Module 7: Working with Bitcoin RPC
Learning Objectives
By the end of this module, you will:
Understand how bitcoin-cli and raw RPC calls work under the hood
Make authenticated JSON-RPC requests using curl
Configure and secure your RPC credentials
Learn best practices for securing RPC access in production environments
bitcoin-cli vs curl RPC Calls
When you run:
You’re using a thin wrapper around a JSON-RPC call that’s being sent to the local bitcoind daemon.
The same request using curl:
This shows you how clients communicate with bitcoind directly.
Key parts of the RPC call:
method: what you want to execute (e.g. getnewaddress)
params: arguments in array format
id: request ID (any unique string)
jsonrpc: always "1.0" for Bitcoin Core
Reading and Writing Raw JSON Requests
Example 1: Get a new address
Example 2: Send BTC
Authentication Options
Cookie-based (default & recommended)
Bitcoin Core writes an auth cookie to:
To use it with curl:
This is secure for local-only use.
Manual username/password
In bitcoin.conf:
Then restart bitcoind.
Now you can use:
Securing RPC on Real Nodes
Never expose RPC publicly. Always bind to localhost or use strict firewall rules.
Key configuration options:
To expose RPC over SSH securely:
Then curl to localhost on your own machine.
Production checklist:
Use cookie auth or a strong password
Disable or restrict RPC access by IP
Avoid exposing RPC over plain HTTP (use an HTTPS reverse proxy if needed)
Regularly rotate rpcpassword if using manual auth
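The checklist above as a small bitcoin.conf auditor. This is an added example, not code from the original module or from Bitcoin Core. rpcbind and rpcallowip are Bitcoin Core options assumed here because the module's own configuration listing is not shown; the sample configs and the 20-character password minimum are constructed for illustration.

```python
import ipaddress

# Constructed sample configs for illustration; not taken from the module.
WEAK_CONF = """\
server=1
rpcuser=alice
rpcpassword=hunter2      # short, guessable
rpcbind=0.0.0.0:8332
rpcallowip=0.0.0.0/0
"""
HARDENED_CONF = "server=1\nrpcbind=127.0.0.1\nrpcallowip=127.0.0.1\n"

def parse_conf(text):
    """Return {option: [values]}. Simplification: [section] headers are ignored."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def bind_host(addr):
    """Strip an optional port from rpcbind: 'host', 'host:port' or '[v6]:port'."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.split(":")[0] if addr.count(":") == 1 else addr

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def audit(text, min_password_len=20):
    """Return (option, message) findings; min_password_len is an assumed policy value."""
    opts, findings = parse_conf(text), []
    for value in opts.get("rpcbind", []):
        if not is_loopback(bind_host(value)):
            findings.append(("rpcbind", f"{value}: RPC listens beyond localhost"))
    for value in opts.get("rpcallowip", []):
        net = ipaddress.ip_network(value, strict=False)
        if not net.is_loopback:
            scope = "any address" if net.prefixlen == 0 else "non-local clients"
            findings.append(("rpcallowip", f"{value}: admits {scope}"))
    for value in opts.get("rpcpassword", []):
        if len(value) < min_password_len:
            findings.append(("rpcpassword", "below policy minimum; use cookie auth or a longer secret"))
    return findings
```

Calling audit(WEAK_CONF) returns one finding each for rpcbind, rpcallowip and rpcpassword; audit(HARDENED_CONF) returns an empty list.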
Activity
Create a JSON-RPC payload to get a new address.
Use curl to post the payload to your running regtest node.
Inspect the .cookie file and try using it for auth.
Update your bitcoin.conf with rpcuser and rpcpassword, restart, and authenticate manually.
Attempt a bad request and read the JSON-RPC error response.