Static IPs for Fireblocks

QuotaGuard gives your Fireblocks API client two fixed /32 outbound IP addresses that drop straight onto each API key's allowlist.

It is built for institutional custody and treasury teams running the Fireblocks API from cloud infrastructure, where the egress IP changes on every deploy and a locked-down key starts refusing requests that worked yesterday.

Diagram showing Bloomberg data entering a shield with a lock, symbolizing secure integration.

Two Fixed /32 IPs That Drop Straight Onto the Allowlist

QuotaGuard assigns your account two static /32 IP addresses that belong to you and never change.

Both are exactly the format Fireblocks wants, so you register the pair on a key's allowlist once and the client is recognized on every request, including under failover.

A Load-Balanced Pair, Both /32, Both on the Allowlist

You get two static IPs in a load-balanced pair, each a clean /32.

Add both to the API key's allowlist, because traffic can leave from either one and registering only a single address is the most common cause of intermittent, hard-to-trace rejections.

With both on the list, the key accepts your client regardless of which IP a given request exits from.

Idempotent Retries Make Failover Safe for Custody

The pair runs behind health checks with automated failover, so if one node goes into maintenance, traffic shifts to the other, which is already on your allowlist.

Fireblocks supports idempotency keys on requests, so a call that retries through the second IP returns the original response rather than executing a transfer twice.

That combination lets a custody operation survive a failover without risking a duplicate transaction.

The Addresses Are Yours and Do Not Change

The two IPs are assigned to your QuotaGuard account, not to your hosting platform.

Redeploy, scale, or change hosts and the address Fireblocks sees is identical, so an allowlist entry you set today is still correct a year from now.

That stability is the entire point against a /32 allowlist that has no tolerance for drift.

Diagram showing data flow from your integration with rotating IPs to QuotaGuard Static, then to Bloomberg Enterprise Console.
Diagram showing data flow from your integration with rotating IPs to QuotaGuard Static, then to Bloomberg Enterprise Console.
Diagram showing data flow from your integration with rotating IPs to QuotaGuard Static, then to Bloomberg Enterprise Console.

One Environment Variable, and Your Signing Path Stays Untouched

QuotaGuard works at the API-connectivity layer.

You route your Fireblocks API calls through it with a single environment variable, and nothing about how transactions are signed or approved changes.

Set the Proxy, Route the Outbound API Calls

Store your QuotaGuard connection string as an environment variable on the host running your Fireblocks client, then send the client's outbound calls to api.fireblocks.io through it.

There is no platform migration and no rebuild, just a fixed source address on every request the client makes.

The proxy operates at the transport layer, so the request body and its signature are carried through unchanged.

QuotaGuard Carries Outbound REST, Not the Co-Signer Callback

The IP allowlist governs your outbound REST calls to the Fireblocks API, and that is the only flow QuotaGuard sits in.

The Co-Signer is a separate component that holds your key shares inside an Intel SGX enclave and signs transactions there, and it talks to its own callback handler, an inbound HTTPS server in your environment that returns approve or reject.

It is provisioned in your own production environment, in your cloud or on-premise, physically separate from the outbound API path QuotaGuard handles. QuotaGuard never touches that signing path or that callback.

Your Transaction-Security Model Is Unchanged

Because QuotaGuard handles only the network path of your API calls, your Co-Signer setup, approval quorums, and key shares stay exactly as they are.

You are adding a fixed network identity for outbound requests, not altering how funds move, how approvals are reached, or where signing happens.

Flowchart showing SSO Host and Data Host integration through QuotaGuard Static for Bloomberg access.

Shield for Custody-Grade Compliance

Static satisfies the Fireblocks allowlist.

For an institutional custody or treasury operation, QuotaGuard Shield is the stronger choice, because it changes what the proxy is able to see.

SSL Passthrough, So QuotaGuard Never Decrypts Custody Traffic

Shield uses SSL passthrough and does not decrypt the traffic between your app and Fireblocks.

The encrypted session terminates at Fireblocks rather than at the proxy, so your requests, responses, and credentials are never exposed at the network hop.

The proxy gives you a fixed identity while remaining blind to the contents of the connection.

A Defensible Posture for SOC 2 and Regulated Desks

When your workspace handles regulated assets or operates under SOC 2 or comparable obligations, a network provider that cannot read the traffic is far easier to place in your architecture than one that terminates TLS.

Shield is built for that constraint, so adding a fixed egress identity does not introduce a new party that can see custody data.

If your framework also cares where egress originates, you can choose a US or EU region so the fixed IP sits in that jurisdiction. That keeps a security improvement from creating a compliance question.

When Auditors Review Your Third-Party Network Paths

Custody and SOC 2 reviews examine every third party in the data path and ask what each one can access.

With Shield you can add a fixed network identity for Fireblocks and state plainly that the provider in that path has no access to the data in transit.

That is the answer an auditor is looking for, and it is true by design rather than by policy.

Map of Europe highlighting EU Region, Dedicated EU IPs, and Data Residency Add-on features with metadata note.
Map of Europe highlighting EU Region, Dedicated EU IPs, and Data Residency Add-on features with metadata note.
Map of Europe highlighting EU Region, Dedicated EU IPs, and Data Residency Add-on features with metadata note.

FAQs

Common questions about Fireblocks static IPs and QuotaGuard.

Does my Fireblocks integration actually need a static IP?

It does the moment you allowlist IPs on an API key.

Fireblocks accepts requests from any address only while a key's allowlist is empty, which is acceptable in a sandbox but not for a production custody key that should never be reachable from an arbitrary IP.

As soon as you tighten that key, your client has to present a fixed address on every call, and a cloud host's rotating egress cannot.

A static IP is what lets you lock the key down and keep the integration working.

