Why SPOs Need a Better Key for Day-to-Day Operations
Stake Pool Operators have always been responsible for securing Cardano's network. With the arrival of on-chain governance under CIP-1694, SPOs are now expected to vote on protocol parameter changes, treasury withdrawals and hard fork proposals alongside DReps and the Constitutional Committee.
But until recently, the tooling didn't match the responsibility. To prove pool ownership and authenticate third-party services, SPOs had to sign with their VRF key, a process that created three problems:
- Security exposure. Cold keys and VRF secrets are critical operational keys. Using them for routine authentication means moving them into enviroments where they are vulnerable
- Hardware and light wallet exclusion. VRF signing only works on the CLI. SPOs using hardware wallets or browser-based light wallets had no way to participate.
- Poor web integration. Governance platforms, voting tools and dApps need browser-compatible signing. VRF-based flows down support that.
This created a gap: SPOs were being asked to do more, with tools that made it harder and riskier to do so.
What Is a Calidus Pool Key?
A Calidus Pool Key is a hot key, a standard Ed25519 key pair, that an SPO registers on-chain to act on behalf of their pool. The name comes from the Latin word "calidus" (meaning hot or quick), chosen because the key is designed for frequent, low-risk operations.
Once registered, the Calidus Key can be used for:
- Authentication: proving pool ownership to services, platforms and APIs
- Governance voting: signing votes and governance action rationales
- dApp interaction: browser-based signing via CIP-30 compatible wallets
- Voucher issuance: generating redeemable tokens for delegators
The critical difference: your cold keys, KES keys and VRF key never leave cold storage. The Calidus Key handles daily interactions. If it's compromised, you revoke it and register a new one, without affecting pool operations.
How It Relates to Cardano's Key Hierarchy:
| Key | Purpose | Exposure level |
|---|---|---|
| Cold Key | Pool registration, certificate signing | Offline / air-gapped |
| KES Key | Block signing (rotates periodically) | Block producer node only |
| VRF Key | Slot leader verification | Block producer node only |
| Calidus Key | Authentication, governance, services | Hot / daily use |
Calidus Keys slot into the existing hierarchy without replacing anything. They add a dedicated layer for interaction so that operational keys stay isolated.
How Calidus Key Registration Works
Registration follows the CIP-151 standard (extending CIP-88 Version 2). The process requires one cold-key signature and then the Calidus Key operates independently.
Step 1: Generate a Calidus Key Pair
Use cardano-signer (v1.34.0 or later) to generate a new key pair:
cardano-signer keygen \
--out-skey calidus.skey \
--out-vkey calidus.vkey
This produces a standard Ed25519 key pair. Optionally generate with a mnemonic for backup and recovery.
Step 2: Create the Registration Metadata
Sign the registration with your pool cold key:
cardano-signer sign --cip88 \
--calidus-public-key calidus.vkey \
--secret-key pool-cold.skey \
--out-file calidus-registration.json
You can also use the `--cip151` flag (added in v1.34.0) as an alias. The output can be JSON, CBOR hex, or binary CBOR.
Note: The
--nonceparameter is optional. If omitted, cardano-signer calculates the current mainnet slot height automatically. The nonce matters for key rotation — the highest nonce value is always treated as the active registration.
Step 3: Submit On-Chain
Submit the registration metadata as a Cardano transaction. This is the only step that requires your cold key. After submission, all further operations use the Calidus Key alone.
Step 4: Verify via Blockfrost API
Confirm your Calidus Key is live by querying the Blockfrost API:
curl -H "project_id: YOUR_PROJECT_ID" \
https://cardano-mainnet.blockfrost.io/api/v0/pools/{pool_id}
The response includes your registered Calidus Key data, confirming the on-chain registration without exposing any sensitive key material.
If you don't have a Blockfrost project yet, create a free account to get started.
Key Rotation and Revocation
Calidus Keys are designed to be replaceable:
- Rotation: Submit a new registration with a higher nonce value. The new key automatically supersedes the previous one.
- Revocation without replacement: Submit a registration with an all-zeroes key to explicitly deactivate all previous keys.
- Multi-pool linking: Use the same Calidus Key across multiple pools by generating separate registrations signed with each pool's cold key.
This design means a compromised key is an inconvenience, not a catastrophe. No pool re-registration, no downtime, no cold key exposure.
Hardware Wallet and Browser Support
CIP-88 Version 2 introduced CIP-8 signing support, which means Calidus Keys work with:
- Hardware wallets: Ledger, Trezor, and other CIP-8 compatible devices
- Light wallets: Typhon Wallet (full support since March 2025), with more integrations underway
- dApp bridges: any application supporting CIP-30 can interact with Calidus Keys directly in the browser
This is a significant shift. SPOs can now participate in governance votes and authenticate with services from a browser tab — no CLI session, no air-gapped machine required for routine tasks.
Ecosystem Tooling Support
Calidus Key support has been adopted across the Cardano tooling ecosystem:
| Tool | Version | Capabilities |
|---|---|---|
| cardano-signer | v1.34.0+ | Key generation, registration signing, verification (CLI) |
| CNTools (Guild Operators) | v13.4.0+ | Pool Calidus key management, status display |
| Typhon Wallet | Current | Browser-based Calidus Key operations |
| Blockfrost API | Current | On-chain Calidus Key queries and verification |
| Koios API | Current | REST-based Calidus Key lookups |
| Cardanoscan, Cexplorer, AdaStat | Current | Explorer display of Calidus Key registrations |
How Blockfrost Supports Calidus Keys
The Blockfrost API provides endpoints for retrieving stake pool information, including associated Calidus Keys. This allows services to:
- Verify SPO identity without the operator sharing any sensitive key material
- Query Calidus Key registrations programmatically for governance platforms and dApps
- Monitor key rotations to track when an SPO updates or revokes their Calidus Key
Example API response showing pool data with Calidus Key information:
{
"pool_id": "pool1...",
"hex": "abc123...",
"vrf_key": "vrf_vk1...",
"calidus_key": "calidus_vk1...",
"calidus_nonce": 142857,
"active_epoch": 500,
...
}
This is relevant for any developer building governance tooling, SPO dashboards, or authentication flows on Cardano. If you're building on the Blockfrost API, Calidus Key data is available through the pools endpoints — no additional setup required.
Already using Blockfrost? Calidus Key data is available on your current plan. Not yet? Sign up for free and start querying pool data in minutes.
Want to run your own Blockfrost infrastructure? Learn how through the IceBreakers program, where SPOs help decentralize the Blockfrost API network — a natural complement to Calidus Key adoption.
What This Means for Cardano's Governance
The Voltaire era introduced on-chain governance at scale in 2025: a functioning constitutional committee, DRep delegation, and SPO voting on security-critical protocol parameters. The ecosystem passed a $150M community budget and ratified its constitution.
Calidus Keys are the infrastructure layer that makes SPO participation in this system practical. Without them, SPOs face an uncomfortable choice between security and participation. With them, the two are no longer in conflict.
As governance matures through 2026 — with new budget cycles, protocol upgrades, and the continued rollout of governance tooling — Calidus Keys provide the authentication foundation that SPOs need to participate safely and consistently.
Getting Started
| If you want to... | Go here |
|---|---|
| Generate and register a Calidus Key | cardano-signer on GitHub |
| Use CNTools for key management | Guild Operators CNTools |
| Read the original forum walkthrough | Cardano Forum: Calidus Pool Key for SPOs |
| Read the CIP-151 specification | CIP-0151: On-Chain Registration |
| Read the CIP-88 specification | CIP-88: Token Policy Registration |
| Query Calidus Keys via API | Blockfrost API Docs |
| Start building with Blockfrost | Sign up free |
| Pay for Blockfrost with ADA | Pay-As-You-Go with ADA |
FAQ
What is a Calidus Pool Key?
A Calidus Pool Key is a hot key (Ed25519) that lets Cardano Stake Pool Operators authenticate, sign governance votes, and interact with services without using their cold, KES, or VRF keys.
How do I register one?
Generate a key pair with cardano-signer, sign the registration metadata with your pool cold key, and submit it on-chain. After that one-time step, the Calidus Key handles daily operations independently.
Can I use a hardware wallet?
Yes. CIP-88 Version 2 added CIP-8 signing support, enabling hardware wallets and CIP-30 web wallets to perform Calidus Key operations.
What if my Calidus Key is compromised?
Submit a new registration with a higher nonce value to replace it, or submit an all-zeroes key to revoke without replacement. Pool operations are unaffected.
Can I use one Calidus Key for multiple pools?
Yes. Generate separate registrations for each pool, each signed with that pool's cold key, but using the same Calidus Key.
Does Blockfrost support Calidus Keys?
Yes. The Blockfrost API returns Calidus Key data through the pools endpoints. Sign up to start querying.
