Guide · Payments

How to automate crypto payment forwarding — non-custodially

Auto-forward incoming deposits to your treasury without handing anyone your keys. Watch the addresses customers pay into, and on every confirmed payment prepare a sweep, sign it offline with your own key, and broadcast it. It's an automation you own — CryptoAPIs never holds a private key.

Automated, but still your keys

"Auto-forwarding" usually means a service takes custody of incoming funds and moves them for you — which means it holds the keys. That's a custodial arrangement, and the counterparty risk that comes with it.

You can get the same automation without giving that up. CryptoAPIs tells you the instant a deposit confirms and prepares the sweep transaction for you — but the transaction is unsigned. Your service signs it offline with a key that never leaves your infrastructure, then broadcasts it. Run that on every incoming payment and deposits forward themselves, non-custodially.

The principle: we automate the watching and the building; you keep the signing. Fully hands-off forwarding, zero custody.

The forwarding loop

Triggered by a webhook, on any of 20+ supported chains — and it runs on a loop, so deposits forward themselves.

1
Watch
webhook
Deposit confirmed
2
Prepare
POST /prepare-transactions
Build unsigned sweep
3
Sign offline
@cryptoapis-io/offline-signer
Your key, locally
4
Broadcast
POST /broadcast-transactions
Sweep on-chain

Watch your deposit addresses

Subscribe to confirmed incoming transactions on the addresses customers pay into. Your service is notified the moment funds land — no polling, and the subscription is read-only, so no keys are involved.

# Notify your server whenever a deposit confirms
curl -X POST \
  https://rest.cryptoapis.io/blockchain-events/ethereum/mainnet/address-coins-transactions-confirmed \
  -H "x-api-key: YOUR_API_KEY" \
  -d '{ "data": { "item": {
      "address": "{depositAddress}",
      "callbackUrl": "https://your-service.com/webhooks/deposit" } } }'

Prepare the forwarding transaction

In your webhook handler, build an unsigned transaction that sends the received amount (minus network fee) from the deposit address to your treasury. No keys are sent — only the details needed to sign.

# On each deposit webhook, prepare a sweep to treasury (UNSIGNED)
curl -X POST \
  https://rest.cryptoapis.io/prepare-transactions/evm/ethereum/mainnet/native-coins \
  -H "x-api-key: YOUR_API_KEY" \
  -d '{ "data": { "item": {
      "senderAddress": "{depositAddress}",
      "recipients": [{ "address": "{treasury}", "amount": "{received-fee}" }] } } }'
# → returns the unsigned transaction + the sighash(es) to sign

Sign offline and broadcast

Sign the prepared transaction offline, in your own environment, with the key for that deposit address — then broadcast the signed result. The private key never touches the API, so the whole automation stays non-custodial.

# Sign OFFLINE in your service — e.g. our open-source @cryptoapis-io/offline-signer
# (no HTTP, no API key; key stays in your infrastructure)
# → returns signedTransactionHex, ready to broadcast

# Broadcast the locally signed sweep
curl -X POST \
  https://rest.cryptoapis.io/broadcast-transactions/ethereum/mainnet \
  -H "x-api-key: YOUR_API_KEY" \
  -d '{ "data": { "item": { "signedTransactionHex": "{signedTx}" } } }'
Tokens too: to auto-forward USDT, USDC or other tokens, swap the prepare step for the token endpoints (ERC-20 / TRC-20). The watch → sign-offline → broadcast loop is identical.

Why build it this way

You get the operational win of automatic forwarding — deposits land in treasury with no manual step — while keeping the security property that matters most: no third party can ever move your funds, because no third party has your keys. The nodes, indexing, fee estimation and confirmation tracking are the API's job; signing is yours alone.

Frequently asked questions

Does CryptoAPIs hold my keys when forwarding payments?

No. This is a non-custodial pattern you build and run yourself: CryptoAPIs notifies you of deposits and prepares unsigned transactions, but you sign every sweep offline with your own key. Private keys never reach our servers.

How do I auto-forward incoming crypto to a treasury wallet?

Watch your deposit addresses with a confirmed-transaction webhook, and on each notification prepare a transaction that sends the received funds to your treasury, sign it offline, and broadcast it. Running that on every webhook forwards deposits automatically.

Can I automate forwarding for tokens like USDT and USDC?

Yes. Use the token prepare-transaction endpoints (ERC-20, TRC-20 and more) to build the sweep; the rest of the loop — watch, sign offline, broadcast — is identical.

What do I need to run the automation?

A webhook endpoint to receive payment notifications, your own signing key held in your environment, and the CryptoAPIs prepare-transactions and broadcast endpoints. No nodes, indexers or custodian required.

How do I sign the transactions offline?

Take the unsigned transaction returned by /prepare-transactions and sign it in your own environment, with the private key for that deposit address. Our open-source @cryptoapis-io/offline-signer signs EVM, UTXO, Tron and XRP transactions entirely on your machine — no HTTP calls, no API key — and returns a signed hex ready for /broadcast-transactions. Your private key never leaves your process; any signing library works.

Automate forwarding, keep your keys

Build the non-custodial forwarding loop on a free tier — watch deposits, prepare sweeps, sign offline and broadcast, across 20+ chains.