Kaleido Resource Model

The Kaleido platform exposes several key resources that function in tandem to create bespoke blockchain networks. The orchestration is a logical hierarchy, where provisioned resources maintain a one-to-one relationship with their parent resource and inherit any configurations or specifications defined by the parent. This document summarizes these resources and maps their relationship within the scope of a bootstrapped network. The diagram below shows the Kaleido object model against each of the two available membership approaches - single-org and multi-org.

NOTE: Single-org and multi-org are not consortia parameters. Rather, they are arbitrary terms used in this document to delineate the ownership orchestration of the consortium’s memberships.



An organization is the top level resource that can access the Kaleido platform and is a prerequisite for any administrative operations (e.g. environment creation, node generation, etc). Dependent on the consortium membership approach, resources in a blockchain network exist within the purview of either a single organization or multiple organizations.

Via the Kaleido console, organizations are able to generate “admin credentials” (aka an APIKEY) which can be subsequently leveraged to perform administrative resource management ops through the Kaleido API. The administrator of an organization can extend invitations to additional users, whereby they are granted the same level of administrative authority. Note though that these invitations should be provisioned carefully, as any onboarded users will possess the same root privileges as the organizational admin.


At its core, a consortium is simply a grouping of member organizations that will participate to some degree in the blockchain network. The key configuration of a consortium is the ownership of its underlying memberships.

Single-org means that a single Kaleido Organization will manage ALL network resources on behalf of the consortium’s memberships, granting access to the blockchain through the dispersement of node endpoints and authorization credentials. In other words, this organization will serve as a proxy to the network. The memberships will have a direct relationship to core resources (nodes and auth credentials), however the true control of these resources lays with the Kaleido organization managing the consortium. Single-org ownership means that no invitations have been extended and all existing memberships are bound to the founding Kaleido Organization.

Multi-org ownership entails collective control of the consortium, where the memberships and provisioned resources are managed separately by the individual Kaleido Organizations in the consortium. An organization cannot take resource management actions against another organization in the consortium. In a multi-org orchestration resources are independently managed. Fellow organizations must be invited to the consortium by the founding Kaleido Organization.

An organization can be privy to up to 2 consortia per the resource limitations of the default plan.

Organization -> Consortia


A consortium is comprised of a grouping of member organizations (i.e. memberships), with each membership defined as a unique entity within the context of the consortium. Memberships are used as the distinct identifier when creating nodes and authentication credentials (the member resource ID is in the body of the API call). A consortium must contain at minimum one member, and at maximum up to 4 members per the resource limitations of the default plan.

A helpful phrase for understanding membership - An organization is represented in a consortium through a single membership or a collection of memberships.

Organization -> Consortia (memberships)


An environment is an isolated domain within a consortium that is used to host nodes and provision application credentials. Environments inherit the consortium’s membership list, meaning that any organizations defined within the consortium configuration are whitelisted to the environment. As such, nodes and application credentials can be provisioned against any of the consortium’s memberships. Environments have three pieces of configuration:

  • client protocol - Geth or Quorum
  • consensus algorithm - Raft, IBFT or PoA
  • region - US, EU or AP

Each consortium can host up to 3 total environments per the resource limitations of the default plan.

Organization -> Consortia -> Environments


Nodes are the network entities that maintain the blockchain ledger and accept connections from external applications. The node runtime inherits the protocol and consensus configurations specified in the environment. Every node is created against a specific consortium membership and every node is isolated to the environment within which it is created. Nodes have:

  • a name
  • a unique Kaleido node ID
  • a unique Ethereum node ID
  • RPC and web socket endpoints for external connection
  • a private address (if Quorum is chosen as the protocol)
  • an Ethereum account for sending transactions

Environments can host up to 4 nodes per the resource limitations of the default plan.

Organization -> Consortia -> Environments -> Nodes

Application credentials

Application credentials, specified as username:password, are used as a security mechanism to protect external access to a node’s endpoint. App creds are created against a member of the consortium and are isolated to the environment within which they are created. The Kaleido platform does not store the authentication password, ensuring that the secret is confined solely to the member organization that generated the credentials. Environments can host up to 10 sets of active credentials per the resource limitations of the default plan, with member nodes accepting connections from any credentials correlating to their membership. Application credentials are bundled with a node endpoint and passed to an Ethereum accessible API (e.g. web3.providers.HttpProvider).

Organization -> Consortia -> Environments -> app creds

Kaleido resource limitations

The following table serves to outline the current resource allocations across a Kaleido organization. The limitations are hierarchical and use a parent resource ID as the contextual parameter.

Resource ID Parent Limitation
Consortia Organization 2
Users Organization 100
Memberships Consortium 4
Environments Consortium 3
Nodes Environment 4
Authorization Credentials Environment 10
Requests per second Node 5
Connections Node 5