Generate NATS seed and Keypair using Python nkeys

This blog post about generate a seed, private key and public key using Python nkeys.py

I couldn’t find any direct example to create seed for user, account or cluster as like Golang or Java.

🐎Golang Example

From their source code to create new user seed

// Create a new User KeyPair
user, _ := nkeys.CreateUser()

// Access the seed, the only thing that needs to be stored and kept safe.
seed, _ := user.Seed()

// Access the public key which can be shared.
publicKey, _ := user.PublicKey()

☕Java Example

From their javadoc to create new user seed

The pseudo code for create user is look like

import io.nats.client.NKey;

NKey nkey = NKey.createUser(null);
System.out.println(nkey.getPublicKey());
System.out.println(nkey.getSeed());

The source code is in here

🐍Python Example

The source code is in here . But there is no reference to create user, account or cluster.

Their documentation talks about from a seed file how we can decode user. Doesn’t talks about create new one in anywhere.

So I have create an example for creating seed for different purposes.

First of all you have to install nkeys

pip install nkeys

Create User

Create seed for User

import nkeys
from nacl.signing import SigningKey

signing_key = SigningKey.generate().encode()

# Nats encoded seed for user
src = nkeys.encode_seed(signing_key, prefix=nkeys.PREFIX_BYTE_USER)

# Seed
seed = nkeys.from_seed(src).seed

# Private Key
private_key = nkeys.from_seed(src).private_key

# Public Key
public_key = nkeys.from_seed(src).public_key

Create Account

Create seed for Account

import nkeys
from nacl.signing import SigningKey

signing_key = SigningKey.generate().encode()

# Nats encoded seed for account
src = nkeys.encode_seed(signing_key, prefix=nkeys.PREFIX_BYTE_ACCOUNT)

# Seed
seed = nkeys.from_seed(src).seed

# Private Key
private_key = nkeys.from_seed(src).private_key

# Public Key
public_key = nkeys.from_seed(src).public_key

Create Cluster

Same way just change the prefix for others

Create seed for Cluster

# Nats encoded seed for cluster
src = nkeys.encode_seed(signing_key, prefix=nkeys.PREFIX_BYTE_CLUSTER)

Create Server

Create seed for Server

# Nats encoded seed for server
src = nkeys.encode_seed(signing_key, prefix=nkeys.PREFIX_BYTE_SERVER)

Create Operator

Create seed for Operator

# Nats encoded seed for server
src = nkeys.encode_seed(signing_key, prefix=nkeys.PREFIX_BYTE_OPERATOR)

You can find all the prefix in their source code.

💡How I found

I am always a believer of the show me the code principle. Also we learn more by seeing others code.

In this code they do padding with given binary array. Also they check the first byte against the predefined byte. Its all start from there.

📖 Learnings in the process

• As you know the keys used by NATS are ED25519. There is an python lib for that
• Python Nkeys earlier used that only and they switch over to PyNacl. Since the above lib is not working with latest Python.
• Lot of the things get from their PyNacl doc
• Got to know about nats-box docker and nsc command line binary tool available to create creds file and other stuff.
• The output of seed, private and public key starts with specific prefixes