Why can't I just allowlist my cloud provider's IP range on Fireblocks?

Because Fireblocks accepts only /32 addresses on the allowlist.

There is no CIDR or subnet option, so you cannot register a provider's published range as a fallback for rotating egress the way you might on a service that allows blocks.

The only thing the allowlist will take is one or more specific /32 IPs, which is exactly what QuotaGuard provides as a fixed pair.

That restriction is deliberate on Fireblocks' part, since a broad range would weaken the control it is meant to enforce.

How do I add QuotaGuard's IPs to a Fireblocks API key?

In the Fireblocks Console, open the API key's settings and add both of your QuotaGuard static IPs to its IP allowlist as /32 entries.

Add both, since traffic is load-balanced and can leave from either address, and registering only one is a common cause of intermittent rejections.

Then route your client's calls to api.fireblocks.io through QuotaGuard, and every request will arrive from an allowlisted address. The allowlist is per key, so repeat this for each key that runs from the same client.

Is the IP allowlist the same as whitelisting destination addresses in Fireblocks?

No, and it is worth keeping them separate because both use the word whitelist.

The IP allowlist controls which source addresses are allowed to call the API, which is what QuotaGuard's static IPs satisfy.

Destination address whitelisting is a different feature that controls which addresses you can send assets to, and it goes through the Admin Quorum approval process, with the One Time Address feature as an alternative for non-whitelisted destinations.

QuotaGuard is relevant only to the first one, the source-IP allowlist.

Should I use QuotaGuard Static or Shield for Fireblocks?

Static satisfies the allowlist and is enough to make the connection work.

For institutional custody, Shield is the stronger choice, because it uses SSL passthrough and never decrypts the traffic between your app and Fireblocks.

If your workspace is under SOC 2 or similar review, or your policy requires that no third party in the path can read custody traffic, choose Shield.

Both give you the same fixed /32 IPs, so the decision is about what the proxy is permitted to see, not about connectivity.

Does QuotaGuard touch my Co-Signer or my signing keys?

No. QuotaGuard carries your outbound REST calls to the Fireblocks API at the network layer and nothing else.

It does not sit in the Co-Signer path, does not see your key shares, and does not participate in signing or in the Co-Signer's approve-or-reject callback.

You are adding a fixed network identity for API requests, and your transaction-security model is entirely unchanged.

Does this work with the Fireblocks Python and JavaScript SDKs?

Yes, with one caveat.

The Fireblocks JavaScript SDKs and the legacy Python SDK route through the proxy with their normal settings, and the RSA-signed authentication is unaffected because the proxy changes only the source IP, not the signed request.

The newer Python SDK does not expose a proxy setting, so for that one you route through the legacy Python SDK or apply a host-level proxy.

Either way your calls exit from your two static IPs.

Will routing through a proxy cause an "Unauthorized: Token was not accepted" error?

No, those are two unrelated problems.

A token-not-accepted error means the API key or the RSA signature on the request is wrong, which is an authentication issue you would see with or without a proxy.

An IP-related refusal comes from the allowlist and is about where the request originated.

QuotaGuard addresses the source-IP side and has no effect on signing, so a request that authenticates correctly today will still authenticate correctly through the proxy.

Can I get dedicated IPs for Fireblocks?

Yes, on QuotaGuard Enterprise plans.

Dedicated IPs are reserved for your account and shared with no other QuotaGuard customer, which is appropriate when a custody key's allowlist should be satisfiable only by traffic that is yours.

Request them from support after signup with your username and region.

For most teams the standard pair is sufficient, but dedicated IPs are there when a review specifically calls for them.

Does QuotaGuard work across multiple API keys or workspaces?

Yes.

The same pair of IPs can sit on the allowlist of every key that runs from one client, or you can give a separate workspace its own subscription and its own pair for stricter isolation.

The allowlist is per key, so you control exactly which keys recognize your QuotaGuard identity.

When you need to update IPs, Fireblocks can list the keys paired to a given Co-Signer, which makes finding every affected allowlist straightforward.

Does QuotaGuard handle Fireblocks webhooks?

QuotaGuard covers the outbound direction, your client calling the Fireblocks API.

Fireblocks webhooks flow the other way, from Fireblocks to an endpoint you host, and that direction needs a publicly reachable URL rather than an outbound allowlist entry.

If you want a fixed inbound endpoint for that traffic for your own security or compliance reasons, QuotaGuard Static includes inbound proxy capability on direct plans starting at $19 a month.

The Co-Signer's callback handler is a separate inbound server again, and QuotaGuard does not sit in that path.

Still have questions?

We don’t outsource Support to non-Engineers.

Reach out directly to the Engineers who built Shield to discuss your specific architecture, integration challenges, or compliance constraints here 👇

Contact

🚀 Ready to Get Started? Choose Your QuotaGuard Path

QuotaGuard STATIC

Why: You need a rock-solid, fixed IP for general API access, AI workflows, or standard third-party integrations.
Best For: Developers, startups, and general application connectivity.
Key Feature: SOCKS5 support for secure database access.
Sign Up for QG Static for ServiceNow

QuotaGuard SHIELD

Why: You handle HIPAA, PCI, or sensitive PII data and require End-to-End Encryption (E2EE) for full compliance.
Best For: Regulated industries, financial services, and healthcare.
Key Feature: SSL Passthrough and key isolation.
Sign Up for QG Shield for ServiceNow

Trusted by Engineering Teams Everywhere

Reliability Engineered for the Modern Cloud

For over a decade, QuotaGuard has provided reliable, high-performance static IP and proxy solutions for cloud environments like Heroku, Kubernetes, and AWS.

Get the fixed identity and security your application needs today.

Start Free TrialTalk to an Engineer