What Bitcoin Connections is
It's the BitBooks feature that lets you link a wallet provider (Blink today, more on the way) to your books for auto-sync. You set it up once per organization, then any number of wallets can connect through it.
If you've already connected a wallet, you've used Bitcoin Connections. This article explains what's happening behind the scenes and the design choices that make it different from other accounting tools.
For the step-by-step setup walkthrough, see Connecting Your Bitcoin Wallet.
The big design decision: passwords stay on your device
Most accounting tools that integrate with bank accounts or wallets do the following:
- You give them your provider's username and password
- They store it on their server (encrypted, but they have the key)
- Their server signs in to the provider on your behalf
This works, but it has a real privacy and risk trade-off: the accounting tool's server holds the keys to your wallet. If the server is hacked, attackers get every customer's wallet credentials.
BitBooks takes a different approach for wallet credentials specifically:
- You pick a vault password that locks your wallet credentials
- The password never leaves your device. Ever. Not even during signup.
- Your browser uses the password (locally, on your device) to derive a small key
- That key locks the actual wallet credentials and BitBooks stores the locked version
- To use the wallet credentials, the browser unlocks them on your device and sends a one-time-use unlock key for that one operation
- The server never holds the unlocked credentials, never sees your password
The trade-off: if you forget your vault password, no one at BitBooks can recover it for you. Your 12-word recovery code is the only way back in.
What "vault password" means in practice
When you click Add Connection for the first time, BitBooks asks you to pick a vault password. This password:
- Is just for your wallet credentials (separate from your sign-in password)
- Never leaves your device
- Encrypts your wallet sign-in details (Blink password, Coinbase API key, etc.) before they're stored
- Is used every time you add a NEW wallet connection (you re-enter to unlock the safe)
- Is NOT used for ongoing auto-sync (already-connected wallets keep syncing without re-entry)
The password is yours alone. We can't see it. We can't reset it. We can't recover it if you lose it.
If that sounds restrictive, it is, by design. It is the same trade-off that Bitwarden, 1Password, and similar tools make.
The 12-word recovery code
Right after you set the vault password, BitBooks shows you 12 random English words. This is your recovery code.
It's the only backup for the vault password. If you forget the password, the recovery code lets you set a new one and recover access to all connected wallets without losing them.
If you lose BOTH the password AND the recovery code, the locked wallet credentials inside the vault are unrecoverable. You'd have to disconnect every wallet and reconnect, signing in to each provider fresh. The wallets themselves and their transaction history stay in BitBooks (no data loss); only the saved sign-in details are gone.
Save the recovery code. The article Connecting Your Bitcoin Wallet lists where to save it.
What the server actually stores
For each Bitcoin Connection, the server stores:
- A per-organization random salt (used in the browser-side key derivation; useless without the password)
- A password verifier (a hash of the password-derived key; used to fail-fast on a wrong password without holding the password)
- The encrypted wallet credentials (only the encrypted form; the unlocked form never reaches the server)
- The opaque user ID at the wallet provider (so we know which provider account this connection belongs to)
What the server does NOT store:
- Your vault password
- The unlocked wallet credentials
- Your seed phrase (we never see it)
- Your provider's master key (we use scoped read-only credentials)
If a malicious actor got into the BitBooks server, they'd see the encrypted credentials but couldn't unlock them without the password (which isn't on the server).
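A sketch of the browser-side flow that produces the stored items listed above, as an added example rather than BitBooks' own code. The page does not name its algorithms, so PBKDF2-SHA-256, AES-256-GCM, the iteration count and all function and field names are assumptions.

```javascript
// Added example. PBKDF2-SHA-256, AES-256-GCM and every name here are assumptions.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const hex = (buf) => Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');
const unhex = (s) => Uint8Array.from(s.match(/../g), (h) => parseInt(h, 16));

// Stretch the vault password with the per-organization salt into 256 key bits.
async function deriveKeyBits(password, salt) {
  const base = await wc.subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveBits']);
  return wc.subtle.deriveBits({ name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 600000 }, base, 256);
}

// Password verifier: a hash of the derived key, so a wrong password is caught early.
async function verifierOf(keyBits) {
  return hex(await wc.subtle.digest('SHA-256', keyBits));
}

const aesKey = (keyBits) => wc.subtle.importKey('raw', keyBits, 'AES-GCM', false, ['encrypt', 'decrypt']);

// Browser side: returns only the fields the server is meant to store.
async function lockCredentials(password, salt, credentials) {
  const bits = await deriveKeyBits(password, salt);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh nonce per encryption
  const plaintext = enc.encode(JSON.stringify(credentials));
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, await aesKey(bits), plaintext);
  return { salt: hex(salt), verifier: await verifierOf(bits), iv: hex(iv), ciphertext: hex(ct) };
}

// Browser side: returns null on a wrong password instead of attempting decryption.
async function unlockCredentials(password, record) {
  const bits = await deriveKeyBits(password, unhex(record.salt));
  if ((await verifierOf(bits)) !== record.verifier) return null;
  const params = { name: 'AES-GCM', iv: unhex(record.iv) };
  const pt = await wc.subtle.decrypt(params, await aesKey(bits), unhex(record.ciphertext));
  return JSON.parse(new TextDecoder().decode(pt));
}

// Constructed sample input; not real provider credentials.
async function demo() {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const record = await lockCredentials('vault-pass-example', salt, { provider: 'example', token: 'sample-token' });
  return {
    record,
    right: await unlockCredentials('vault-pass-example', record),
    wrong: await unlockCredentials('not-the-password', record),
  };
}
```

Anyone who copies the salt, verifier and ciphertext can test password guesses offline, so the KDF cost and the strength of the vault password are what protect the credentials after a server breach.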
What happens during a sync
When auto-sync runs:
- When you signed in earlier, your browser derived a per-wallet credentials key from your vault password
- That credentials key is held in a secure session for the duration of your browser session
- Sync uses the key to fetch wallet data from the provider
- The provider returns transaction data
- BitBooks records the transactions
For server-side scheduled sync (when you're not online), the system uses a slightly different mechanism: a long-lived credential held by the provider that's scoped read-only. The vault password isn't needed for these scheduled fetches because the provider's own credential system handles it.
The exact mechanism is provider-specific. The principle is consistent: minimize what the server holds, maximize what the user controls.
Multiple wallets, one vault
You can connect multiple wallets through the same Bitcoin Connections vault. Set up the vault once (with your password). Each subsequent connection just asks you to type your vault password to add the new wallet's credentials to the safe.
You don't have a separate password per wallet. One password, one safe, many wallets.
This is convenient and scales. It also means: if the vault password is compromised, all connected wallets' credentials are at risk. Pick a strong password.
What happens if the underlying provider changes
If your wallet provider (Blink, etc.) rotates an API key, changes their authentication system, or has a major breach, you may need to reconnect:
- Reconnect the affected wallet (sign in to the provider again)
- The reconnection updates the credentials inside your vault (you re-enter your vault password to authorize)
- Sync resumes
This is the normal flow. See Disconnecting or Re-syncing a Connected Wallet.
The supported provider list
Today: Blink (Lightning custodial). Plus the "xpub" mode for self-custody software wallets where you give us a public key only (we can read addresses, can't move anything).
Coming: Strike, Coinbase, Kraken, others. Each one requires custom integration work; we add them based on customer demand.
For unsupported providers, you can use manual wallets (no auto-sync, you enter transactions yourself or import CSV). The Bitcoin Connections system is opt-in.
Common questions
"Why does BitBooks use this complicated flow instead of just storing my Blink password?"
For privacy. The server never sees your provider credentials. Most accounting tools choose convenience over this; we chose privacy where we could.
"Can my BitBooks team see my wallet credentials?"
No. The credentials are encrypted under your vault password, which only you have. Even other team members in your organization can't see them (each member has their own browser-side derivation).
"What if BitBooks goes out of business?"
The wallet data in your books is yours and exportable. The provider connections are just a fast way to import transactions; you'd lose those connections, but the underlying wallets at the providers (Blink, etc.) are unaffected. You'd reconnect to a new tool or do manual entry.
Where to go next
- Connecting Your Bitcoin Wallet for the setup walkthrough
- Disconnecting or Re-syncing for managing connections
- How Auto-Sync Works for the sync mechanics
- Bitcoin Connection Sync Stopped Working for sync error recovery