Auth
/
Authentication header

Travel Rule Protocol (TRP) API (3.2.1)

Public TRP API for VASP-to-VASP Travel Rule data exchange.

Working with the documentation

This section describes the public endpoints of the Travel Rule Protocol (TRP) Registry API. These endpoints allow third-party systems and Virtual Asset Service Providers (VASPs) to discover, identify and register participants in the TRP network.

The API follows REST conventions and returns responses in JSON format. All requests should be made over HTTPS.

Introduction: How the TRP Public API Works

The TRP API enables VASPs to:

  • Authenticate using API keys
  • Generate unique Travel Addresses for beneficiaries
  • Initiate Travel Rule transfers
  • Exchange originator and beneficiary data securely
  • Receive callback notifications from TRP during the verification process

TRP follows global compliance standards (FATF, IVMS101) and ensures secure, encrypted communication between VASPs.

Every integration follows one simple flow:

  1. Request JWT token → authenticate your VASP
  2. Generate Travel Address → unique identifier for the beneficiary VASP
  3. Initiate Transfer → send IVMS101-compliant data
  4. Receive callback → TRP sends status updates to your backend

Authentication Overview

Before calling any protected endpoint, your system must generate a JWT access token using your API Key. This ensures:

  • Secure API access
  • Verified VASP identity
  • Ability to track API usage
  • Authorization for initiating Travel Rule transfers

The access token is short-lived (TTL ≈ 1 hour) for security reasons. Pass it as Authorization: Bearer <jwt> on every protected endpoint.

Conventions

  • All bodies are application/json unless explicitly stated.
  • Successful responses are wrapped in { "status": true, "data": ... }.
  • Errors are wrapped in { "status": false, "errors": [{ "code", "message" }] }.
  • Timestamps use ISO-8601 in UTC.
  • Country codes follow ISO-3166-1 alpha-2.
Download OpenAPI description
openapi.json
openapi.yaml
Overview
URL

https://docs.travel-rule.com

KYCAID TRP Team

support@travel-rule.com

License

Proprietary

Languages
Servers
Production public API host

https://trp.travel-rule.com/

http://localhost:3000/

Identity

Public identity endpoints. These return non-sensitive VASP metadata (legal name, LEI, x509 public key) and server health. They do not require authentication.

Operations

Auth

Authentication endpoints. Use your API Key (issued in the TRP dashboard) to obtain a short-lived JWT that authorises every protected call.

Operations

Authentication header

You may pass the API Key in either of these headers:

x-api-key: <YOUR_API_KEY>

or

Authorization: ApiKey <YOUR_API_KEY>

Once you receive the JWT, all subsequent calls must include:

Authorization: Bearer <JWT>

Generate JWT access token

Request

Exchanges your API Key for a short-lived JWT access token (tokenType: Bearer, TTL ≈ 1 hour).

Send the API Key in one of these headers:

  • x-api-key: <YOUR_API_KEY>, or
  • Authorization: ApiKey <YOUR_API_KEY>.

The response includes both the absolute expiration timestamp and the relative TTL in seconds.

Security
ApiKey or ApiKeyAuth
curl -i -X POST \
  https://trp.travel-rule.com/auth/token \
  -H 'x-api-key: YOUR_API_KEY_HERE'

Responses

A new JWT access token.

Bodyapplication/json
accessTokenstring

JWT signed with the TRP service key.

expiresIninteger

TTL in seconds.

Example: 3600
expiresAtstring(date-time)
tokenTypestring
Value "Bearer"
Response
application/json
{
  "accessToken": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9…",
  "expiresIn": 3600,
  "expiresAt": "2026-05-11T10:00:00.000Z",
  "tokenType": "Bearer"
}

Address

Travel Address endpoints. A Travel Address is an opaque, URL-safe encoding of a beneficiary VASP route. It is generated by the beneficiary VASP and shared with the originator VASP so that IVMS101 data can be routed back.

Operations

Transfer

High-level Travel Rule transfer operations from the originator VASP perspective. Transfers can flow two ways depending on what was provided at initiation:

  • OPEN_VASP — beneficiary VASP is reachable via Travel Address.
  • EMAIL — beneficiary VASP is unknown; we send an email so the recipient can self-attest.
Operations

Compliance

Inter-VASP compliance endpoints called when TRP routes data between participating VASPs. They are typically invoked by other VASPs / TRP itself, not by your front-end.

Operations

Discovery

Look up other VASPs in the TRP registry by domain, LEI, name, email, or directory ID.

Operations

Callbacks

Webhooks