Complete the TxB onboarding process to receive API credentials; generate client certificates through the GS developer portal, configure mutual TLS on your HTTP client using the client certificate and private key, and provide your outbound IP CIDR ranges to Goldman Sachs for allowlisting
Authenticate API calls by presenting the client certificate in the TLS handshake; for operations on higher-value or third-party accounts, include a signed JWT in the authentication parameter to satisfy step-up authentication requirements
Create a multi-currency account (MCA) if you need a single account number to consolidate payments and receipts across multiple currencies; the MCA create endpoint returns a virtual account for each currency denomination associated with a single account reference
Originate a domestic or international payment by POST to the payments origination endpoint, specifying payment method (ACH, wire, or real-time rail), debit account reference, beneficiary account details, amount, currency, and your unique end-to-end reference; record the TxB transaction ID returned for tracking
Poll the account balances endpoint to retrieve current ledger and available balances for cash-position reporting; the balance response includes intraday postings reflecting payments originated and received since the prior business day close
Subscribe to TxB webhooks or use the transaction reporting API to retrieve a real-time feed of account activity for reconciliation; TxB also supports BAI2 and ISO camt.053 file delivery via SFTP for treasury management system integration
Known gotchas
Mutual TLS certificate expiry is a common production outage cause — GS-issued client certificates have finite validity periods; implement certificate rotation automation and set alerts well before expiry rather than relying on connection errors to detect expired certificates
TxB IP allowlisting is enforced at the network perimeter — any outbound IP change in your infrastructure (new NAT gateway, cloud region failover) will silently block all API calls until the new IP range is added to the allowlist; include IP range management in your infrastructure change process
TxB's step-up authentication JWT requirement is endpoint-specific and not uniformly documented; encountering an authentication rejection on an endpoint that previously worked may indicate that Goldman Sachs added step-up authentication to that endpoint — check the changelog and renegotiate authentication scope with your relationship manager
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp