Register a webhook endpoint in the Fireblocks console under Settings > Webhooks; provide an HTTPS URL that returns HTTP 200 within 5 seconds
Verify incoming webhooks: Fireblocks signs payloads with an RSA private key; retrieve the public key from the Fireblocks console and verify the X-Fireblocks-Signature header against the SHA-512 hash of the raw body
Subscribe to TRANSACTION_STATUS_UPDATED events; parse the data.status field and map REJECTED, FAILED, BLOCKED (TAP-blocked) statuses to compliance workflow triggers
For BLOCKED transactions (blocked by TAP policy), extract data.subStatus and data.txHash to identify the transaction; route to your compliance queue with the Fireblocks txId for manual review
For COMPLETED transactions, extract data.destinationAddress and data.assetId and submit to Chainalysis KYT or TRM Labs for post-broadcast monitoring using the on-chain txHash
Implement exponential backoff retry logic in your webhook handler; if your endpoint returns non-200, Fireblocks retries with increasing delays — ensure idempotent processing using the txId as a deduplication key
Known gotchas
Fireblocks sends webhooks in near-real-time but does not guarantee ordering; a TRANSACTION_STATUS_UPDATED event for COMPLETED may arrive before the TRANSACTION_CREATED event — store events by txId and process once the terminal state is reached
The webhook public key rotates periodically; cache the key with a short TTL and fetch fresh from the console API on verification failure rather than hardcoding it
Webhook delivery is best-effort; for compliance-critical events, supplement webhook processing with periodic polling of GET /v1/transactions?status=BLOCKED&limit=50 to catch any missed compliance-flagged transactions
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp