Saas Ai Webflow Website Datalog Template

Fireblocks

View IntegrationContact Support
Fireblocks lets you restrict each API key to an allowlist of source IPs, and it accepts only exact /32 addresses, with no CIDR or range option. Cloud platforms like Render, Railway, Heroku, Fly.io, and AWS Lambda assign dynamic outbound IPs that change on every deploy, every restart, and sometimes mid-session. A locked-down key then refuses requests that worked yesterday, and there is no provider range you can register as a fallback. Your custody integration breaks.

Built for Fireblocks' per-API-key /32 IP allowlist and institutional custody API calls.

QuotaGuard gives you two fixed /32 IPs that drop straight onto the key's allowlist, the only format Fireblocks accepts. It sits on the API-connectivity layer and never touches your Co-Signer or signing path. Trusted by fintech and institutional teams running production infrastructure since 2013.

  • Two-Minute Setup: Add your QuotaGuard connection URL as the QUOTAGUARDSTATIC_URL environment variable in your app. Configure your HTTP client or the Fireblocks SDK to proxy outbound calls to api.fireblocks.io. Register both static IPs on the API key's allowlist as /32 entries.
  • The Only Format Fireblocks Accepts: Fireblocks rejects CIDR ranges and takes only individual /32 addresses on the allowlist. Your two QuotaGuard IPs are clean /32s, so they register without the workaround a range-based allowlist would tolerate. Add both, since traffic is load-balanced across the pair.
  • Multi-Platform Support: Works whether you host on Heroku, Render, Railway, Fly.io, AWS Lambda, Vercel, Netlify Functions, Kubernetes, or direct VPS. The same configuration applies, and it works with the Fireblocks JavaScript SDKs and the legacy Python SDK, which route outbound calls through the proxy without changing how they sign requests.
  • Production-Grade Reliability: A load-balanced pair of static IPs with automated failover, both registered on the key's allowlist. Because Fireblocks supports idempotency keys, a request that retries through the second IP returns the original response rather than executing a transfer twice, so a custody operation survives a failover safely.
  • Shield for Regulated Custody Data: For SOC 2 or other regulated custody environments, QuotaGuard Shield uses SSL passthrough so QuotaGuard never decrypts the traffic flowing between your app and Fireblocks. The fixed network identity you need, with no third party able to read custody traffic in transit.

Allowlist note: Fireblocks accepts requests from any address only while a key's allowlist is empty. The static IP matters the moment you lock a production key to its allowlist, which is what a custody key should always do. The IP allowlist is separate from destination-address whitelisting, and QuotaGuard is relevant only to the source-IP side, never to the Co-Signer or the signing path.

Comparing platforms? See the complete guide to static IPs on any PaaS platform.

Reliability Engineered for the Modern Cloud

For over a decade, QuotaGuard has provided reliable, high-performance static IP and proxy solutions for cloud environments like Heroku, Kubernetes, and AWS.

Get the fixed identity and security your application needs today.

Start Free TrialTalk to an Engineer