The leo account command provides tools for managing Aleo accounts, including generating keys, importing accounts, signing messages, and verifying signatures.
Syntax
leo account <SUBCOMMAND> [OPTIONS]
Subcommands
new
Generate a new Aleo account with a random private key.
leo account new [OPTIONS]
import
Import an Aleo account from a private key.
leo account import [PRIVATE_KEY] [OPTIONS]
sign
Sign a message using your Aleo private key.
leo account sign [OPTIONS]
verify
Verify a signature from an Aleo address.
leo account verify [OPTIONS]
decrypt
Decrypt a record ciphertext using your private or view key.
leo account decrypt [OPTIONS]
New Options
--seed
Seed the RNG with a numeric value for reproducible key generation.
Only use --seed for testing. Production keys should use secure randomness.
--write
Write the private key to the .env file in the current directory.
--discreet
Print sensitive information (private key) to an alternate screen for privacy.
--network
Network type: mainnet, testnet, or canary.
-e, --endpoint
string
default:"https://api.explorer.provable.com/v1"
Network endpoint URL.
Import Options
PRIVATE_KEY
Private key to import. If not provided, will prompt interactively.
--write
Write the private key to the .env file.
--discreet
Print sensitive information discreetly.
-e, --endpoint
string
default:"https://api.explorer.provable.com/v1"
Network endpoint URL.
Sign Options
--private-key
Private key to use for signing.
--private-key-file
Path to file containing the private key.
--message
Message (Aleo value) to sign.
--raw
Parse the message as bytes instead of Aleo literals.
Verify Options
--address
Address to use for verification.
--message
Message (Aleo value) to verify against.
--raw
Parse the message as bytes instead of Aleo literals.
Decrypt Options
--key
Private key or view key to use for decryption.
--key-file
Path to file containing the private key or view key.
--ciphertext
Record ciphertext to decrypt (starts with record1).
Examples
Generate New Account
Output:
🔑 New Aleo Account Generated
──────────────────────────────────────────────
Private Key: APrivateKey1zkp...
View Key: AViewKey1...
Address: aleo1...
──────────────────────────────────────────────
⚠️ Save your private key securely. It cannot be recovered if lost.
Store your private key securely. Anyone with your private key can access your account.
Generate and Write to .env
Creates or updates .env:
PRIVATE_KEY=APrivateKey1zkp...
Generate with Seed (Testing)
leo account new --seed 12345
Generates the same key each time for testing:
Private Key: APrivateKey1zkp... (deterministic)
Generate Discreetly
leo account new --discreet
Displays sensitive info on an alternate screen that clears after viewing.
Import Account
leo account import APrivateKey1zkp...
Output:
✅ Account Imported Successfully
──────────────────────────────────────────────
Private Key: APrivateKey1zkp...
View Key: AViewKey1...
Address: aleo1...
──────────────────────────────────────────────
Import Interactively
Prompts for private key:
Enter your private key: [hidden]
Import and Write to .env
leo account import APrivateKey1zkp... --write
Sign a Message
Sign Aleo Literal
leo account sign \
--private-key APrivateKey1zkp... \
--message 1u32
Output:
Sign from File
leo account sign \
--private-key-file ~/.leo/private_key \
--message "hello world"
Sign Raw Bytes
leo account sign \
--private-key APrivateKey1zkp... \
--message "Hello, Aleo!" \
--raw
Verify a Signature
leo account verify \
--address aleo1... \
--signature sign1... \
--message 1u32
Output:
Or if invalid:
Verify Raw Message
leo account verify \
--address aleo1... \
--signature sign1... \
--message "Hello, Aleo!" \
--raw
Decrypt Record with Private Key
leo account decrypt \
--key APrivateKey1zkp... \
--ciphertext record1zy9q3y...
Output:
{
owner: aleo1...,
amount: 100u64,
_nonce: 1234567890field
}
Decrypt Record with View Key
leo account decrypt \
--key AViewKey1... \
--ciphertext record1zy9q3y...
View keys can decrypt records but cannot spend them.
Decrypt from File
leo account decrypt \
--key-file ~/.leo/private_key \
--ciphertext record1zy9q3y...
Private Key
Format: APrivateKey1zkp...
A private key allows:
- Signing transactions
- Decrypting records
- Deriving view key and address
- Full account control
View Key
Format: AViewKey1...
A view key allows:
- Decrypting records
- Viewing transaction details
- Cannot spend funds
Derived from private key:
Address
Format: aleo1...
A public address for:
- Receiving funds
- Identifying accounts
- Public visibility
Derived from private key:
Private Key → View Key → Address
Key Derivation
The relationship between keys:
Private Key (secret)
↓ derive
View Key (semi-private)
↓ derive
Address (public)
- Private Key: Full control, keep secret
- View Key: Read-only access, can share selectively
- Address: Public identifier, safe to share
Security Best Practices
1. Generate Securely
# Good: Use system randomness
leo account new
# Bad: Use predictable seed (testing only)
leo account new --seed 12345
2. Store Safely
# Good: Use secure storage (set the umask first so the file is never created world-readable)
(umask 077 && leo account new > account.txt)
chmod 600 account.txt
# Better: Use password manager or hardware wallet
3. Never Share Private Keys
# Good: Share address only
Address: aleo1...
# Bad: Share private key
Private Key: APrivateKey1zkp... ❌
4. Use View Keys for Read-Only Access
# Share view key for auditing (not private key)
View Key: AViewKey1...
5. Backup Securely
# Write to encrypted backup (encrypt the output before it is written to disk)
leo account new | gpg --symmetric --output backup.txt.gpg
6. Test with Small Amounts
# Test new accounts with minimal funds first
leo execute transfer_public test_address 1u64 --broadcast
Message Signing Use Cases
Authentication
Prove account ownership without revealing private key:
# Sign challenge
leo account sign --private-key APrivateKey1zkp... --message "auth-challenge-123"
# Service verifies signature
leo account verify --address aleo1... --signature sign1... --message "auth-challenge-123"
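A fixed challenge string such as the one above can be replayed once it has been signed, so the verifying service should issue a fresh, single-use, expiring challenge for every login. The following is an added example, not part of Leo or of the original page; `CHALLENGE_TTL`, the `PENDING` file and the function names are hypothetical, and it assumes `leo account verify` exits non-zero for an invalid signature.

```shell
#!/bin/sh
# Added example (constructed): single-use, expiring challenges for signature login.
# The flat-file store is not concurrency-safe; a real service needs an atomic store.
CHALLENGE_TTL=120                              # assumed validity window, in seconds
PENDING=${PENDING:-./pending-challenges.txt}   # hypothetical store of issued challenges

# Issue and record "login:<service>:<128-bit nonce>:<expiry>". $1 = service, $2 = now.
issue_challenge() {
  nonce=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
  challenge="login:$1:$nonce:$(( $2 + CHALLENGE_TTL ))"
  printf '%s\n' "$challenge" >> "$PENDING"
  printf '%s\n' "$challenge"
}

# Succeed only for a challenge this service issued, not yet used and not expired.
# The challenge is removed on first presentation, so a replay always fails.
# $1 = challenge returned by the client, $2 = now.
consume_challenge() {
  grep -qxF -- "$1" "$PENDING" 2>/dev/null || return 1
  grep -vxF -- "$1" "$PENDING" > "$PENDING.tmp" || true
  mv "$PENDING.tmp" "$PENDING"
  [ "${1##*:}" -gt "$2" ]
}

# $1 = address, $2 = signature, $3 = challenge, $4 = now.
# Assumption: `leo account verify` exits non-zero when the signature is invalid.
verify_login() {
  consume_challenge "$3" "$4" || return 1
  leo account verify --address "$1" --signature "$2" --message "$3" --raw
}
```

The client must sign the challenge with `--raw` as well, because the challenge is a byte string rather than an Aleo literal.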
Data Integrity
Sign data to prove authenticity:
leo account sign --private-key APrivateKey1zkp... --message '{"action":"transfer","amount":100}' --raw
Timestamping
Create unforgeable timestamps:
leo account sign --private-key APrivateKey1zkp... --message "document-hash:abc123 timestamp:$(date +%s)" --raw
Record Decryption
Records are encrypted on-chain. Decrypt them with your key:
# Get record ciphertext from transaction
leo query transaction at1abc... --network testnet | jq '.execution.transitions[0].outputs[0]'
# Decrypt the record
leo account decrypt \
--key APrivateKey1zkp... \
--ciphertext record1zy9q3y...
Common record types:
- Credits records (from credits.aleo)
- Custom program records
- Fee records
Environment Variables
Store account info in .env:
PRIVATE_KEY=APrivateKey1zkp...
NETWORK=testnet
ENDPOINT=https://api.explorer.provable.com/v1
Leo commands automatically use these values:
leo deploy --broadcast # Uses PRIVATE_KEY from .env
Add .env to .gitignore to prevent committing private keys to version control.
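The storage advice on this page (restrictive permissions, `.env` in `.gitignore`, no key copies left lying around) can be checked mechanically before a project is committed or shared. The following is an added example, not part of Leo or of the original page; the function name `audit_env` and its checks are assumptions built from the guidance above.

```shell
#!/bin/sh
# Added example: audit the directory that holds a Leo .env file.
# Prints one line per finding and returns the number of findings (0 = clean).
audit_env() {
  dir=${1:-.}
  env_file="$dir/.env"
  findings=0
  [ -f "$env_file" ] || { echo "FAIL: no .env in $dir"; return 1; }

  # 1. No group/other access: characters 5-10 of the ls mode string must be dashes.
  mode=$(ls -ld "$env_file" | cut -c5-10)
  if [ "$mode" != "------" ]; then
    echo "FAIL: .env is accessible to group/other (run: chmod 600 .env)"
    findings=$((findings + 1))
  fi

  # 2. .env must be ignored by git so the key is never committed.
  if ! grep -qxE '/?\.env' "$dir/.gitignore" 2>/dev/null; then
    echo "FAIL: .env is not listed in .gitignore"
    findings=$((findings + 1))
  fi

  # 3. PRIVATE_KEY must have the documented prefix and no stray whitespace.
  key=$(sed -n 's/^PRIVATE_KEY=//p' "$env_file" | head -n 1)
  case $key in
    APrivateKey1?*) ;;
    *) echo "FAIL: PRIVATE_KEY does not start with APrivateKey1"
       findings=$((findings + 1)) ;;
  esac
  if printf '%s' "$key" | grep -q '[[:space:]]'; then
    echo "FAIL: PRIVATE_KEY contains whitespace"
    findings=$((findings + 1))
  fi

  # 4. Key material must not be copied into other files (e.g. account.txt).
  strays=$(find "$dir" -type f ! -name .env ! -path '*/.git/*' \
             -exec grep -l 'APrivateKey1' {} + 2>/dev/null) || true
  if [ -n "$strays" ]; then
    echo "FAIL: private key material also found in: $strays"
    findings=$((findings + 1))
  fi
  return "$findings"
}
```

The function never prints the key itself, so its output is safe to keep in CI logs.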
Troubleshooting
Failed to parse private key.
Ensure:
- Private key starts with APrivateKey1
- Full key is provided (not truncated)
- No extra whitespace
Signature Verification Failed
Check:
- Address matches the signing private key
- Message exactly matches signed message
- Signature is complete and correct
Decryption Failed
Failed to decrypt record.
Verify:
- Ciphertext starts with record1
- Key corresponds to the record owner
- Record ciphertext is complete