Note
Creating a Fireblocks Cold Wallet workspace requires scheduling onboarding time. For more information, contact your Customer Success Manager.
Overview
In a Cold Wallet workspace, the Transaction Authorization Policy (TAP) rules differ slightly from those in an online signing workspace:
- You can add a single user, multiple users, user groups, or a combination to the Designated Signers column, allowing them to sign Cold Wallet transactions. You must assign each user a Signer role, whether you add them individually or in a user group.
- You cannot add the workspace Owner to the Designated Signers column, individually or in a user group. Owners cannot sign transactions in Cold Wallet workspaces.
- You cannot add API users to the Designated Signers column. Signers must use the Fireblocks Cold Wallet mobile application to complete the signature process. However, you can add API users as non-signing admins if you want them to serve as API co-signers automatically approving workspace operations.
- You cannot add multiple individual users (or a user group) to the Designated Signers column for rules with an exchange or fiat account as the Source. Transfers matching the rule would fail automatically.
You must submit a separate TAP template for your Cold Wallet workspace. Download the Cold Wallet TAP template here. (We recommend using Excel to view its full functionalities.)
After you complete the template, submit it to Fireblocks Support for approval and implementation.
Designated signer groups
A group of designated signers is a user group or multiple users allowed to sign offline for specific transaction types as defined in your Cold Wallet TAP.
Using this type of group accelerates your transaction authorization flow and provides redundancy, allowing any user in the group to sign transactions that match the rule. You can also create semi-automated transaction flows where any group member can sign transactions initiated via API.
How does a group of designated signers work?
Only one person in the group of designated signers can sign a transaction at a time. However, there are a few differences between designated signer groups and individuals:
- When a user submits an offline signing transaction, the transaction card appears in each designated signer's Offline Signing panel, so any signer can initiate signing.
- When they select Sign on a transaction card, the Send Transaction to Mobile Device window opens, where they scan a QR code. The card disappears for other signers. The window may take a few seconds to open. Do not close or refresh the tab, or you will be sent back to the Offline Signing panel, where you must select Sign again to reopen it.
- If the signer who initiated offline signing does not finish the process in a reasonable amount of time, the user can cancel and re-submit the transaction so a different signer can sign it.
Examples: TAP rules with a designated signer group
Companies use inclusionary or exclusionary rules to customize their TAP. This allows multiple ways to ensure transactions match the correct rule. This is important since you cannot add multiple users or a user group to the Designated Signers column for rules with exchanges or fiat accounts in the Source column. Doing so causes transfers matching the rule to fail automatically.
Method 1: Use a group of designated signers only for supported sources
The rules in the table above state:
- Rule 1: This rule allows any transaction of any asset, in an amount greater than $0, from any vault account to any whitelisted destination or one-time address. One member of Group 1 must sign all transactions that match this rule.
- Rule 2: This rule allows any transaction of any asset, in an amount greater than $0, from any source to any whitelisted destination or one-time address. User A must approve all transactions that match this rule.
Therefore, based on the first-match principle, the group of designated signers only signs single transactions if the source is a vault account. User A must approve all transactions from other sources.
Method 2: Excluding a group of designated signers from unsupported sources
The rules in the table above state:
- Rules 1-2: These rules allow any transaction of any asset, in an amount greater than $0, from any exchange or fiat account to any whitelisted destination or one-time address. User A must approve all transactions that match these rules.
- Rule 3: This rule allows any transaction of any asset, in an amount greater than $0, from any source to any whitelisted destination or one-time address. User A must approve all transactions that match this rule and a member from Group 1 must sign them.
Therefore, based on the first-match principle, the group of designated signers only signs transactions if the source is not an exchange or a fiat account.
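The following sketch models both methods above and shows why rule order matters: moving the catch-all group rule to the top sends exchange and fiat transfers to a rule with multiple designated signers, which fails. It is an added example, not Fireblocks code or the TAP template format; the field names, source-type strings, and group member names are assumptions made for illustration.

```python
# Added sketch: a simplified model of first-match TAP evaluation.
# Field names, source-type strings and user names are assumptions, not Fireblocks' format.
from dataclasses import dataclass

NO_GROUP_SOURCES = {"exchange", "fiat"}   # sources where multiple signers fail
GROUP_1 = ("signer-1", "signer-2")        # constructed group members

@dataclass(frozen=True)
class Rule:
    name: str
    source: str              # "vault", "exchange", "fiat" or "any"
    signers: tuple = ()      # Designated Signers column
    approvers: tuple = ()    # users who must approve

def first_match(rules, source_type):
    """Return the first rule, top to bottom, whose Source matches."""
    for rule in rules:
        if rule.source in ("any", source_type):
            return rule
    return None

def evaluate(rules, source_type):
    """Return (rule name, signers, auto_fail) for a transfer from source_type."""
    rule = first_match(rules, source_type)
    if rule is None:
        return (None, (), False)
    # More than one designated signer on an exchange/fiat transfer fails.
    auto_fail = len(rule.signers) > 1 and source_type in NO_GROUP_SOURCES
    return (rule.name, rule.signers, auto_fail)

METHOD_1 = [
    Rule("Rule 1", "vault", signers=GROUP_1),
    Rule("Rule 2", "any", approvers=("User A",)),
]
METHOD_2 = [
    Rule("Rule 1", "exchange", approvers=("User A",)),
    Rule("Rule 2", "fiat", approvers=("User A",)),
    Rule("Rule 3", "any", signers=GROUP_1, approvers=("User A",)),
]
# Same rules as Method 2 with the catch-all moved to the top (misordered).
MISORDERED = [METHOD_2[2], METHOD_2[0], METHOD_2[1]]

if __name__ == "__main__":
    for label, policy in (("method 1", METHOD_1), ("method 2", METHOD_2),
                          ("misordered", MISORDERED)):
        for src in ("vault", "exchange", "fiat"):
            print(label, src, evaluate(policy, src))
```

Running the same source types through a draft policy before submitting the template is a quick way to confirm that no exchange or fiat transfer can reach a rule with a signer group.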