frequency_ms | u64 | 10000 | Minimum ms between consecutive sync attempts for the same context. |

    [sync]
    timeout_ms = 30000
    interval_ms = 5000
    frequency_ms = 10000

[datastore] — RocksDB Storage

Path for the RocksDB persistent storage engine.

Rust type: DataStoreConfig

| Field | Type | Default | Description |
|---|---|---|---|
| path | PathBuf | "data" | Relative or absolute path to the RocksDB data directory. |

    [datastore]
    path = "data"

[blobstore] — Blob Storage

Path for binary blob (WASM applications, large files) storage.

Rust type: BlobStoreConfig

| Field | Type | Default | Description |
|---|---|---|---|
| path | PathBuf | "blobs" | Relative or absolute path to the blob storage directory. |

    [blobstore]
    path = "blobs"

[context] — Context Client

Configuration for the context management subsystem.

Rust type: ContextConfig

| Field | Type | Default | Description |
|---|---|---|---|
| client | ContextClientConfig | (default) | Context client connection and retry settings. |

    [context]
    # Uses defaults — typically no manual configuration needed

[tee] — TEE / KMS

Optional Trusted Execution Environment and Key Management Service configuration. Only relevant for nodes running in secure enclaves.

Rust type: TeeConfig

| Field | Type | Default | Description |
|---|---|---|---|
| enabled | bool | false | Enable TEE attestation and sealed storage. |
| kms_url | Option<String> | None | URL of the Key Management Service for key provisioning. |

    [tee]
    enabled = false
    # kms_url = "https://kms.example.com"

[specialized_node] — Specialized Node

Settings for specialized node roles (e.g., TEE nodes that handle key shares).

| Field | Type | Default | Description |
|---|---|---|---|
| invite_topic | String | "mero_specialized_node_invites" | Gossipsub topic for receiving specialized node invitations. |
| accept_mock_tee | bool | false | Accept mock TEE attestations (for development/testing only). |

    [specialized_node]
    invite_topic = "mero_specialized_node_invites"
    accept_mock_tee = false

Complete Example

A typical production config.toml with commonly customized fields:

    [identity]
    mode = "Standard"

    [swarm]
    listen = [
      "/ip4/0.0.0.0/tcp/2428",
      "/ip4/0.0.0.0/udp/2428/quic-v1"
    ]

    [bootstrap]
    nodes = []

    [discovery]
    mdns = true
    advertise_address = false

    [discovery.rendezvous]
    namespace = "/calimero/devnet/global"
    registrations_limit = 3

    [discovery.relay]
    registrations_limit = 3

    [discovery.autonat]
    probe_interval = "10s"
    max_candidates = 5

    [server]
    listen = ["/ip4/127.0.0.1/tcp/2528"]
    auth_mode = "Proxy"

    [sync]
    timeout_ms = 30000
    interval_ms = 5000
    frequency_ms = 10000

    [datastore]
    path = "data"

    [blobstore]
    path = "blobs"

    [specialized_node]
    invite_topic = "mero_specialized_node_invites"
    accept_mock_tee = false
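An added example, not part of the Calimero documentation or code base: a small Python audit that parses a config.toml and flags the security-sensitive fields documented above (auth_mode, listen, cors_origins, secure_cookies, accept_mock_tee, kms_url). The finding IDs, the loopback and HTTPS heuristics, and the sample config are assumptions constructed for illustration.

```python
try:
    import tomllib  # Python 3.11+
except ImportError:
    import tomli as tomllib  # assumption: tomli is installed on older Pythons

LOOPBACK = ("/ip4/127.", "/ip6/::1/")

# Constructed sample config (not taken from a real node).
SAMPLE = """
[server]
listen = ["/ip4/0.0.0.0/tcp/2528"]
auth_mode = "Embedded"

[server.embedded_auth]
cors_origins = ["*"]
secure_cookies = false

[specialized_node]
accept_mock_tee = true
"""

def audit_config(toml_text):
    """Return hypothetical finding IDs for settings to review before production."""
    cfg = tomllib.loads(toml_text)
    findings = []
    server = cfg.get("server", {})
    listen = server.get("listen", ["/ip4/127.0.0.1/tcp/2528"])  # documented default
    auth_mode = server.get("auth_mode", "Proxy")                # documented default
    # Proxy mode trusts upstream headers, so the API port should only be
    # reachable by the proxy; a non-loopback listener deserves a look.
    if auth_mode == "Proxy" and any(not a.startswith(LOOPBACK) for a in listen):
        findings.append("proxy-auth-on-non-loopback")
    if auth_mode == "Embedded":
        emb = server.get("embedded_auth", {})
        if "*" in emb.get("cors_origins", ["*"]):   # documented default is ["*"]
            findings.append("cors-wildcard")
        if not emb.get("secure_cookies", False):    # documented default is false
            findings.append("insecure-cookies")
    # Mock attestations are documented as development/testing only.
    if cfg.get("specialized_node", {}).get("accept_mock_tee", False):
        findings.append("mock-tee-accepted")
    # Heuristic: key provisioning traffic should not use plain HTTP.
    kms_url = cfg.get("tee", {}).get("kms_url")
    if kms_url and not kms_url.startswith("https://"):
        findings.append("kms-url-not-https")
    return findings

if __name__ == "__main__":
    print(audit_config(SAMPLE))
```

Missing keys fall back to the defaults listed in the tables, so a config that omits [server.embedded_auth] while setting auth_mode = "Embedded" is still flagged for the wildcard CORS origin and non-Secure cookies.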

Governance Migration

Guide for migrating between group governance modes.

Default Configuration

merod init --group-governance local

Local governance is the default (and only) governance mode. Group operations are signed locally and propagated via gossip.

Backup

Back up the node data directory (RocksDB store path in config.toml) regularly. The group_store contains all governance state and can be rebuilt from the persistent op log, but a backup provides faster recovery.