Integrate Fireblocks with Third-Party Service Providers

Overview

Many organizations utilizing Fireblocks seek to integrate their workspace with third-party service providers such as accounting solutions, portfolio aggregation tools, trading platforms and more.
These providers can offer valuable insights, operational efficiencies and additional functionality by integrating directly with your Fireblocks environment.

However, because Fireblocks might not have native integrations with these services, it is essential to follow a set of best practices to ensure that your assets and data remain secure while maximizing the effectiveness of the integration.

This guide provides step-by-step recommendations for securely integrating third-party service providers with your Fireblocks workspace.
Since these integrations usually involve API access granted by you to the provider, it’s crucial to follow best practices to protect your environment and ensure a smooth integration process.




Best Practices for Integration


1. Limit Access Levels

When integrating with third-party providers, never provide Signer or Admin access to your Fireblocks system. Regardless of whether the integration is API-based or UI-based, the maximum role granted to the provider should be Viewer or, at most, Editor. Providing elevated privileges can expose your environment to unnecessary risks.


2. Secure API Key Management

For API integrations, the provider will typically request an API key to access your Fireblocks workspace. To ensure security:

  • Key Generation: The provider should generate their own RSA private key file and a corresponding Certificate Signing Request (CSR) file. They should share only the CSR file with you. Never allow private keys to be shared over the internet. This approach ensures that sensitive key material remains secure.

    For more details on API authentication, refer to the Fireblocks API Key Management Documentation.
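
The key-generation handoff above, sketched with OpenSSL as an added example (not code from Fireblocks or from this guide): the provider creates the key pair and CSR locally, and you check the received file before using it. The function names, file paths, subject name and the 4096-bit default are assumptions made for illustration.

```shell
# Added example. Function names, subject and the 4096-bit default are assumptions.

# Provider side: create the RSA private key and the CSR on the provider's own host.
# Only the CSR file is sent to the customer; the key file never leaves this host.
provider_make_csr() {
    key_out=$1; csr_out=$2; key_bits=${3:-4096}
    ( umask 077   # key is written unencrypted (-nodes), so keep it owner-only
      openssl req -new -newkey "rsa:$key_bits" -nodes \
          -keyout "$key_out" -out "$csr_out" \
          -subj "/CN=third-party-provider-example" 2>/dev/null )
}

# Customer side: accept the received file only if it is a CSR and nothing else.
# Prints a verdict; returns 0 when acceptable, 1 otherwise.
customer_check_csr() {
    file=$1; min_bits=${2:-4096}
    # A private key block means key material was shared: reject the file.
    if grep -q -e 'PRIVATE KEY-----' "$file"; then
        echo "reject: file contains a private key"; return 1
    fi
    # The CSR self-signature shows the sender holds the matching private key.
    # The verdict text is matched because exit codes differ across OpenSSL versions.
    if ! openssl req -in "$file" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "reject: not a CSR or self-signature does not verify"; return 1
    fi
    # Parse the embedded public key as RSA and read its size in bits.
    bits=$(openssl req -in "$file" -noout -pubkey 2>/dev/null |
           openssl rsa -pubin -noout -text 2>/dev/null |
           sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ]; then
        echo "reject: public key is not RSA"; return 1
    fi
    if [ "$bits" -lt "$min_bits" ]; then
        echo "reject: RSA key is $bits bits, below $min_bits"; return 1
    fi
    echo "accept: RSA $bits-bit CSR, no private key present"
}
```

If the check reports a private key in the file, treat that key as exposed and ask the provider to generate a fresh key pair and CSR.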


3. Use Dedicated API Keys

Always create a separate API key specifically for the third-party provider. Do not reuse API keys that are currently used within your internal systems. This separation minimizes the risk of unintended exposure and simplifies access management.


4. Whitelist Provider IP Addresses

To further secure the integration, the provider should provide their server IP addresses so that you can whitelist these for the specific API key. While this step is not mandatory, it is a recommended security best practice to ensure that only authorized servers can interact with your Fireblocks workspace.

For more information, refer to the IP Whitelisting Documentation.


5. Initial Data Synchronization

For the initial data synchronization, we recommend sharing balance and address reports generated through the Fireblocks Console. This method prevents the provider from excessively querying the Fireblocks API for historical data, which could lead to rate limits and slow down the integration process.


6. Enable Webhook Notifications

For ongoing integrations, in addition to API key access, it is advisable to configure webhooks with the provider’s URL. This allows the provider to receive real-time updates about your workspace via push events, reducing the need for frequent API polling.

For more details on configuring webhooks, visit the Webhook Configuration Guide.


7. Signing Transactions

You should avoid granting signing privileges to third-party providers within your Workspace. For integrations that require initiating transactions and signing flows, it's recommended to use the Designated Signer as part of the Transaction Authorization Policy engine feature provided by Fireblocks.

This approach ensures that the provider has an API key with permissions limited to initiating transactions. A Transaction Authorization Policy can optionally dictate that you, as the Fireblocks customer, must approve transactions alongside the Designated Signer, which can be either a mobile device in your workspace or an API Co-Signer instance that is provisioned and stored under your control, not the provider's.


Conclusion

Integrating Fireblocks with third-party service providers can significantly enhance your operational capabilities. However, it is crucial to adhere to these best practices to maintain the security and integrity of your Fireblocks environment. By following these guidelines, you can ensure a smooth and secure integration process that benefits both your organization and the service provider.