Institutional digital-asset custody, qualified-custodian services, and a multi-sig + MPC wallet platform with on/off-chain settlement, staking, and Lloyd's-backed insurance across 100+ chains.
- 01qualified custodian (US trust)
- 02institutional multi-sig and MPC wallets
- 03staking-as-a-service
- 04OTC and exchange settlement
- 05regulated treasury operations
- pnpm add @bitgo/sdk-core @bitgo/sdk-api
| Variable | Scope | Description |
|---|---|---|
| BITGO_ACCESS_TOKEN | Server | Long-lived API access token for the BitGo enterprise/user; provisioned from the dashboard with scoped IP whitelist. |
| BITGO_ENV | Server | `prod` for mainnet (api.bitgo.com) or `test` for testnet (app.bitgo-test.com). |
| BITGO_WALLET_PASSPHRASE | Server | User-controlled wallet passphrase used to decrypt the encrypted user-key share when signing. |
Use BitGo for institutional multi-sig / MPC custody. Server-side, import `BitGoAPI` from `@bitgo/sdk-api` and the per-coin module from `@bitgo/sdk-coin-eth` (or relevant coin), then `const bitgo = new BitGoAPI({ accessToken, env: process.env.BITGO_ENV }); bitgo.register('eth', Eth.createInstance);`. Fetch a wallet via `bitgo.coin('eth').wallets().get({ id: walletId })` and send funds with `wallet.sendMany({ recipients: [{ address, amount }], walletPassphrase: process.env.BITGO_WALLET_PASSPHRASE, type: 'transfer' })`. For approvals beyond policy thresholds, build the prebuild, surface the approval request to the second signer, and only then call `wallet.submitTransaction`.
- ⚑BitGo is a 2-of-3 multi-sig (user / BitGo / backup) by default — losing the user key share without an active KRS recovery plan locks the wallet.
- ⚑Per-wallet velocity and policy rules (whitelisted addresses, daily caps, multi-user approvals) trigger `pendingApproval` responses; the SDK surfaces them as a separate object that must be approved before broadcast.
- ⚑API access tokens are IP-locked when the IP whitelist is enabled — serverless functions need a static egress IP, otherwise requests will return 401 with 'IP address not whitelisted'.
- ⚑Testnet (`env: 'test'`) and production are entirely separate environments with different coin tickers (e.g., `tbtc` vs `btc`) — never reuse wallet IDs across environments.
- ⚑Qualified-custody (BitGo Trust Company) wallets are governed by NY/SD trust rules: certain jurisdictions are blocked and withdrawals to non-whitelisted addresses require manual review.
- ⚑The legacy `bitgo` megapackage is deprecated in favor of `@bitgo/sdk-core` + per-coin modules — pin coin module versions to match `sdk-core` to avoid runtime ABI mismatches.