Creating "wallets" for users with BlockCypher

Question

I'm new to the world of Bitcoin, and I am having a hard time trying to understand the basics of wallet implementation for a basic bitcoin service.

Basically, I'd like that:

• Users have a personal wallet ("in-site" wallet, keeping track of their balance)
• Users are able to deposit/withdraw into/from that address/wallet
• The web service is able to make transactions on behalf of the user (to other addresses)

I know there are plenty of ways to go about this, and there are many APIs that can help, so I will narrow this problem down to using BlockCypher's API, which I believe has many similarities with other APIs.

I'd just like to know the general steps one should take to implement this, since I'm pretty much lost. How do I start?

I was thinking that the steps I should take are:

• With the API, generate an address (server side?) and store the private and public keys in a database. Use the same address for the same user all the time.
• Use the transactions API to do the rest and keep track of Bitcoin balance.

However, this put me off a bit (coming from BlockCypher's API, on address generation):

The private key returned is immediately discarded by our servers, but we advise that these keys should not be used for any high-value—or long-term storage—addresses.

The wallets I intend to use would be considered "long-term" storage, I guess, so what other way I could go about implementing such a system?

I'm sorry if this is a very basic question, or if I'm misunderstanding. It'd be great to have some guidance on the right direction; of course I don't expect full-code examples, just an explanation of the concepts. Thanks.

Answer 1

The Bitcoin private key is essential to using the wallet. Bitcoin is based on the PGP idea - one private key corresponds to one public key.

The API that you are using immediately discards the private key, otherwise they would be able to spend the money in every wallet they generate. They would do this by creating transactions and signing them with the private keys that they had.

So they generate these private keys in memory, send them to you via the API, and then discard them. BlockCypher's discarding the private keys does not impact your receipt of these keys. You still get the keys via the API and will have them in memory on your server.

You need to store these private keys in persistent storage, such as a database. Once you do that, then you can transact on behalf of users.

In regards to the long-term storage aspect, they are referring to the strength of the private key used to generate the wallet. Given this, they are likely not extremely strong (it does not mean they are weak!). You want a strong private key so it is not easily hacked or guessed. For long-term storage, especially of high dollar amounts, those wallets are available on the blockchain and are a hacking target. For long-term storage, you're better off with a Trezor or reading up on encryption (which is best done at security.stackexchange.com.