Documentation Index

Fetch the complete documentation index at: https://developers.fireblocks.com/llms.txt

Use this file to discover all available pages before exploring further.

​

API Authentication

The Fireblocks API uses an API key and a request-signing process to provide a highly secure communication protocol. You can create API keys through the Fireblocks Console or the API.

​

Create an API key in the Console

To create your first API key:

1. Generate an RSA 4096 private key and CSR file:
   Shell

   openssl req -new -newkey rsa:4096 -nodes -keyout fireblocks_secret.key -out fireblocks.csr -subj '/O=<your_organization>'
   
2. In the Fireblocks Console, go to the Developer center’s API users page.
3. Select Add API user.
4. Enter a display name for the API key (up to 30 characters) and select the appropriate role. Permissions follow the same user roles used for Console users.
5. Upload the CSR file you generated in step 1.
6. Select whether a Co-signer setup is required.
   1. If you’re in a testnet workspace, you can connect to the Fireblocks Communal Test Co-signer.
   2. Only select First user on this machine if you’re using the API user to install a new SGX Co-signer.
7. Select Add user.

After the required approval quorum is reached, the API key appears in the API users list. You can copy the API key from there by hovering your pointer over the value in the API User (ID) column. Every request using this API key must follow the Fireblocks API authentication scheme.

​

Create an API key via the Fireblocks API

Complete step 1 from the Console procedure above to generate your RSA key and CSR file, then call the Create API Key endpoint to complete the API key creation operation.

​

API key management best practices

Your API credentials are a prime target for attackers. Fireblocks recommends following these best practices to work securely with our APIs.

​

Role-based access control

Provision each API user’s role according to the principle of least privilege. Fireblocks supports multiple roles for role-based access control, and an API user can hold any one of them. Create separate API users to enforce duty separation and establish clear security boundaries.

​

Policy rules for API users

API users with transaction initiation and signing capabilities can execute transactions like any Console user. Create strong Policy rules to govern what transaction types these API users can conduct and from which accounts.

​

IP address allowlisting

Each API user can restrict API calls to specific IP addresses. If no IP addresses are allowlisted, the API accepts requests from any address. Explicitly allowlist only the IP addresses you expect to call the Fireblocks API.

​

Generating and storing RSA 4096 private keys

Each API user requires a public/private key pair to sign requests. Keep your fireblocks_secret.key file safe and secure at all times. To protect your key pair:

• Generate a unique CSR file and key pair for each API user. This limits the blast radius if one user’s keys are compromised.
• Generate the CSR file and key pair in an offline (air-gapped) environment for added security.
• Store fireblocks_secret.key in a hardened environment with advanced security controls such as multi-factor authentication and endpoint protection.

​

Storing API keys outside your codebase

Never embed API keys directly in code or commit them to your source tree. Keys embedded in code can be accidentally exposed, especially if you use a public source control system such as GitHub. Instead, store API keys in environment variables or in files outside your application’s source tree.

​

Rotating secrets

Rotation works differently depending on the API user type:

• Fireblocks API users: Because authentication relies on a CSR and associated secret key, create a new API user to rotate credentials.
• Co-signers: Re-enroll the API user to obtain a new pairing token, then complete the pairing process to receive a new refresh token.
• Fireblocks Agent for KeyLink: Uses the pairing token, access token, and device. This user type does not hold MPC keys.