FATF Travel Rule compliance for VASPs — counterparty discovery, originator/beneficiary PII exchange, and pre-transaction validation across 200+ connected VASPs.
- 01 Travel Rule (FATF R.16)
- 02 VASP-to-VASP messaging
- 03 counterparty due diligence
- 04 self-hosted wallet checks
- 05 MiCA / TFR compliance
- `pnpm add @notabene/javascript-sdk`

| Variable | Scope | Description |
|---|---|---|
| NOTABENE_CLIENT_ID | Server | OAuth2 client ID issued by Notabene for the dashboard environment. |
| NOTABENE_CLIENT_SECRET | Server | OAuth2 client secret used to mint access tokens for the REST API. |
| NOTABENE_VASP_DID | Server | DID of your VASP entity in the Notabene network (e.g. did:ethr:0x...). |

Use Notabene for FATF Travel Rule compliance on crypto withdrawals. Server-side, exchange `NOTABENE_CLIENT_ID`/`NOTABENE_CLIENT_SECRET` for an access token at `https://auth.notabene.dev/oauth/token`, then call the Validation API (`POST /tr/validate`) with `originator`, `beneficiary`, `transactionAsset`, and `transactionAmount` to determine whether a Travel Rule flow must trigger and whether the destination is a known VASP or self-hosted wallet. For full TR exchange, use `POST /tr/transactions` to create a transaction with the resolved counterparty `beneficiaryVASPdid` and your `originatorVASPdid`, then poll status or subscribe to webhooks. On the client, the JavaScript SDK handles PII encryption — initialize with `new Notabene({ vaspDID, authToken })` and call `notabene.tr.create(payload)`.
- Travel Rule thresholds and required PII fields differ by jurisdiction (EU TFR is €0, US is $3k, Singapore is S$1.5k) — drive thresholds from a per-customer jurisdiction map, not a hardcoded constant.
- Self-hosted wallet flows require proof-of-ownership (Satoshi Test, signed message, or AOPP) before the transfer can be released — design UX for the extra step on outbound withdrawals.
- PII payloads are encrypted to the recipient VASP's public key, so a key rotation or DID change on their side will fail decryption silently — monitor `transferStatus = REJECTED` reasons.
- Sandbox (`api.notabene.dev`) and production (`api.notabene.id`) are fully isolated — VASP DIDs, counterparties, and webhook signing keys do not transfer between environments.
- Webhooks are signed with HMAC-SHA256 in the `x-notabene-signature` header — verify on every event or you'll trust forged status updates.
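
The webhook check from the last item, as an added example that is not Notabene's own code. It assumes the header value is the hex-encoded HMAC-SHA256 of the raw request body and that each environment has its own signing secret; the function names, secrets and event body are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Header name is from the page. Assumption: its value is the hex-encoded
// HMAC-SHA256 of the raw request body, keyed with the webhook signing secret.
const SIG_HEADER = 'x-notabene-signature';

// Constructed secrets. Sandbox and production signing keys are separate,
// so the key is selected by the environment the endpoint serves.
const SIGNING_KEYS = new Map([
  ['sandbox', 'constructed-sandbox-secret'],
  ['production', 'constructed-production-secret'],
]);

function sign(rawBody, secret) {
  return createHmac('sha256', secret).update(rawBody).digest();
}

// rawBody must be the exact bytes received (string or Buffer). Re-serializing
// parsed JSON can change key order or whitespace and break the MAC.
function verifyWebhook(env, headers, rawBody) {
  const secret = SIGNING_KEYS.get(env);
  const received = headers[SIG_HEADER];
  if (!secret || typeof received !== 'string') return false;
  // Reject anything that is not 32 bytes of hex before comparing:
  // timingSafeEqual throws on inputs of different length.
  if (!/^[0-9a-f]{64}$/i.test(received)) return false;
  return timingSafeEqual(sign(rawBody, secret), Buffer.from(received, 'hex'));
}

// Parse and act on the event only after the signature checks out.
function handleWebhook(env, headers, rawBody) {
  if (!verifyWebhook(env, headers, rawBody)) return { status: 401 };
  return { status: 200, event: JSON.parse(rawBody.toString()) };
}

// Constructed sample event and a matching sandbox signature.
const sampleBody = '{"id":"constructed-1","transferStatus":"REJECTED"}';
const sampleSig = sign(sampleBody, SIGNING_KEYS.get('sandbox')).toString('hex');
const result = handleWebhook('sandbox', { [SIG_HEADER]: sampleSig }, sampleBody);
console.log(result.status, result.event.transferStatus);
```

In an HTTP framework, capture the body as raw bytes before any JSON middleware runs and pass that buffer to `verifyWebhook`.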