Institutional self-custody platform from Ledger built on hardware-secured key shares (HSM + Ledger devices) with policy governance, plus Ledger Enterprise Tradelink for tri-party off-exchange settlement and Ledger Enterprise Multisig for on-chain quorum.
- self-custody with HSM + Ledger devices
- policy-governed enterprise transfers
- off-exchange settlement (Tradelink)
- tokenization and asset issuance
- regulated EU/CH custody

| Variable | Scope | Description |
|---|---|---|
| LEDGER_ENTERPRISE_API_KEY | Server | API operator key from the Ledger Enterprise workspace (replaces the legacy 'Vault' naming). |
| LEDGER_ENTERPRISE_API_SECRET | Server | API operator secret used for request signing; never exposed to the client. |
| LEDGER_ENTERPRISE_BASE_URL | Server | `https://api.vault.ledger.com` (legacy host still in use) or the per-region URL provisioned for your tenant. |

Use Ledger Enterprise's REST API for hardware-secured institutional custody. Authenticate API operators via the `Authorization` header, using the credentials issued from the workspace, then call endpoints such as `POST /accounts/{id}/transactions` to draft a transfer, `POST /transactions/{id}/sign` to surface the signing request to designated approvers (each holding a Ledger device), and `GET /transactions/{id}` to poll until the transaction reaches `BROADCAST` or `CONFIRMED`. For Tradelink, integrate as a Liquidity Provider via the Tradelink endpoints to manage pledges, collateral, and settlement instructions. Reporting/notification endpoints accept a separate read-only API key class — keep the operator key for write operations only.

- Ledger retired the standalone 'Vault' product naming in 2026 — endpoints still resolve under `api.vault.ledger.com`, but the product is now Ledger Enterprise / Tradelink / Multisig; code/comments referencing 'Vault' should be modernized to avoid confusion.
- Every transfer requires a quorum of human approvers each signing on a personal Ledger device — there is no purely server-side hot-signing path; design UX around an asynchronous approval queue.
- API operator credentials are IP-restricted; missing the allowlist update during deployment causes 403s that look like auth failures.
- Reporting API keys (read-only, per-account) and operator API keys (write, workspace-scoped) are different token classes — using one for the other returns 401.
- Tradelink integrations are tri-party (LP / Custodian / Client) — the API only succeeds once all three sides are onboarded and the collateral agreement is live; sandbox stubs the counterparty side.
- EU MiCA and FINMA constraints affect which assets and jurisdictions are supported; confirm asset whitelisting with your relationship manager before enabling withdrawals.
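
The polling step and the 401/403 notes above, combined into one approval-queue poller. This is an added example, not Ledger's code: the `fetch(method, path)` transport, the `status` response field and the `PENDING_APPROVAL` state name are assumptions, and the 401/403 causes are taken from the list above rather than from vendor documentation.

```python
import time

TERMINAL = {"BROADCAST", "CONFIRMED"}  # terminal states named on this page

class OperatorAuthError(Exception):
    """HTTP 401/403, with the likely cause from the notes above attached."""

def diagnose(code):
    # Retrying cannot fix either case, so the poller fails fast on both.
    if code == 401:
        return "wrong key class (reporting key vs operator key)"
    if code == 403:
        return "source IP missing from the operator allowlist"
    return None

def wait_for_broadcast(fetch, tx_id, interval=30.0, max_polls=120, sleep=time.sleep):
    """Poll GET /transactions/{id} until BROADCAST or CONFIRMED.

    fetch(method, path) -> (http_status, body_dict) is a hypothetical injected
    transport; the 'status' body field is an assumption, not a documented name.
    """
    seen = []  # distinct states in order, useful for an audit trail
    for _ in range(max_polls):
        code, body = fetch("GET", f"/transactions/{tx_id}")
        cause = diagnose(code)
        if cause:
            raise OperatorAuthError(f"HTTP {code}: {cause}")
        if code != 200:
            raise RuntimeError(f"unexpected HTTP {code} for {tx_id}")
        state = body.get("status")
        if not seen or seen[-1] != state:
            seen.append(state)
        if state in TERMINAL:
            return state, seen
        sleep(interval)  # approvals are human-paced; poll slowly, never block a request thread
    last = seen[-1] if seen else "unknown"
    raise TimeoutError(f"{tx_id} still {last} after {max_polls} polls")

def make_fake(responses):
    """Constructed offline transport that replays canned (status, body) pairs."""
    it = iter(responses)
    return lambda method, path: next(it)

if __name__ == "__main__":
    fake = make_fake([(200, {"status": "PENDING_APPROVAL"}), (200, {"status": "BROADCAST"})])
    print(wait_for_broadcast(fake, "tx-constructed", sleep=lambda s: None))
```
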