Custody·Multi-chain · EVM · Solana · Bitcoin · Cosmos
Fireblocks
Institutional digital-asset custody and treasury infrastructure built on MPC-CMP key management with policy-based transaction authorization, address allowlisting, and Workspace-scoped governance across 100+ chains.
- 01institutional custody
- 02MPC-based treasury
- 03policy-governed payouts
- 04exchange and OTC settlement
- 05tokenization and stablecoin issuance
- pnpm add @fireblocks/ts-sdk
| Variable | Scope | Description |
|---|---|---|
| FIREBLOCKS_API_KEY | Server | Fireblocks API user UUID issued from the workspace; bound to a co-signer / API user with role-based scopes. |
| FIREBLOCKS_API_SECRET_PATH | Server | Filesystem path (or PEM string) containing the RSA private key paired with the API user's public key. |
| FIREBLOCKS_BASE_URL | Server | Base URL — `https://api.fireblocks.io` for production or `https://sandbox-api.fireblocks.io` for sandbox. |
Use Fireblocks for institutional MPC custody and policy-gated transactions. Server-side, instantiate the SDK with `new Fireblocks({ apiKey: process.env.FIREBLOCKS_API_KEY, secretKey: fs.readFileSync(process.env.FIREBLOCKS_API_SECRET_PATH, 'utf8'), basePath: process.env.FIREBLOCKS_BASE_URL })` and submit transfers via `fireblocks.transactions.createTransaction({ transactionRequest: { assetId, amount, source: { type: TransferPeerPathType.VaultAccount, id }, destination: { type, id }, externalTxId } })` — always pass `externalTxId` for idempotency. Read state with `vaults.getVaultAccounts`, `transactions.getTransaction`, and listen for status webhooks (`SIGNING`, `COMPLETED`, `FAILED`) instead of polling. Configure the Transaction Authorization Policy (TAP), AML provider, and address-book allowlist in the workspace before going live.
- ⚑Every API request is signed with the RSA private key as a JWT — clock skew, missing `nonce`, or reused `urlPath` will fail signature verification with cryptic 401s.
- ⚑Only addresses in the workspace Address Book / Whitelisted Contracts can be destinations once 'one-time addresses' is disabled — coordinate allowlist additions with the TAP quorum.
- ⚑TAP quorum and co-signer approvals are required for high-value transfers; designs that assume a single API call settles instantly will stall in `PENDING_AUTHORIZATION` or `PENDING_SIGNATURE`.
- ⚑Sandbox and production are completely isolated workspaces with separate API users, vault IDs, and asset IDs — never reuse credentials or hardcoded vault IDs across environments.
- ⚑IP allowlisting at the API user level is opt-in but recommended; serverless runtimes with rotating egress IPs need a static-IP NAT or a dedicated egress proxy.
- ⚑Some jurisdictions (e.g., custody in NY, certain EU member states) require a licensed sub-custodian — feature-flag deposits/withdrawals per region.