Callbacks
/
TRANSFER_RESOLUTION callback

Travel Rule Protocol (TRP) API (3.2.1)

Public TRP API for VASP-to-VASP Travel Rule data exchange.

Working with the documentation

This section describes the public endpoints of the Travel Rule Protocol (TRP) Registry API. These endpoints allow third-party systems and Virtual Asset Service Providers (VASPs) to discover, identify and register participants in the TRP network.

The API follows REST conventions and returns responses in JSON format. All requests should be made over HTTPS.

Introduction: How the TRP Public API Works

The TRP API enables VASPs to:

  • Authenticate using API keys
  • Generate unique Travel Addresses for beneficiaries
  • Initiate Travel Rule transfers
  • Exchange originator and beneficiary data securely
  • Receive callback notifications from TRP during the verification process

TRP follows global compliance standards (FATF, IVMS101) and ensures secure, encrypted communication between VASPs.

Every integration follows one simple flow:

  1. Request JWT token → authenticate your VASP
  2. Generate Travel Address → unique identifier for the beneficiary VASP
  3. Initiate Transfer → send IVMS101-compliant data
  4. Receive callback → TRP sends status updates to your backend

Authentication Overview

Before calling any protected endpoint, your system must generate a JWT access token using your API Key. This ensures:

  • Secure API access
  • Verified VASP identity
  • Ability to track API usage
  • Authorization for initiating Travel Rule transfers

The access token is short-lived (TTL ≈ 1 hour) for security reasons. Pass it as Authorization: Bearer <jwt> on every protected endpoint.

Conventions

  • All bodies are application/json unless explicitly stated.
  • Successful responses are wrapped in { "status": true, "data": ... }.
  • Errors are wrapped in { "status": false, "errors": [{ "code", "message" }] }.
  • Timestamps use ISO-8601 in UTC.
  • Country codes follow ISO-3166-1 alpha-2.
Download OpenAPI description
openapi.json
openapi.yaml
Overview
URL

https://docs.travel-rule.com

KYCAID TRP Team

support@travel-rule.com

License

Proprietary

Languages
Servers
Production public API host

https://trp.travel-rule.com/

http://localhost:3000/

Identity

Public identity endpoints. These return non-sensitive VASP metadata (legal name, LEI, x509 public key) and server health. They do not require authentication.

Operations

Auth

Authentication endpoints. Use your API Key (issued in the TRP dashboard) to obtain a short-lived JWT that authorises every protected call.

Operations

Address

Travel Address endpoints. A Travel Address is an opaque, URL-safe encoding of a beneficiary VASP route. It is generated by the beneficiary VASP and shared with the originator VASP so that IVMS101 data can be routed back.

Operations

Transfer

High-level Travel Rule transfer operations from the originator VASP perspective. Transfers can flow two ways depending on what was provided at initiation:

  • OPEN_VASP — beneficiary VASP is reachable via Travel Address.
  • EMAIL — beneficiary VASP is unknown; we send an email so the recipient can self-attest.
Operations

Compliance

Inter-VASP compliance endpoints called when TRP routes data between participating VASPs. They are typically invoked by other VASPs / TRP itself, not by your front-end.

Operations

Discovery

Look up other VASPs in the TRP registry by domain, LEI, name, email, or directory ID.

Operations

Callbacks

Webhooks

Callbacks

TRP delivers asynchronous updates to your callback URL via signed POST requests. Each callback is queued and retried with exponential backoff.

Retry schedule

The KYCAID TRP backend retries failed callbacks at:

1m → 5m → 15m → 30m → 1h → 3h → 6h → 12h → 24h

After 9 unsuccessful attempts the callback is marked FAILED and dropped.

