BE Custody provides a GraphQL API for approved customer integrations.
The API can support custody-related workflows such as transaction creation, transaction information retrieval, operational reporting, Travel Rule information submission where supported, and integration with webhook-based event notifications.
API availability, permissions, endpoints, and supported workflows depend on the organisation’s BE Custody configuration and agreed integration model.
How is the API typically used?
Organisations commonly use BE Custody APIs together with webhooks and approval workflows.
Depending on configuration, an integration may be used to:
- Create transaction requests
- Retrieve transaction information
- Receive webhook notifications
- Support internal reconciliation
- Submit Travel Rule information, where supported
- Connect custody workflows to internal systems
- Support signing or approval processes through configured BE Custody workflows
API-created activity may still be subject to BE Custody roles, permissions, approval workflows, quorum requirements, and signing controls.
Does the API expose all compliance or risk information?
No. Some compliance, screening, or risk processes may take place outside the API or behind the scenes.
For example, Travel Rule-related information may be supported through API workflows where configured, but KYT rule logic or internal risk rules are not exposed through the API.
Is a test environment available?
A sandbox or test environment may be available for approved customer testing and onboarding, depending on the organisation’s setup and agreed integration requirements.
Customers should use the sandbox to validate integration behaviour before using APIs for production custody workflows.
Is developer documentation available?
Developer documentation is available for approved API users.
Where applicable, Bitpanda Enterprise Custody may also provide SDKs, examples, or integration guidance through approved developer support channels.
Do not include API keys, API secrets, access tokens, private keys, seed phrases, passwords, PINs, or other sensitive authentication information in support requests, logs, screenshots, or shared examples.