Access Control
Last updated: February 2, 2026
Key Management and API Key Safety
Environment separation: Use distinct API keys for sandbox (testing) vs production (live transactions)
Bearer token authentication: All API requests require your API key in the Authorization header
Keep keys secure: Never expose API keys in client-side code or public repositories
Roles, Permissions, and Approvals
Admin roles: Admins can approve or reject pending transfers
Approval workflows: Configure transfer approvals to require manual review before execution
Control access through three permission levels:
Role | Access Level |
Admin | Complete access. Can manage users, wallets, transactions, API keys, team roles, approval workflows, and billing. |
Member | Operational access. Can manage users and accounts but requires approval for transfers. Cannot update business settings or view billing. |
Analyst | Read-only access. Can view all data but cannot create or modify anything. |
Transaction Approval and Controls
Transfer Approvals provide control over outgoing transactions:
Setting | Description |
Approval required | Transfers wait in |
Expiration | On-chain transfers expire after 1 week; offramps after 1 day |
Approve/Reject | Admins can approve (executes transfer) or reject (cancels and returns funds) |
Transfers, bridging, and offramps support an optional approval workflow. When enabled (requireApproval: true), transactions enter PENDING_APPROVAL status and must be approved by an admin before execution.
Admins receive email notifications for pending approvals
Approved transactions execute immediately
Rejected transactions are cancelled
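The approval workflow and role rules above, modelled as an added example for reasoning about who may act and when (this is not the provider's own code or API). Only PENDING_APPROVAL, the three role names and the expiry windows come from this page; the function names, the other status names, the transfer-kind labels, and the reading that a Member's transfer always waits for approval are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Expiry windows stated on the page; the kind names are assumed labels.
EXPIRY = {"onchain": timedelta(weeks=1), "offramp": timedelta(days=1)}
CAN_CREATE = {"Admin", "Member"}   # Analyst is read-only
CAN_DECIDE = {"Admin"}             # only Admins approve or reject


@dataclass
class Transfer:
    kind: str
    created_by: str
    created_at: datetime
    status: str  # PENDING_APPROVAL is from the page; other names are assumed


def submit(role, kind, require_approval, now):
    """Create a transfer; deny roles that may not create one."""
    if role not in CAN_CREATE:
        raise PermissionError(f"{role} cannot create transfers")
    if kind not in EXPIRY:
        raise ValueError(f"unknown transfer kind: {kind}")
    # Assumed reading of the role table: a Member's transfer always waits.
    pending = require_approval or role == "Member"
    return Transfer(kind, role, now, "PENDING_APPROVAL" if pending else "EXECUTED")


def decide(transfer, role, approve, now):
    """Apply an approve/reject decision, failing closed on every other path."""
    if role not in CAN_DECIDE:
        raise PermissionError(f"{role} cannot approve or reject transfers")
    if transfer.status != "PENDING_APPROVAL":
        raise ValueError(f"transfer is {transfer.status}, not pending")
    if now - transfer.created_at > EXPIRY[transfer.kind]:
        transfer.status = "EXPIRED"  # a late approval must not execute
        return transfer
    transfer.status = "EXECUTED" if approve else "CANCELLED"
    return transfer
```

A model like this is useful as a test oracle: replay the same role and timing cases against the sandbox environment and compare the resulting statuses.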
Compliance controls include:
KYC/KYB verification requirements
PEP (Politically Exposed Persons) screening
Prohibited industry restrictions