Signature verification

Every callback ships an x-data-integrity header computed as:

HMAC-SHA512( BASE64( request_body ), customer_signing_secret )

Pseudocode:

import crypto from 'node:crypto';

function verify(rawBody, signatureHeader, secret) {
    const base64 = Buffer.from(rawBody, 'utf8').toString('base64');
    const expected = crypto
        .createHmac('sha512', secret)
        .update(base64)
        .digest('hex');
    return crypto.timingSafeEqual(
        Buffer.from(expected),
        Buffer.from(signatureHeader),
    );
}

Callback types

TypeWhenBody
INQUIRYSent by originator VASP to beneficiary VASP after transfers/initiate.{ asset, amount, callback, IVMS101 }
INQUIRY_RESOLUTIONSent by beneficiary VASP back to originator.{ approved, callback }
TRANSFER_RESOLUTIONSent to the originator's callback once the beneficiary VASP approves.{ transferId, status, statusComment, callback }
TRANSFER_CONFIRMATIONSent to the beneficiary's stored callback once txId is broadcast.{ txid }

Respond with 2xx to acknowledge. Any non-2xx response is retried per the schedule above.

INQUIRY callbackWebhook

Request

Delivered to the beneficiary VASP after a successful transfers/initiate in OPEN_VASP flow. Respond with 2xx to acknowledge; non-2xx responses are retried per the schedule in Callbacks.

Security
BearerAuth
Bodyapplication/jsonrequired
assetstring
amountstring
callbackstring

URL that the beneficiary VASP must call back with inquiryResolution.

IVMS101object(IVMS101Originator)

Full IVMS101 originator envelope sent in callbacks. Mirrors the originatingVASP and originator fields used by the KYCAID TRP backend.

application/json
{
  "asset": "string",
  "amount": "string",
  "callback": "string",
  "IVMS101": {
    "originator": { … },
    "beneficiary": { … },
    "originatingVASP": { … },
    "beneficiaryVASP": { … }
  }
}

Responses

Acknowledged.

INQUIRY_RESOLUTION callbackWebhook

Request

Delivered to the originator VASP once the beneficiary VASP resolves the inquiry.

Security
BearerAuth
Bodyapplication/jsonrequired
approvedstring or objectrequired

Either a plain wallet address string, or a structured object with an address and an optional callback override.

One of:

Either a plain wallet address string, or a structured object with an address and an optional callback override.

<= 100 characters
string<= 100 characters

Either a plain wallet address string, or a structured object with an address and an optional callback override.

callbackstring^https?:\/\/.+$

Optional override for the next callback URL.

application/json
{
  "approved": "bc1qxy2…",
  "callback": "string"
}

Responses

Acknowledged.

TRANSFER_RESOLUTION callbackWebhook

Request

Delivered to the originator's callback URL once the beneficiary VASP approves the transfer. The body includes a callback field — the URL to which the originator must later POST the on-chain txId.

Security
BearerAuth
Bodyapplication/jsonrequired
transferIdstring(uuid)
statusstring(TransferStatus)

Lifecycle state of a Travel Rule transfer (Prisma TransferStatus enum).

  • PENDING — initial state after transfers/initiate, waiting for the beneficiary VASP to resolve the inquiry.
  • APPROVED — beneficiary VASP confirmed the destination wallet via inquiryResolution.
  • REJECTED — beneficiary VASP refused the transfer.
  • COMPLETED — the on-chain transaction was broadcast and confirmed.
  • CANCELLED — the originator cancelled before completion.
Enum"PENDING""APPROVED""REJECTED""COMPLETED""CANCELLED"
statusCommentstring or null
callbackstring

URL the originator must POST the txId to once broadcast.

application/json
{
  "transferId": "e240f72a-b0bc-4f57-ab86-5b78f1d8ea9b",
  "status": "PENDING",
  "statusComment": "string",
  "callback": "string"
}

Responses

Acknowledged.

TRANSFER_CONFIRMATION callbackWebhook

Request

Delivered to the beneficiary's stored confirmation URL once the originator submits txId. Final stage of the Travel Rule exchange.

Security
BearerAuth
Bodyapplication/jsonrequired
txidstring

Final on-chain transaction id.

application/json
{
  "txid": "string"
}

Responses

Acknowledged.