Connecting Fireblocks
To operate Fireblocks through Wallet Manager, a Fireblocks workspace must be connected to the Parfin Platform.
This connection allows the Platform to access and operate the structures available in the Fireblocks workspace, such as Vaults, Wallets, Deposit Addresses, balances, and transfers, according to the permissions granted to the API User used in the integration.
This article explains:
which credentials are required;
how to prepare the API User in Fireblocks;
which roles are supported by the integration;
what should be reviewed in the Fireblocks Transfer Policies;
how to complete the connection form in the Platform;
what happens after the connection is submitted for approval.
Before starting
Before connecting Fireblocks, it is necessary to have:
the Certificate Signing Request, or CSR, generated for the Fireblocks API User;
an API User in the Fireblocks workspace;
administrator permission in the Parfin Platform to create the connection.
1. Create an API User in Fireblocks
The integration with the Parfin Platform uses a Fireblocks API User.
This user is responsible for authenticating the requests made by the Platform to the Fireblocks workspace.
The API User must be created directly in Fireblocks, following the official Fireblocks documentation:
Add users — Fireblocks Help Center
Add API users — Fireblocks Help Center
In general, the process involves:
generating the CSR, according to the Fireblocks documentation;
creating the API User in the Fireblocks Console with one of the supported roles:
Admin;
Non-Signing Admin;
waiting for the API User creation to be approved in the workspace;
copying the credentials required to connect Fireblocks to the Parfin Platform:
generated CSR content;
API User ID.
1.1. Supported roles for the integration
For the integration with the Parfin Platform, the Fireblocks API User must have one of the following roles:
Admin;
Non-Signing Admin.
The selected role mainly affects the behavior of transfers created from the Platform, because Fireblocks continues to apply the Transfer Policies configured in the workspace.
API User with Admin role
An API User with the Admin role can initiate and sign transfers.
Therefore, when a transfer created from the Platform matches a Fireblocks policy in which the signer is the transaction initiator, the Admin API User can sign the operation through the configured co-signer.
Even in this scenario, transfers remain subject to Fireblocks policies, such as limits, allowed destinations, policy order, and any other conditions configured in the workspace.
API User with Non-Signing Admin role
An API User with the Non-Signing Admin role can initiate transfers, but cannot sign them.
This behavior requires special attention to the Fireblocks Transfer Policies.
If a transfer created from the Platform matches a Fireblocks policy in which the signer is the transaction initiator, the operation may fail. In this case, the initiator is the API User used by the integration, and this user does not have signing permission.
In this scenario, Fireblocks may return an error because no eligible signer was found.
To use a Non-Signing Admin API User, the Fireblocks Transfer Policies must define a signer that is different from the transaction initiator.
Parfin Platform Governance approval does not replace Fireblocks Transfer Policies. A transfer may be approved in the Parfin Platform and still fail in Fireblocks if the workspace rules do not allow its execution.2. Connect Fireblocks in the Parfin Platform
2.1. Create a new connection
After the API User has been approved in Fireblocks and the credentials are available, the connection can be created in the Parfin Platform.
The flow is available at: Settings > Counterparties > + Connect Counterparty
In the new connection form, the following fields must be completed:
| Field | Description |
|---|---|
| Counterparty Type | Select Custody |
| Counterparty | Select Fireblocks |
| Account Name | Free-text field used to identify this connection in the Platform |
| API Key | Paste the API User ID generated by Fireblocks |
| Secret Key | Paste the CSR content used to create the API User |
The content pasted into Secret Key must follow the structure below:
-----BEGIN CERTIFICATE REQUEST----...-----END CERTIFICATE REQUEST-----
After all required fields are completed, the connection must be submitted.
When the connection is submitted, the Platform automatically sends it to the approval flow configured for the instance.
2.2. Connection approval in the Platform
The Fireblocks connection must be approved before it becomes operational in Wallet Manager.
While waiting for approval, the connection remains in the following status: Pending
During this stage:
the connection is not yet available for operations in Wallet Manager;
actions such as creating Wallets and transfers are not available.
2.3. Wait for the initial synchronization
After Governance approval, the connection moves to the following status: Syncing
During the initial synchronization, Wallet Manager queries Fireblocks to load the connection data.
The synchronization progressively includes:
Vaults;
Wallets;
Deposit Addresses;
balances;
transfer history supported by the integration.
While the connection is in Syncing:
data may appear gradually;
the connection remains read-only;
operational actions remain disabled.
When the initial synchronization is completed, the connection moves to the following status: Active
From this point on, the functionalities supported by the integration become available.
Learn more
For additional information, see: