Skip to content
You are reading Pantheon development version documentation and some displayed features may not be available in the stable release. You can switch to stable version using the version box at screen bottom.

Getting Started with Onchain Permissioning

The following steps describe bootstrapping a local permissioned network using a Pantheon node and a development server to run the Permissioning Management Dapp.


In production, a webserver is required to host the Permissioning Management Dapp.

To start a network with onchain permissioning:

  1. Install pre-requisites
  2. Add the ingress contracts to the genesis file
  3. Set environment variables
  4. Start first node with onchain permissioning and the JSON-RPC HTTP service enabled
  5. Clone the permissioning contracts repository and install dependencies
  6. Build project
  7. Deploy the permissioning contracts
  8. Start the development server for the Permissioning Management Dapp
  9. Add the first node to the nodes whitelist


For the development server to run the dapp:

Add Ingress Contracts to Genesis File


If the network is using only account or nodes permissioning, add only the relevant ingress contract to the genesis file.

Add the Ingress contracts to the genesis file for your network by copying them from genesis.json in the permissioning-smart-contracts repository:

"0x0000000000000000000000000000000000008888": {
      "comment": "Account Ingress smart contract",
      "balance": "0",
      "code": <stripped>,
      "storage": {

"0x0000000000000000000000000000000000009999": {
      "comment": "Node Ingress smart contract",
      "balance": "0",
      "code": <stripped>,
      "storage": {


To support the permissioning contracts, ensure your genesis file includes at least the constantinopleFixBlock milestone.

Set Environment Variables

Create the following environment variables and set to the specified values:

  • PANTHEON_NODE_PERM_ACCOUNT - account to deploy the permissioning contracts and become the first admin account.

  • PANTHEON_NODE_PERM_KEY - private key of the account to deploy the permissioning contracts.

  • ACCOUNT_INGRESS_CONTRACT_ADDRESS - address of the Account Ingress contract in the genesis file.

  • NODE_INGRESS_CONTRACT_ADDRESS - address of the Node Ingress contract in the genesis file.

  • PANTHEON_NODE_PERM_ENDPOINT - required only if your node is not using the default JSON-RPC host and port ( Set to JSON-RPC host and port. When bootstrapping the network, the specified node is used to deploy the contracts and is the first node in the network.


The account specified must be a miner (PoW networks) or validator (PoA networks).

If your network is not a free gas network, the account used to interact with the permissioning contracts must have a balance.

Onchain Permissioning Command Line Options

All nodes participating in a permissioned network must include the command line options to enable account and/or node permissioning:

Start your first node with command line options to enable onchain permissioning and the JSON-RPC HTTP host and port matching environment variable PANTHEON_NODE_PERM_ENDPOINT.

Clone Project and Install Dependencies

  1. Clone the permissioning-smart-contracts repository:

    git clone
  2. Change into the permissioning-smart-contracts directory and run:

    yarn install

Build Project

In the permissioning-smart-contracts directory, build the project:

yarn run build

Deploy Contracts

In the permissioning-smart-contracts directory, deploy the Admin and Rules contracts:

yarn truffle migrate --reset

The Admin and Rules contracts are deployed and the Ingress contract updated with the name and version of the contracts. The migration logs the addresses of the Admin and Rules contracts.


The account that deploys the contracts is automatically an admin account.

Start the Development Server for the Permissioning Management Dapp


In production, a webserver is required to host the Permissioning Management Dapp.

  1. In the permissioning-smart-contracts directory, start the web server serving the Dapp:

    yarn start

    The Dapp is displayed at http://localhost:3000.

  2. Ensure MetaMask is connected to your local node (by default http://localhost:8545).

    A MetaMask notification is displayed requesting permission for Pantheon Permissioning to connect to your account.

  3. Click the Connect button.

    The Dapp is displayed with the account specified by the PANTHEON_NODE_PERM_ACCOUNT environment variable in the Whitelisted Accounts and Admin Accounts tabs.


Only admin accounts can add or remove nodes from the whitelist.

Add First Node to Whitelist

The first node must add itself to the whitelist before adding other nodes.

Questions or feedback? You can discuss issues and obtain free support on Pantheon Gitter channel.
For paid professional support by PegaSys, contact us at [email protected]