APAC-headquartered institutional digital-asset custodian licensed across Hong Kong, Singapore, Dubai (VARA), Italy, and France, offering bank-grade custody, staking, and tokenization with API-driven transfers and multi-jurisdictional segregation.
- 01APAC and MENA institutional custody
- 02regulated stablecoin custody
- 03institutional staking
- 04tokenization and RWA custody
- 05Fireblocks Custody Network qualified custodian
| Variable | Scope | Description |
|---|---|---|
| HEX_TRUST_API_KEY | Server | Hex Trust API key issued per organization from the client portal. |
| HEX_TRUST_API_SECRET | Server | HMAC secret used to sign each request; never exposed to the client. |
| HEX_TRUST_BASE_URL | Server | Production or UAT base URL provisioned for your tenant (region-specific). |
Use Hex Trust's REST API for APAC-regulated institutional custody. There is no public JS SDK — sign each request with HMAC over `timestamp + method + path + body` and submit headers `X-API-Key`, `X-Timestamp`, `X-Signature`. Common flows: `POST /v1/wallets/{id}/withdrawals` to draft a withdrawal to an allowlisted address, `GET /v1/wallets/{id}/balance` for balances, `POST /v1/staking/positions` to delegate, and `GET /v1/transactions/{id}` to poll until quorum approval and broadcast. All withdrawals route through Hex Trust's segregated cold-storage architecture and require human quorum approval per the workspace policy.
- ⚑Withdrawals are restricted to pre-allowlisted addresses; address registration is an out-of-band KYC-gated process, not an API call.
- ⚑Each Hex Trust legal entity (Hex Trust HK, Hex Safe Singapore, Hex Trust Dubai under VARA, Hex Trust Italy, Hex Trust France) onboards clients separately — confirm which licensed entity holds your assets and which products are available in your jurisdiction.
- ⚑Operations are asynchronous and quorum-gated; the API returns a `pending` operation that must be polled or webhook-driven — never assume synchronous settlement.
- ⚑API keys are IP-allowlisted by default; serverless deployments require a static egress IP and an explicit allowlist update by Hex Trust ops.
- ⚑UAT (sandbox) and production are fully isolated tenants with different wallet IDs, asset codes, and approver lists — credentials are not portable.
- ⚑Hex Trust is closed-source — no public GitHub SDK; the integration GitHub org publishes draft specs only, so treat the OpenAPI provided by your account manager as authoritative.