Reference: Advanced Wallets Configuration Settings

Core Settings

Variable	Description	Default	Required
`APP_MODE`	Application mode	-	✅ `advanced-wallet-manager` or `master-express`
`BIND`	Address to bind to	`localhost`	❌
`TIMEOUT`	Request timeout (ms)	`305000`	❌
`NODE_ENV`	Node environment	`development`	❌
`LOG_LEVEL`	Log level	`info`	❌

Advanced Wallet Manager (AWM) Settings

Variable	Description	Default	Required
`ADVANCED_WALLET_MANAGER_PORT`	Port to listen on	`3080`	❌
`KMS_URL`	URL to your KMS API implementation	-	✅

Note: The KMS_URL points to your implementation of the KMS API interface. You must implement this interface to connect your KMS/HSM. See Prerequisites for the specification and examples.

Master BitGo Express (MBE) Settings

Variable	Description	Default	Required
`MASTER_EXPRESS_PORT`	Port to listen on	`3081`	❌
`BITGO_ENV`	BitGo environment (`prod`, `test`, `staging`, `dev`, `local`)	`test`	❌
`ADVANCED_WALLET_MANAGER_URL`	Advanced Wallet Manager URL	-	✅
`BITGO_CUSTOM_ROOT_URI`	Custom BitGo API root URI (overrides `BITGO_ENV`)	-	❌
`BITGO_DISABLE_ENV_CHECK`	Disable environment check	`true`	❌
`BITGO_AUTH_VERSION`	BitGo authentication version	`2`	❌
`BITGO_CUSTOM_BITCOIN_NETWORK`	Custom Bitcoin network	-	❌

Additional Settings

Variable	Description	Default	Applies To
`RECOVERY_MODE`	Enable recovery mode for wallet recovery operations	`false`	Both
`HTTP_LOGFILE`	Path to HTTP access log file	`logs/http-access.log`	Both
`KEEP_ALIVE_TIMEOUT`	Keep-alive timeout in milliseconds	-	Both
`HEADERS_TIMEOUT`	Headers timeout in milliseconds	-	Both
`IPC`	IPC socket path (alternative to TCP port binding)	-	Both

TLS/mTLS Configuration

Basic TLS Settings

Variable	Description	Default
`TLS_MODE`	TLS mode (`mtls` or `disabled`)	`mtls`
`CLIENT_CERT_ALLOW_SELF_SIGNED`	Allow self-signed client certificates	`false`

Server Certificates (for Incoming Connections)

Variable	Description	Format
`SERVER_TLS_KEY_PATH`	Server private key file path	File path
`SERVER_TLS_CERT_PATH`	Server certificate file path	File path
`SERVER_TLS_KEY`	Server private key (alternative)	PEM string
`SERVER_TLS_CERT`	Server certificate (alternative)	PEM string

Client Authentication

Variable	Description	Format
`MTLS_ALLOWED_CLIENT_FINGERPRINTS`	Allowed client certificate fingerprints	Comma-separated list

Outbound mTLS Certificates

For Master Express → Advanced Wallet Manager

Variable	Description	Format
`AWM_CLIENT_TLS_KEY_PATH`	Client private key file path	File path
`AWM_CLIENT_TLS_KEY`	Client private key (alternative)	PEM string
`AWM_CLIENT_TLS_CERT_PATH`	Client certificate file path	File path
`AWM_CLIENT_TLS_CERT`	Client certificate (alternative)	PEM string
`AWM_SERVER_CA_CERT_PATH`	AWM server CA certificate file path	File path (required)
`AWM_SERVER_CERT_ALLOW_SELF_SIGNED`	Allow self-signed AWM server certificates	Boolean (default: `false`)

For Advanced Wallet Manager → KMS

Variable	Description	Format
`KMS_CLIENT_TLS_KEY_PATH`	Client private key file path	File path
`KMS_CLIENT_TLS_KEY`	Client private key (alternative)	PEM string
`KMS_CLIENT_TLS_CERT_PATH`	Client certificate file path	File path
`KMS_CLIENT_TLS_CERT`	Client certificate (alternative)	PEM string
`KMS_SERVER_CA_CERT_PATH`	KMS server CA certificate file path	File path (required)
`KMS_SERVER_CERT_ALLOW_SELF_SIGNED`	Allow self-signed KMS server certificates	Boolean (default: `false`)

Note: For security reasons, when TLS_MODE=mtls, outbound client certificates are required and you can't reuse server certificates. When TLS_MODE=disabled, these certificates aren't required.