@fireblocks/fireblocks-cli
Advanced tools
Agent-first CLI for Fireblocks infrastructure. Execute any Fireblocks API operation from the command line.
Command-line interface for the Fireblocks API. Configure once, invoke any Fireblocks operation from your terminal or AI agent.
Commands are generated from the Fireblocks OpenAPI spec, so every endpoint is reachable and new endpoints appear automatically when the CLI updates. Authentication and JWT request signing are handled for you.
brew tap fireblocks/fireblocks-cli
brew install fireblocks-cli
npm install -g @fireblocks/fireblocks-cli
Download the latest release for your platform from GitHub Releases. No Node.js required.
| Architecture | Installer | Tarball |
|---|---|---|
| ARM64 (Apple Silicon) | fireblocks-v*-arm64.pkg | fireblocks-v*-darwin-arm64.tar.gz |
| x64 (Intel) | fireblocks-v*-x64.pkg | fireblocks-v*-darwin-x64.tar.gz |
| Architecture | Installer | Tarball |
|---|---|---|
| x64 | fireblocks-v*-x64.exe | fireblocks-v*-win32-x64.tar.gz |
Note: If the installer shows "PATH not updated" during installation, your system PATH exceeds Windows' 1024-character limit. Use
npm install -g @fireblocks/fireblocks-cliinstead, or manually addC:\Program Files\fireblocks\binto your PATH after installing.
| Architecture | .deb (Ubuntu / Debian) | Tarball |
|---|---|---|
| x64 | fireblocks-v*-amd64.deb | fireblocks-v*-linux-x64.tar.gz |
| ARM64 | fireblocks-v*-arm64.deb | fireblocks-v*-linux-arm64.tar.gz |
Tarballs are also available as .tar.xz for smaller downloads.
To verify a download, compare the sha256 shown on the release page against:
# macOS / Linux
sha256sum <downloaded-file>
# macOS alternative
shasum -a 256 <downloaded-file>
# 1. Configure your API key and secret (from the Fireblocks Console)
fireblocks configure
# 2. Verify credentials
fireblocks whoami
# 3. Make a request
fireblocks vaults get-paged-vault-accounts
# 4. Discover the API
fireblocks help-index
fireblocks configure — Manage credentialsInteractive setup that stores your API key ID and RSA secret in ~/.config/fireblocks/config.json. For agents and CI, use env vars or flags instead (see Authentication).
fireblocks configure # set up the default profile
fireblocks configure --profile profile-name # named profile for multi-env setups
fireblocks configure --set-default=profile-name # switch the default profile without re-entering credentials
When configuring a second profile you are asked whether to make it the default. The config always stores the baseUrl explicitly so the file is self-describing.
fireblocks whoami — Show current profilePrints the default profile name, masked API key, and base URL from the local config file. No API call is made.
fireblocks whoami
Example output:
{
"defaultProfile": "default",
"apiKey": "apiKey",
"baseUrl": "https://api.fireblocks.io"
}
fireblocks <namespace> <action> — API operationsCommands are generated from the Fireblocks OpenAPI spec. OpenAPI path parameters become required flags (kebab-case); query parameters become optional flags. Write ops take the body as --data '<json>'.
# Reads
fireblocks vaults get-paged-vault-accounts
fireblocks vaults get-vault-account --vault-account-id 0
# Writes (include --no-confirm for non-interactive)
fireblocks transactions create-transaction \
--data '{"assetId":"BTC","amount":"0.01","source":{"type":"VAULT_ACCOUNT","id":"0"},"destination":{"type":"VAULT_ACCOUNT","id":"1"}}' \
--no-confirm
# Idempotent retries
fireblocks transactions create-transaction \
--data '{...}' \
--idempotency-key "$(uuidgen)" --no-confirm
Global flags:
| Flag | Env Var | Purpose |
|---|---|---|
--api-key | FIREBLOCKS_API_KEY | API key ID |
--secret-key | FIREBLOCKS_SECRET_KEY / FIREBLOCKS_SECRET_KEY_PATH | RSA private key (PEM string or path) |
--base-url | FIREBLOCKS_BASE_URL | Override endpoint (default https://api.fireblocks.io, sandbox https://sandbox-api.fireblocks.io) |
--profile | Named config profile | |
--data | JSON body for write operations | |
--idempotency-key | UUID for safe retries of write operations | |
--no-confirm | Skip confirmation prompt on writes | |
--dry-run | Print the assembled request without sending | |
--debug | Log request/response details to stderr | |
--output | Output format: json (default) or yaml |
fireblocks help-index — Discover the APIhelp-index prints a compact JSON manifest of every resource and action the CLI exposes — under 2K tokens for the full catalog. Designed for agents: one call gives enough to plan, without loading per-resource docs upfront.
fireblocks help-index # all resources and actions
fireblocks vaults --help # detail for one namespace
fireblocks vaults get-vault-account --help # detail for one action
fireblocks vaults get-vault-account --dry-run # preview the request
Progressive disclosure: start narrow with --help, widen to help-index only when you need to find something.
Credentials resolve in this order (highest priority first):
--api-key, --secret-keyFIREBLOCKS_API_KEY + (FIREBLOCKS_SECRET_KEY | FIREBLOCKS_SECRET_KEY_PATH)~/.config/fireblocks/config.json (select with --profile <name>)fireblocks configure is interactive-only. Agents and CI must use flags or env vars.
Write operations run against your workspace's Transaction Authorization Policy (TAP). The CLI submits requests; TAP decides whether they require co-signer or admin approval. The CLI is not a security boundary — TAP is. Treat CLI credentials with the same care you'd treat any key into a custody platform.
Errors are structured JSON on stderr:
{"code": 5, "status": 429, "message": "Rate limit exceeded", "request_id": "abc-123", "retry_after": 30}
Exit codes:
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Client error (400/409/422) |
| 2 | Usage/parse error |
| 3 | Auth error (401/403) |
| 4 | Not found (404) |
| 5 | Rate limited (429) — retry after retry_after seconds |
| 6 | Server error (500+) |
| 7 | Timeout (30s) |
The CLI is designed to be driven by coding agents (Claude Code, Cursor, Devin). Install the CLI, then drop SKILL.md into your agent's skills directory. Agents will:
help-indexretry_after# List vault accounts, filter with jq, pipe to the next command
fireblocks vaults get-paged-vault-accounts \
| jq -r '.accounts[] | select(.assets[].balance > 0) | .id'
For agent workflows that benefit from typed tool schemas, use Fireblocks AI Link MCP. Use the CLI for leaf operations, scripts, and any time ambient schema tokens aren't worth the context cost. The two are designed to coexist.
Issues and PRs welcome at github.com/fireblocks/fireblocks-cli.
FAQs
Agent-first CLI for Fireblocks infrastructure. Execute any Fireblocks API operation from the command line.
The npm package @fireblocks/fireblocks-cli receives a total of 43 weekly downloads. As such, @fireblocks/fireblocks-cli popularity was classified as not popular.
We found that @fireblocks/fireblocks-cli demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 7 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub Actions checkout now blocks risky pull_request_target checkouts by default to help prevent pwn request supply chain attacks.
Product
Socket now supports Custom Roles and Repository Access Permissions so organizations can control who can access specific repositories and actions.
Product
Socket MCP now lets AI assistants review org alerts, investigate threats using the Socket threat feed, and inspect package files in addition to dependency scoring.