
Bitcoin RPC Authentication Guide

How to configure and secure RPC authentication for Bitcoin Core. Covers rpcauth, cookie-based auth, IP whitelisting, and best practices for production deployments.

In this guide

Why RPC Authentication Matters
Cookie-Based Authentication
Username and Password Authentication
IP Whitelisting
Production Security Checklist

Why RPC Authentication Matters

The RPC interface gives full control over your Bitcoin node — and potentially your wallet. Anyone with RPC access can send transactions, dump private keys, and shut down your node. Securing this interface is not optional; it's the most important security decision you'll make when running bitcoind.

Bitcoin Core supports two authentication methods: username/password pairs and cookie-based authentication. Both have their place depending on your deployment.

Username and Password Authentication

For remote access or multi-user setups, you'll need explicit credentials. The recommended approach uses the rpcauth option instead of plain-text rpcuser/rpcpassword.

Bitcoin Core ships with a Python script (share/rpcauth/rpcauth.py) that generates a salted hash:

python3 rpcauth.py myusername

This outputs a line like: rpcauth=myusername:salt$hash

Add this line to your bitcoin.conf. The advantage over rpcuser/rpcpassword is that the actual password never appears in your config file — only the hash.

You can create multiple rpcauth entries for different users, each with their own password.
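The following added example (not code from this page or from Bitcoin Core) reproduces the scheme behind rpcauth.py: the stored value is an HMAC-SHA256 of the password keyed on a random hex salt, and on each login bitcoind recomputes that HMAC with the stored salt and compares it to the hash, so the config file never needs the password itself. Generating the salt and password with the `secrets` module is an assumption standing in for the script's own `os.urandom` calls.

```python
import hmac
import re
import secrets

# Layout of a config entry: rpcauth=<user>:<hex salt>$<hex HMAC-SHA256>
RPCAUTH_RE = re.compile(r"^rpcauth=([^:\s]+):([0-9a-f]+)\$([0-9a-f]{64})$")


def rpcauth_hash(salt_hex: str, password: str) -> str:
    """HMAC-SHA256 keyed on the hex salt string, over the UTF-8 password.
    This is the value written to bitcoin.conf and recomputed by bitcoind."""
    return hmac.new(salt_hex.encode("utf-8"), password.encode("utf-8"), "sha256").hexdigest()


def make_rpcauth(username: str, password: str = "") -> tuple:
    """Return (config_line, password).  Only salt and hash go into the line;
    the password is returned once so it can be handed to the RPC client.
    Assumption: a fresh URL-safe random password if none is supplied."""
    if ":" in username or any(ch.isspace() for ch in username):
        raise ValueError("username must not contain ':' or whitespace")
    password = password or secrets.token_urlsafe(32)
    salt_hex = secrets.token_hex(16)  # 16 random bytes -> 32 hex chars
    line = f"rpcauth={username}:{salt_hex}${rpcauth_hash(salt_hex, password)}"
    return line, password


def parse_rpcauth(line: str) -> tuple:
    """Split a config line into (user, salt_hex, stored_hash); reject anything
    that does not match the expected layout."""
    match = RPCAUTH_RE.match(line.strip())
    if not match:
        raise ValueError("malformed rpcauth line")
    return match.group(1), match.group(2), match.group(3)


def verify_password(line: str, username: str, password: str) -> bool:
    """The check the RPC server performs for an rpcauth entry: same user,
    recompute the HMAC with the stored salt, compare in constant time."""
    user, salt_hex, stored = parse_rpcauth(line)
    if user != username:
        return False
    return hmac.compare_digest(rpcauth_hash(salt_hex, password), stored)


if __name__ == "__main__":
    entry, secret = make_rpcauth("myusername")
    print(entry)                       # paste into bitcoin.conf
    print("password (give to client):", secret)
    print("verifies:", verify_password(entry, "myusername", secret))
```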

IP Whitelisting

Always restrict which IP addresses can connect to your RPC port. By default, Bitcoin Core only listens on 127.0.0.1 (localhost). If you need remote access, explicitly whitelist only the IPs that need it:

rpcallowip=192.168.1.100
rpcbind=0.0.0.0

Never set rpcallowip=0.0.0.0/0 in production — this allows anyone on the internet to attempt authentication against your node.

For remote access, strongly consider tunneling through SSH or a VPN rather than exposing the RPC port directly.

Production Security Checklist

When running a Bitcoin node in production, follow these security practices:

Use rpcauth instead of plain-text credentials.
Keep the RPC port behind a firewall.
Run bitcoind as a dedicated non-root user.
Use SSL/TLS for remote connections (rpcssl option or reverse proxy).
Disable wallet functionality if not needed (-disablewallet).
Monitor the debug.log for unauthorized access attempts.
Set permissions on bitcoin.conf to 600 (owner-read-write only).
Consider using a separate watch-only wallet for monitoring.

For the highest security, run your wallet on an air-gapped machine and use PSBT (Partially Signed Bitcoin Transactions) to transfer unsigned transactions between machines.

Related RPC Commands

getnetworkinfo: Returns an object containing various state info regarding P2P networking.
getrpcinfo: Returns details of the RPC server.
help: List all commands, or get help for a specified command.
logging: Gets and sets the logging configuration.

bitcoind.app — Bitcoin Core RPC Reference