BitGo API Reference (0.1.0)
Download OpenAPI specification:Download
BitGo provides a simple and robust RESTful API and client SDK to integrate digital currency wallets with your application. In Platform V2, we have extended our API and SDK to allow the management of multiple digital currencies and wallets through a single, unified interface.
The BitGo SDK enables the following:
- Creation of multi-signature wallets
- Wallet balance and transaction listing
- Transaction creation and signing
- Transaction monitoring and notifications
- Secure user authentication
- Multi-user workflows for use in enterprise environments
- Policies and spending limits
This is the latest documentation for the BitGo APIs, and is generated from OpenAPI 3.0 schema. OpenAPI technology provides improved validation of client requests, and more consistency between the API documentation and server-side implementation of API endpoints.
Legacy users may also refer to the V1 Bitcoin API, which is still available today. There is no dependency for developers to integrate with V1 or read the legacy documentation in order to take advantage of the newer version of our API.
The primary advantage of multi-signature wallets is the ability for multiple machines and people to work together to approve a given transaction. Without multiple signatures on a transaction, all credentials to approve a transaction must reside with a single person on a machine. If that person or machine is compromised by an attacker, all funds can be taken with no recourse and no ability to audit the individual that invoked the key.
BitGo's multi-signature wallets allow you to keep control of your Bitcoin or other cryptocurrency despite introducing the concept of a co-signer. This allows enterprises to set up and maintain roles, policies, and rules on the wallet, making digital currency usable for businesses.
For more information, please read the BitGo Whitepaper.
All calls to endpoints that require authentication must pass the client access
token via the Authorization HTTP header. The format of this header is
Authorization: Bearer <TOKEN>. Here's an example that uses
HTTPie to call the
Get session API from the command line:
$ http -v get https://app.bitgo-test.com/api/v2/user/me Authorization:"Bearer $TEST_TOKEN"
GET /api/v2/user/me HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Bearer v2x83...
Connection: keep-alive
Host: app.bitgo-test.com
User-Agent: HTTPie/1.0.0
HTTP/1.1 200 OK
...You can create an access token in the "Developer Options" tab of the web UI, under "User Settings." An access token can limit access in several ways:
- Expiration date
- Allowed operations
- Allowed client IP addresses
Security note
Using the Authorization: Bearer <token> authentication method as described above sends your user access token in plain
text (although, still over HTTPS), and for this reason it's only recommended to use this method of authenticating for
testing purposes. For production uses, we strongly recommend using the Auth V2 or Auth V3 authentication schemes which
are described below.
Auth V2
BitGo's SDK and Express App secures tokens using our Auth V2 protocol, which does not send the access token over the wire. For this reason, we recommend that API requests from 3rd party clients should be proxied through BitGo Express.
When using the Authentication: Bearer <token> authentication method described above with a V2 access token (beginning
with the prefix v2x) to make requests to BitGo Express, the Auth V2 scheme will be used by default. BitGo Express uses
the provided token to calculate the correct authentication information, without exposing the token outside the BitGo
Express application process.
Auth V3
Auth V3 is similar to the Auth V2 scheme, with additional protections against replay attacks and protocol downgrades.
Specifically, the following additional verification steps are added to the existing Auth V2 scheme:
Request timestamp validity window
If the request timestamp on an incoming request is more than five minutes behind the server clock when a request is being checked for authenticity, it will be considered invalid and the request will be rejected with a 401 Unauthorized.
Request replay checking
In Auth V2, each incoming request must bear a valid hashed message authentication code (HMAC) which proves knowledge of the user's access token without revealing that access token to the BitGo server or to the transport layer carrying the request. However, if a previous request is replayed, the HMAC value would still be valid and the BitGo server could be instructed to repeat a previous action (for example, return a list of transfers or list wallet balances).
Auth V3 prevents this type of attack by saving all valid HMAC values up to the duration of the request validity window. Requests with HMAC values that were already used for a previous request will be rejected with a 401 Unauthorized and will not be processed.
Protocol Downgrade Protection
To prevent Auth V3 requests from being captured and modified in an attempt to downgrade them to Auth V2 for replay, the
authentication scheme version (in the bitgo-auth-version request header) has been added to the HMAC subject calculated
by the client and verified by the server. Since altering the auth version requires calculating a new HMAC value, which
requires knowledge of the user's access token, the bitgo-auth-version header cannot be altered by a man-in-the-middle
to downgrade the auth version and perform a request replay attack.
Currently, the Auth V3 scheme is not used by default, but can be enabled using a startup flag option in BitGo Express or the BitGo SDK. Please see the BitGo Express README for more details on enabling Auth V3.
The BitGo web APIs provide developers with the capability to create and manage multi-signature wallets, manipulate their policies and interact with multiple digital currencies over a single robust interface. Several sensitive operations, such as the creation of user private keys and signing of transactions, must to be performed client-side.
For this reason, we provide and recommend the use of our Software Development Kit (SDK), which implements these client-side wallet features and interfaces with our APIs.
Currently, our SDK is available in JavaScript and runs in either Node.js or a browser. If your application does not use native JavaScript, you may refer to the BitGo Express REST API guide, which offers the same feature set via a local server daemon.
Installing the JavaScript SDK (via npm)
npm install --save bitgoTo initialize your environment and authenticate, use the following code:
const BitGoJS = require('bitgo');
// Read the user authentication section to get your API access token
const bitgo = new BitGoJS.BitGo({ env: 'test', accessToken: process.env.ACCESS_TOKEN });
const coin = bitgo.coin('tbtc');The BitGo Express REST API is a lightweight service for developers who want to use the BitGo service, but are developing in a language other than JavaScript.
BitGo Express runs as a service in your own data center, and handles the client-side operations involving your own keys, such as partially signing transactions before submitting them to BitGo. This ensures your keys never leave your network, and are never seen by BitGo. BitGo Express can also proxy the standard BitGo REST APIs, providing a unified interface to BitGo through a single REST API.
We recommend using Docker to run BitGo Express, and we also support running from the source code directly.
To try out BitGo Express, run this command:
docker run -it -p 3080:3080 bitgosdk/express:latestYou should see this output from BitGo Express:
BitGo-Express running
Environment: test
Base URI: http://0.0.0.0:3080Now you can send a ping request to BitGo Express using curl to make sure the service is up and running:
$ curl localhost:3080/api/v2/ping
{"status":"service is ok!","environment":"BitGo Testnet","configEnv":"testnet","configVersion":79}- Make all BitGo REST API calls to the machine on which bitgo-express is running. BitGo Express will either handle the request itself or proxy it to the BitGo service.
For more detailed information, please see the BitGo Express README.
BitGo has two separate environments available for development and production. For security reasons, all BitGo API requests are made using TLS over HTTPS.
Test Environment
The BitGo test environment is used by default in our examples and the SDK. It is entirely separate from BitGo's production environment and there is no overlap in either data or accounts. You will need to create accounts at app.bitgo-test.com.
- BitGo Test Site: https://app.bitgo-test.com/
- Test Environment API: https://app.bitgo-test.com/docs
In the test environment, you can use 0000000 in place of the OTP when authenticating.
This environment is connected to the TestNet networks of various digital currencies we support. Tokens on these networks can be obtained from faucets and do not represent real money.
Production Environment
The BitGo production endpoint is live and used by partners and our own web application on app.bitgo.com.
- Production Site: https://app.bitgo.com/
- Production API: https://app.bitgo.com/docs
To use this environment, specify { env: 'prod' } when using the SDK or -e prod when running BitGo Express. SSL certifications should be provided to secure traffic to and from the BitGo Express instances when operating on the Production environment.
BitGo Platform V2 supports a variety of digital currencies, with more being added every quarter.
To select the coin or token:
var bitgo = new BitGoJS.BitGo({ env: 'test', accessToken: process.env.ACCESS_TOKEN });
var coin = bitgo.coin('btc');(replace btc with your desired coin identifier)
| Identifier | Digital Currency | Family | BitGo Environment | Release status |
|---|---|---|---|---|
| algo | Algorand | Account | Production | Enterprise access |
| btc | Bitcoin | UTXO-based | Production | General availability |
| bch | Bitcoin Cash | UTXO-based | Production | General availability |
| btg | Bitcoin Gold | UTXO-based | Production | General availability |
| celo | CELO | Account | Production | Enterprise access |
| cspr | Casper | Account | Production | Enterprise access |
| dash | Dash | UTXO-based | Production | General availability |
| eth | Ethereum | Account | Production | Enterprise access |
| ltc | Litecoin | UTXO-based | Production | General availability |
| rmg | Royal Mint Gold | UTXO-based | Production | Enterprise access |
| trx | TRON | Account | Production | General availability |
| xlm | XLM | Account | Production | General availability |
| xrp | XRP | Account | Production | Enterprise access |
| zec | Zcash | UTXO-based | Production | General availability |
| cusd | Celo USD ERC20 Token | Account | Production | Enterprise access |
| ae | Aeternity ERC20 Token | Account | Production | Enterprise access |
| aergo | Aergo ERC20 Token | Account | Production | Enterprise access |
| 1inch | 1inch Token ERC20 token | Account | Production | Enterprise access |
| 1up | Uptrennd Token ERC20 token | Account | Production | Enterprise access |
| abt | ArcBlock ERC20 token | Account | Production | Enterprise access |
| ace | Ace Token | Account | Production | Enterprise access |
| acxt | Ac Exchange Token | Account | Production | Enterprise access |
| agwd | AGARWOOD ERC20 token | Account | Production | Enterprise access |
| aion | AION ERC20 token | Account | Production | Enterprise access |
| alpha | Alpha Finance | Account | Production | Enterprise access |
| amn | Amon ERC20 token | Account | Production | Enterprise access |
| amo | AMO Token ERC20 token | Account | Production | Enterprise access |
| amp | AMP Token ERC20 token | Account | Production | Enterprise access |
| amon | AmonD ERC20 token | Account | Production | Enterprise access |
| ampx | Amplify Exchange ERC20 token | Account | Production | Enterprise access |
| ana | ANA ERC20 token | Account | Production | Enterprise access |
| ant | Aragon ERC20 token | Account | Production | Enterprise access |
| aoa | Aurora ERC20 Token | Account | Production | Enterprise access |
| appc | AppCoins ERC20 token | Account | Production | Enterprise access |
| aqt | Alpha Quark Token | Account | Production | Enterprise access |
| arct | ArCoin US Treasury ERC20 token | Account | Production | Enterprise access |
| arst | Stellar Argentine Stable Coin | Account | Production | Enterprise access |
| ast | AirSwap ERC20 token | Account | Production | Enterprise access |
| atri | Atari Token ERC20 token | Account | Production | Enterprise access |
| audio | Audio ERC20 token | Account | Production | Enterprise access |
| audx | eToro Australian Dollar ERC20 token | Account | Production | Enterprise access |
| aust | Wrapped Anchor UST token | Account | Production | Enterprise access |
| axpr | aXpire ERC20 token | Account | Production | Enterprise access |
| axs | Axie Infinity Shards ERC20 token | Account | Production | Enterprise access |
| badger | Badger ERC20 token | Account | Production | Enterprise access |
| bal | Balancer ERC20 token | Account | Production | Enterprise access |
| band | Band Protocol ERC20 token | Account | Production | Enterprise access |
| basic | BASIC Token ERC20 token | Account | Production | Enterprise access |
| bat | Basic Attention Token ERC20 token | Account | Production | Enterprise access |
| bax | BABB ERC20 token | Account | Production | Enterprise access |
| bbx | BBX ERC20 token | Account | Production | Enterprise access |
| bcap | BCAP ERC20 token | Account | Production | Enterprise access |
| bcc | Basiscoin Cash | Account | Production | Enterprise access |
| bcio | Blockchain.io ERC20 Token | Account | Production | Enterprise access |
| bepro | BetProtocol ERC20 token | Account | Production | Enterprise access |
| bid | Blockbid ERC20 token | Account | Production | Enterprise access |
| bidl | Blockbid Liquidity ERC20 token | Account | Production | Enterprise access |
| bird | BirdCoin ERC20 token | Account | Production | Enterprise access |
| bnk | Bankera ERC20 token | Account | Production | Enterprise access |
| bnl | BitNational ERC20 token | Account | Production | Enterprise access |
| bnt | Bancor ERC20 token | Account | Production | Enterprise access |
| bnty | Bounty0x ERC20 token | Account | Production | Enterprise access |
| box | ContentBox ERC20 Token | Account | Production | Enterprise access |
| brlt | Stellar Brazilian Stable coin | Account | Production | Enterprise access |
| brz | Brazilian Digital Token ERC20 token | Account | Production | Enterprise access |
| bsx | Bistox Exchange Token ERC20 token | Account | Production | Enterprise access |
| btt | Blocktrade ERC20 token | Account | Production | Enterprise access |
| btu | BTU Protocol ERC20 token | Account | Production | Enterprise access |
| brd | Bread ERC20 token | Account | Production | Enterprise access |
| busd | Binance USD ERC20 token | Account | Production | Enterprise access |
| buy | Buying.com ERC20 token | Account | Production | Enterprise access |
| c8p | C8 Plus ERC20 token | Account | Production | Enterprise access |
| cadx | eToro Canadian Dollar ERC20 token | Account | Production | Enterprise access |
| cag | Change ERC20 token | Account | Production | Enterprise access |
| cbat | Compound BAT ERC20 token | Account | Production | Enterprise access |
| cbc | CashBet Coin ERC20 token | Account | Production | Enterprise access |
| cbrl | Crypto BRL ERC20 token | Account | Production | Enterprise access |
| cct | Cyber Credit Token ERC20 token | Account | Production | Enterprise access |
| cdag | CannDollar ERC20 token | Account | Production | Enterprise access |
| cdai | Compound DAI ERC20 token | Account | Production | Enterprise access |
| cdt | Blox ERC20 token | Account | Production | Enterprise access |
| cel | Celsius ERC20 token | Account | Production | Enterprise access |
| ceth | Compound Ether ERC20 token | Account | Production | Enterprise access |
| chfx | eToro Swiss Frank ERC20 token | Account | Production | Enterprise access |
| chsb |