Connecting Fireblocks

To operate Fireblocks through Wallet Manager, a Fireblocks workspace must be connected to the Parfin Platform.


This connection allows the Platform to access and operate the structures available in the Fireblocks workspace, such as Vaults, Wallets, Deposit Addresses, balances, and transfers, according to the permissions granted to the API User used in the integration.


This article explains:

  • which credentials are required;

  • how to prepare the API User in Fireblocks;

  • which roles are supported by the integration;

  • what should be reviewed in the Fireblocks Transfer Policies;

  • how to complete the connection form in the Platform;

  • what happens after the connection is submitted for approval.


Before starting

Before connecting Fireblocks, it is necessary to have:

  • the Certificate Signing Request, or CSR, generated for the Fireblocks API User;

  • an API User in the Fireblocks workspace;

  • administrator permission in the Parfin Platform to create the connection.


1. Create an API User in Fireblocks

The integration with the Parfin Platform uses a Fireblocks API User.

This user is responsible for authenticating the requests made by the Platform to the Fireblocks workspace.

The API User must be created directly in Fireblocks, following the official Fireblocks documentation:

  • Add users — Fireblocks Help Center

  • Add API users — Fireblocks Help Center

In general, the process involves:

  1. generating the CSR, according to the Fireblocks documentation;

  2. creating the API User in the Fireblocks Console with one of the supported roles:

    • Admin;

    • Non-Signing Admin;

  3. waiting for the API User creation to be approved in the workspace;

  4. copying the credentials required to connect Fireblocks to the Parfin Platform:

    • generated CSR content;

    • API User ID.


1.1. Supported roles for the integration

For the integration with the Parfin Platform, the Fireblocks API User must have one of the following roles:

  • Admin;

  • Non-Signing Admin.

The selected role mainly affects the behavior of transfers created from the Platform, because Fireblocks continues to apply the Transfer Policies configured in the workspace.


API User with Admin role

An API User with the Admin role can initiate and sign transfers.


Therefore, when a transfer created from the Platform matches a Fireblocks policy in which the signer is the transaction initiator, the Admin API User can sign the operation through the configured co-signer.


Even in this scenario, transfers remain subject to Fireblocks policies, such as limits, allowed destinations, policy order, and any other conditions configured in the workspace.


API User with Non-Signing Admin role

An API User with the Non-Signing Admin role can initiate transfers, but cannot sign them.


This behavior requires special attention to the Fireblocks Transfer Policies.


If a transfer created from the Platform matches a Fireblocks policy in which the signer is the transaction initiator, the operation may fail. In this case, the initiator is the API User used by the integration, and this user does not have signing permission.


In this scenario, Fireblocks may return an error because no eligible signer was found.

To use a Non-Signing Admin API User, the Fireblocks Transfer Policies must define a signer that is different from the transaction initiator.


Parfin Platform Governance approval does not replace Fireblocks Transfer Policies. A transfer may be approved in the Parfin Platform and still fail in Fireblocks if the workspace rules do not allow its execution.




2. Connect Fireblocks in the Parfin Platform

2.1. Create a new connection

After the API User has been approved in Fireblocks and the credentials are available, the connection can be created in the Parfin Platform.


The flow is available at: Settings > Counterparties > + Connect Counterparty


In the new connection form, the following fields must be completed:

FieldDescription
Counterparty TypeSelect Custody
CounterpartySelect Fireblocks
Account NameFree-text field used to identify this connection in the Platform
API KeyPaste the API User ID generated by Fireblocks
Secret KeyPaste the CSR content used to create the API User


The content pasted into Secret Key must follow the structure below:

-----BEGIN CERTIFICATE REQUEST----
 ... 
-----END CERTIFICATE REQUEST-----

After all required fields are completed, the connection must be submitted.

When the connection is submitted, the Platform automatically sends it to the approval flow configured for the instance.


2.2. Connection approval in the Platform

The Fireblocks connection must be approved before it becomes operational in Wallet Manager.

While waiting for approval, the connection remains in the following status: Pending


During this stage:

  • the connection is not yet available for operations in Wallet Manager;

  • actions such as creating Wallets and transfers are not available.


2.3. Wait for the initial synchronization

After Governance approval, the connection moves to the following status: Syncing


During the initial synchronization, Wallet Manager queries Fireblocks to load the connection data.


The synchronization progressively includes:

  • Vaults;

  • Wallets;

  • Deposit Addresses;

  • balances;

  • transfer history supported by the integration.


While the connection is in Syncing:

  • data may appear gradually;

  • the connection remains read-only;

  • operational actions remain disabled.


When the initial synchronization is completed, the connection moves to the following status: Active


From this point on, the functionalities supported by the integration become available.


Learn more

For additional information, see: