Authenticate with JWT signed by your RSA private key; set X-API-Key header to YOUR_API_KEY and Authorization header to Bearer YOUR_JWT_TOKEN
POST /v1/vault/accounts with body {"name": "<account_name>", "hiddenOnUI": false} to create the vault account; capture vaultAccountId from response
POST /v1/vault/accounts/{vaultAccountId}/{assetId} (e.g. assetId=ETH) with empty body {} to create the asset wallet under the vault account
If the asset requires on-chain activation, call POST /v1/vault/accounts/{vaultAccountId}/{assetId}/activate; poll GET /v1/vault/accounts/{vaultAccountId}/{assetId} until status is READY
Call POST /v1/vault/accounts/{vaultAccountId}/{assetId}/addresses with {"description": "<label>"} to generate a deposit address
Subscribe to webhook events (VAULT_ACCOUNT_ADDED, TRANSACTION_CREATED) at POST /v1/webhooks to receive real-time asset confirmations
Known gotchas
UTXO-based assets (BTC, LTC) require explicit address derivation via POST .../addresses; account-based assets (ETH, MATIC) auto-generate one address — calling addresses again creates a new address on the same account
The JWT expiry must be within 30 seconds of Fireblocks server time; clock skew causes 401 errors that are easily misdiagnosed as key issues
Asset IDs are Fireblocks-internal strings (e.g. ETH, BTC, USDC_ETH) — they differ from on-chain contract addresses; using the wrong ID returns 400 ASSET_NOT_SUPPORTED
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp