Announcing HIP-540: Enhanced Token Key Management on Hedera | Hedera Hedera Network Services Token Service Mint and configure tokens and accounts. Consensus Service Verifiable timestamps and ordering of events. Smart Contracts Run Solidity smart contracts. HBAR The Hedera network's native cryptocurrency. Insights How It Works Learn about Hedera from end to end. Explorers View live and historical data on Hedera. Dashboards Analyze network activity and metrics. Network Nodes Understand networks and node types. Devs Start Building Get Started Learn core concepts and build the future. Documentation Review the API and build using your favorite language. Developer Resources Integrations Plugins and microservices for Hedera. Fee Estimator Understand and estimate transaction costs. Open Source Hedera is committed to open, transparent code. Learning Center Learn about web3 and blockchain technologies. Grants Grants & accelerators for your project. Bounties Find bugs. Submit a report. Earn rewards. Ecosystem ECOSYSTEM Hedera Ecosystem Applications, developer tools, network explorers, and more. NFT Ecosystem Metrics Analyze on-chain and market NFT ecosystem metrics. CATEGORIES Web3 Applications Connect into the innovative startups decentralizing the web on Hedera. Enterprise Applications Learn about the Fortune 500 companies decentralizing the web on Hedera. Wallets & Custodians Create a Hedera account to manage HBAR, fungible tokens, and NFTs. Network Explorers Hedera mainnet and testnet graphical network explorers. Developer Tooling Third-party APIs, integrations, and plugins to build apps on Hedera. Grants & Accelerators Boost your project with support from the Hedera ecosystem. Partner Program Explore our partners to bring your vision into reality. Hedera Council Over 30 highly diversified organizations govern Hedera. Use Cases Hedera Solutions Asset Tokenization Studio Open source toolkit for tokenizing assets securely. Stablecoin Studio All-in-one toolkit for stablecoin solutions. Hedera Guardian Auditable carbon markets and traceability. Functional Use Cases Data Integrity & AI Reliable, secure, and ethically governed insights. Sustainability Enabling fair carbon markets with trust. Real-World Asset Tokenization Seamless tokenization of real-world assets and digital at scale. Consumer Engagement & Loyalty Mint, distribute, and redeem loyalty rewards. Decentralized Identity Maintain the lifecycle of credentials. Decentralized Logs Scalable, real-time timestamped events. DeFi Dapps built for the next-generation of finance. NFTs Low, fixed fees. Immutable royalties. Payments Scalable, real-time, and affordable crypto-payments. HBAR Overview Learn about Hedera's token, HBAR. Treasury Management Hedera’s report of the HBAR supply. Governance Decentralized Governance Hedera Council See the world's leading organizations that own Hedera. About Meet Hedera's Board of Directors and team. Journey Watch Hedera's journey to build an empowered digital future for all. Transparent Governance Public Policy Hedera's mission is to inform policy and regulation that impact the industry. Meeting Minutes Immutably recorded on Hedera. Roadmap Follow Hedera's roadmap in its journey to build the future. Resources Company What's New Partners Papers Careers Media Blog Technical Press Podcast Community Events Meetups Store Brand Navigation QUICKSTART Announcing HIP-540: Enhanced Token Key Management on Hedera technical Jun 21, 2024 by Michiel Mulders Developer Relations HIP-540 aims to introduce more flexibility and security during token creation with the Hedera Token Service. While the Hedera Consensus Service and Hedera File Service allow for the removal of administrative keys by setting them to an empty KeyList (indicating immutability), the Hedera Token Service currently lacks this functionality. HIP-540 proposes enabling admin keys for tokens created with the Hedera Token Service to sign an update transaction that changes or permanently removes any key from the token. Additionally, HIP-540 allows lower privileged keys, like the Wipe, Freeze, and Pause keys, to update themselves to a usable or unusable key. This functionality lets users remove keys such as supply keys after NFT mints, enhancing security for the treasury and token holders. This added layer of security provides a practical solution for managing token risks in the Hedera ecosystem. Why is This Needed? Many token creators initially set keys like Admin, Wipe, Freeze, and Pause on their tokens to manage potential issues during the minting process. For instance, a Wipe key allows creators to destroy and remint tokens if problems arise. However, once the minting process is complete, these keys pose ongoing risks to token owners and create uncertainty among collectors who are unaware of the security implications. An NFT with a Wipe key, for example, means the key owner can erase a holder’s token balance without their consent. Currently, there is no way to remove such keys from a token. They can only be changed when the TokenUpdateTransaction is signed by the admin key. HIP-540 addresses these issues by allowing token creators to remove or change keys after they have served their initial purpose. This ensures greater security and trust in tokens, allowing creators to eliminate the risks associated with these keys and providing reassurance to new users and collectors in the broader NFT ecosystem. Implemented Solution Hedera's current approach often forces users to choose between an administrative and an admin-less world. Many projects launch with administrative oversight to ensure smooth operations, intending to transition to a more decentralized model over time. Allowing the removal or modification of keys aligns with this approach and provides a solution for correcting initial setup requirements or mistakes. HIP-540 Solution Overview Admin Key Management: An admin key can remove itself or other keys. Benefit: Removing the admin key prevents administrative control over the token, meaning the admin key can’t remove or update keys. The decision power to change or remove themselves is given to the keys on the token instead of the admin key. This supports our vision of transitioning to an admin-less world. Key Modification: All keys can change themselves to another valid or unusable key, except the admin key, which should be removed if no longer needed. Unusable Key: Refers to an Ed25519 0x0000000000000000000000000000000000000000000000000000000000000000 public key, which is practically impossible to derive a matching private key for. Benefit: Ensures that individual keys can change or remove themselves independently of the admin key, providing better token management capabilities. We will have to add an enum field in the update transaction about whether the system should require signatures from the updated keys. The current policy is to require a new key to sign an update transaction unless it is being changed by the Admin Key. This protects users from accidentally updating to a public key unless they definitely have the matching private key. With this enum field, the user will be able to tell the system to omit the new key from the signing requirements. The default value of the field will maintain the current behavior of requiring new keys to sign unless the update already has a higher-privilege key signature. Here’s a simple code example illustrating this boolean when updating a key to an unusable key. const newSupplyKey = "0x0000000000000000000000000000000000000000000000000000000000000000"; let tokenUpdateTx = await new TokenUpdateTransaction() .setTokenId(tokenId) .setSupplyKey(newSupplyKey) // When set to NO_VALIDATION, the TokenUpdateTransaction won't require the new key's signature .setKeyVerificationMode(NO_VALIDATION) .freezeWith(client) .sign(oldSupplyKey) Copy Practical Examples To better understand the implications and benefits of key immutability, let’s consider the following examples: Example 1: Mutable Supply Key without an Admin Key Scenario: The Supply Key has been set to a usable key, and there’s no Admin Key set. Outcome: The Supply Key remains mutable since the Supply Key is not set to an unusable key. Example 2: Mutable Supply Key with an Admin Key Scenario: The Supply Key is set to an unusable key, and there’s an Admin Key set. Outcome: The Supply Key remains mutable, as the Admin Key can still alter the Supply Key. Example 3: Immutable Supply and Admin Keys Scenario: The Supply and Admin Keys are set to an unusable key. Outcome: The Supply Key becomes immutable as nobody can change the Supply Key. Please refer to the flow diagram below to help visualize these different scenarios. The yellow line represents Example 1, the green line represents Example 2, and the blue line represents Example 3. HIP-540 decision flow Conclusion HIP-540 provides a robust solution for enhancing token management on Hedera. Enabling the removal and modification of keys addresses critical security concerns and aligns with the evolving needs of token creators and holders. This proposal ensures that tokens can be securely managed, with the flexibility to adapt to changing requirements while maintaining the integrity of the token ecosystem. To try out this functionality, please update your SDK to the following versions: Hedera Java SDK: v2.34.0 Hedera Go SDK: v2.39.0 Hedera JavaScript SDK: v2.47.0 Share This Back to blog What is gRPC, gRPC-Web, and Proxies? Ed Marquez Pragmatic Blockchain Design Patterns – Integrating Blockchain into Business Processes Michiel Mulders Zero Cost EthereumTransaction on Success: Hedera's New Fee Model for Relay Operators Oliver Thorn Hedera Adopts Chainlink Standard for Cross-Chain Interoperability To Accelerate Ecosystem Adoption Hedera Team Hedera Developer Highlights March 2025 Michiel Mulders Hedera Release Cycle Overview Ed Marquez View All Posts Sign up for the newsletter CONNECT WITH US Transparency Open Source Audits & Standards Sustainability Commitment Carbon Offsets Governance Hedera Council Public Policy Treasury Management Meeting Minutes LLC Agreement Node Requirements Community Events Meetups HBAR Telegram Developer Discord Twitter Community Support FAQ Network Status Developer Discord StackOverflow Brand Brand Guidelines Built on Hedera Logo Hedera Store About Team Partners Journey Roadmap Careers Contact General Inquiry Public Relations © 2018-2025 Hedera Hashgraph, LLC. All trademarks and company names are the property of their respective owners. All rights in the Deutsche Telekom mark are protected by Deutsche Telekom AG. All rights reserved. Hedera uses the third party marks with permission. Terms of Use  |  Privacy Policy