Fireblocks Integration

Connect your Fireblocks workspace with Sumsub to automatically send Travel Rule data transfers.

Fireblocks is a platform that companies use to safely store and move digital assets. The Fireblocks integration enables Fireblocks clients to use Sumsub as their Travel Rule Provider (TRP) under the Fireblocks Travel Rule Link (TRLink) framework.

By integrating Fireblocks with Sumsub, you will be able to:

  • Seamlessly perform compliant Travel Rule data exchange transactions with counterparties worldwide.
  • Ensure Personally Identifiable Information (PII) is encrypted end-to-end.
  • Monitor all outbound Travel Rule data exchange transactions directly in both Fireblocks and Sumsub dashboards.

Before enabling the integration, make sure that you meet the following requirements:

  • Sumsub Travel Rule is enabled in your organization. If not, reach out to your Sumsub Customer Success Manager.
  • TRLink is enabled in your Fireblocks workspace. If not, contact your Fireblocks Customer Success Manager to activate it.
  • You have valid Fireblocks API credentials and Sumsub Dashboard access.

How Fireblocks integration works

Fireblocks orchestrates the transaction (including policy checks, routing, signing), while Sumsub manages the Travel Rule data exchange between VASPs.

Sumsub supports the outbound transaction flow with the Fireblocks integration. Processing each transaction includes the following steps:

  1. User initiates a crypto transfer in Fireblocks.
  2. Fireblocks TRLink determines that the transaction requires Travel Rule screening.
  3. Fireblocks sends encrypted originator/beneficiary data to Sumsub.
  4. Sumsub performs VASP attribution and exchanges data with the beneficiary VASP.
  5. If Sumsub does not find a VASP, enable unhosted wallet verification:
    • End user verifies control (signs a message) or submits self-declaration via WebSDK link.
    • On success, we store the wallet for future reuse.
  6. We send the result (accepted, rejected, awaiting, and so on) back to Fireblocks.
  7. Fireblocks processes the response and proceeds with the on-chain transaction if possible.

❗️

Important

All PII is encrypted with the private key you generate during setup. Fireblocks does not have access to your PII data.

Enable Fireblocks integration

Follow these steps to integrate your Fireblocks workspace with Sumsub.

Step 1: Enable Travel Rule Link in Fireblocks

To integrate with Fireblocks, start by performing the following steps on the Fireblocks side:

  1. Contact your Fireblocks Customer Success Manager to enable TRLink.
  2. In the Fireblocks dashboard, navigate to Compliance, go to the Travel Rule Link section, and open settings.
  3. Create or assign a Legal Entity for TRLink:
    1. Select Entity Purpose: TR Link.
    2. Assign relevant vaults.
    3. Configure how counterparties can discover your entity information by setting a discoverability mode: hidden, anonymous, or discoverable. For more information, refer to the Fireblocks documentation.

👍

Tip

We suggest selecting discoverable mode, which allows counterparties to access all shared legal entity information. It lets you fully automate the process of confirming wallet ownership during Inbound Travel Rule data exchange transactions.

Step 2: Connect Fireblocks to Sumsub

Use the Sumsub Dashboard to link your Fireblocks workspace and set up encryption keys for secure Travel Rule data exchange.

  1. In the Sumsub Dashboard, navigate to the Marketplace section and select Fireblocks.
  2. Click Settings on Fireblocks.
  3. Enter your Fireblocks API key (integration ID generated from Fireblocks workspace).
  4. Click Generate Key Pair. Sumsub will create a public/private key pair.
    • Public key is stored by Sumsub to encrypt PII.
    • Private key remains in your environment only.
  5. Once verified, the connection status should change to active.

Step 3: Configure Travel Rule settings and rules

Use the Sumsub Dashboard to define your Travel Rule preferences.

  1. Fill out either the Registration Form or Due Diligence Questionnaire.
  2. Install the Travel Rule rules bundle from the Rules Library along with jurisdiction-specific rule bundles (such as Travel Rule: UK, Travel Rule: EU, and so on) based on your country of registration.
  3. After installation, switch from the test mode and activate the rules.
  4. Navigate to the Transactions and travel rule section. Open settings and select Travel Rule.
  5. Set the confirmation timeout (the time period during which you want to receive the Travel Rule data exchange transaction details from the counterparty).
  6. Select the originator/beneficiary fields to share and specify the data-matching strictness. For more information about Travel Rule settings, see this article.

Step 4: Encrypt PII

Encrypting the PII for the Travel Rule data exchanges is mandatory. Fireblocks must always receive Travel Rule data already encrypted by you. Do not submit plaintext PII to Fireblocks.

Encrypt only what is required for the jurisdictions involved. Configure fields in the Sumsub settings.

Build PII payload

Compose only the fields required for your corridor/jurisdiction.

They often include fields aligned with IVMS101:

  • Full name
  • Address
  • Date of birth
  • Account/wallet ID

Make sure these match your Sumsub Travel Rule configuration for matching rules.

Encrypt PII (JOSE standards)

Protect your PII — encrypt with JWE (required) and optionally sign with JWS (for sender authenticity).

  • JWE — use RSA-OAEP-256 key management and A256GCM for content encryption.
  • JWS (optional) — use RS256 if you need a signed-then-encrypted envelope. It proves the sender’s identity and prevents tampering before encryption.
  • Keys: JWK recommended, PEM supported for legacy.

Encrypt PII data with the beneficiary’s JWK and return a compact JWE string.

Example:

const jose = require('node-jose');
async function encryptPiiForTrm(beneficiaryJwk, piiObject) {
  const ks = jose.JWK.createKeyStore();
  const publicKey = await ks.add(beneficiaryJwk);
  return jose.JWE.createEncrypt(
    { format: 'compact', fields: { alg: 'RSA-OAEP-256', enc: 'A256GCM' } },
    publicKey
  ).update(JSON.stringify(piiObject)).final(); // → compact JWE string
}

Create a signed-then-encrypted JWE. Set senderSigningKey to null if you do not need JWS.

import com.nimbusds.jose.jwk.RSAKey;
// publicKey: RSAKey parsed from beneficiary JWK
String jwe = TRJWTCodec.encodeAndEncrypt(
  piiJsonString,     // payload JSON
  senderSigningKey,  // optional JWS key (can be null if unsigned)
  publicKey,         // beneficiary encryption key
  "your-issuer"      // optional issuer claim
);
// Use `jwe` as the travelRuleMessage below

📘

Note

For more details, see the examples of implementations for encrypting PII data.

Step 5: Create Fireblocks transaction

Use the encrypted Travel Rule message to create a Fireblocks transaction. Attach the compact JWE to the Fireblocks request as travelRuleMessage.

Minimal request:

{
  "assetId": "ETH",
  "source": { "type": "VAULT_ACCOUNT", "id": "0" },
  "destination": {
    "type": "ONE_TIME_ADDRESS",
    "oneTimeAddress": { "address": "0xRecipient..." }
  },
  "operation": "TRANSFER",
  "amount": "1.0",
  "note": "Payment to beneficiary",
  "travelRuleMessage": "<COMPACT-JWE-FROM-PART-A>"
}
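
A pre-flight check for the request above, as an added example (not Sumsub's or Fireblocks' code): it refuses to build the transaction body unless travelRuleMessage is a five-segment compact JWE whose protected header declares RSA-OAEP-256 and A256GCM, so plaintext PII is never attached. The function names and the sample values are assumptions constructed for illustration.

```javascript
// Added example: pre-flight check for the travelRuleMessage field.
// Policy taken from this page: compact JWE, RSA-OAEP-256 + A256GCM.
const REQUIRED_HEADER = { alg: 'RSA-OAEP-256', enc: 'A256GCM' };
const B64URL = /^[A-Za-z0-9_-]+$/;

// Returns the protected header if `token` is a well-formed compact JWE that
// declares the required algorithms; throws otherwise (e.g. for plaintext JSON).
function checkCompactJwe(token) {
  if (typeof token !== 'string') throw new Error('travelRuleMessage must be a string');
  const parts = token.split('.');
  // Compact JWE: header.encryptedKey.iv.ciphertext.tag (a bare JWS has only 3 parts)
  if (parts.length !== 5) throw new Error(`expected 5 segments, got ${parts.length}`);
  if (!parts.every((p) => B64URL.test(p))) throw new Error('segment is empty or not base64url');
  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch {
    throw new Error('protected header is not JSON');
  }
  if (header === null || typeof header !== 'object') throw new Error('protected header is not an object');
  for (const [name, want] of Object.entries(REQUIRED_HEADER)) {
    if (header[name] !== want) throw new Error(`header ${name} must be ${want}, got ${header[name]}`);
  }
  return header;
}

// Builds the transaction body in the shape shown on this page, refusing unencrypted input.
function buildTransferRequest(transfer, travelRuleMessage) {
  checkCompactJwe(travelRuleMessage);
  return { ...transfer, operation: 'TRANSFER', travelRuleMessage };
}

// Constructed sample inputs: valid headers with dummy (non-decryptable) segments.
const b64 = (v) => Buffer.from(v).toString('base64url');
const dummyTail = [b64('key'), b64('iv'), b64('ct'), b64('tag')];
const sampleJwe = [b64(JSON.stringify(REQUIRED_HEADER)), ...dummyTail].join('.');
const weakJwe = [b64(JSON.stringify({ alg: 'RSA1_5', enc: 'A256GCM' })), ...dummyTail].join('.');
const plaintextPii = JSON.stringify({ name: 'Constructed Name', walletId: '0xConstructed' });
```

The check validates structure and declared algorithms only; it cannot confirm which public key the message was encrypted to.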

Step 6: View results

Once you send the transaction, Fireblocks applies TRLink policies and forwards the encrypted Travel Rule message to Sumsub.

  • Sumsub performs VASP attribution and exchanges data via the appropriate protocol.
  • Beneficiary VASP confirms wallet ownership and matches PII.

After that, you will receive outcomes in both Dashboards.

| Fireblocks Status | Sumsub Status | Description |
|---|---|---|
| pending | awaitingCounterparty | Waiting for counterparty VASP confirmation. |
| approved | completed | Data exchange matched and confirmed. |
| declined | counterpartyMismatchedData | Beneficiary reported a PII mismatch. |
| unreachable | counterpartyVaspNotReachable | Counterparty not reachable on supported networks. |
| expired | expired | No response within your confirmation timeout. |