Edit a comment

Travel Rule Protocol (TRP) API (3.2.1)

Public TRP API for VASP-to-VASP Travel Rule data exchange.

Working with the documentation

This section describes the public endpoints of the Travel Rule Protocol (TRP) Registry API. These endpoints allow third-party systems and Virtual Asset Service Providers (VASPs) to discover, identify and register participants in the TRP network.

The API follows REST conventions and returns responses in JSON format. All requests should be made over HTTPS.

Introduction: How the TRP Public API Works

The TRP API enables VASPs to:

Authenticate using API keys
Generate unique Travel Addresses for beneficiaries
Initiate Travel Rule transfers
Exchange originator and beneficiary data securely
Receive callback notifications from TRP during the verification process

TRP follows global compliance standards (FATF, IVMS101) and ensures secure, encrypted communication between VASPs.

Every integration follows one simple flow:

Request JWT token → authenticate your VASP
Generate Travel Address → unique identifier for the beneficiary VASP
Initiate Transfer → send IVMS101-compliant data
Receive callback → TRP sends status updates to your backend

Authentication Overview

Before calling any protected endpoint, your system must generate a JWT access token using your API Key. This ensures:

Secure API access
Verified VASP identity
Ability to track API usage
Authorization for initiating Travel Rule transfers

The access token is short-lived (TTL ≈ 1 hour) for security reasons. Pass it as Authorization: Bearer <jwt> on every protected endpoint.

Conventions

All bodies are application/json unless explicitly stated.
Successful responses are wrapped in { "status": true, "data": ... }.
Errors are wrapped in { "status": false, "errors": [{ "code", "message" }] }.
Timestamps use ISO-8601 in UTC.
Country codes follow ISO-3166-1 alpha-2.

Download OpenAPI description

openapi.json

openapi.yaml

Overview

URL

https://docs.travel-rule.com

KYCAID TRP Team

support@travel-rule.com

License

Proprietary

Servers

Production public API host

https://trp.travel-rule.com/

http://localhost:3000/

Identity

Public identity endpoints. These return non-sensitive VASP metadata (legal name, LEI, x509 public key) and server health. They do not require authentication.

Operations

Auth

Authentication endpoints. Use your API Key (issued in the TRP dashboard) to obtain a short-lived JWT that authorises every protected call.

Operations

Address

Travel Address endpoints. A Travel Address is an opaque, URL-safe encoding of a beneficiary VASP route. It is generated by the beneficiary VASP and shared with the originator VASP so that IVMS101 data can be routed back.

Operations

Transfer

High-level Travel Rule transfer operations from the originator VASP perspective. Transfers can flow two ways depending on what was provided at initiation:

OPEN_VASP — beneficiary VASP is reachable via Travel Address.
EMAIL — beneficiary VASP is unknown; we send an email so the recipient can self-attest.

Operations

Initiate Travel Rule transfer

Request

Main Travel Rule operation. Submits originator and beneficiary applicants, asset, amount, and optional routing info (travelAddress or email).

Flow selection

Provided fields	Resulting `flow`
`travelAddress`	`OPEN_VASP`
only `email` (top-level or `beneficiary.email`)	`EMAIL`

What TRP does next

Persists the transfer with APPROVED originator status.
Resolves originator and beneficiary VASP IDs.
In OPEN_VASP flow, queues an INQUIRY callback to the beneficiary VASP endpoint (extracted from the Travel Address).
In EMAIL flow, sends a confirmation email and flips isEmailDelivered once Mailjet acks.

Security

BearerAuth

Bodyapplication/jsonrequired

travelAddressstring[ 1 .. 200 ] characters

Encoded Travel Address routing the request to the beneficiary VASP.

emailstring(email)<= 255 characters

Top-level recipient email (used in EMAIL flow if beneficiary.email is empty).

assetstring[ 1 .. 20 ] charactersrequired

Example: "BTC"

amountstring[ 1 .. 20 ] charactersrequired

Asset amount as a decimal string (e.g. 0.05). The backend validates only the length range (1..20) on this endpoint — pattern validation kicks in on the transfers/inquiry callback.

Example: "0.05"

callbackstring^https?:\/\/.+$

HTTPS callback URL that will receive TRANSFER_RESOLUTION updates.

dtistring<= 50 characters

Digital Token Identifier (ISO 24165), e.g. 4H95J0R2X.

originatorNatural person (object) or Legal entity (object)(Applicant)required

One of:

Shared fields available for both natural and legal applicants. These properties are accepted on the originator and beneficiary objects of POST /transfers/initiate regardless of personType.

originator.externalIdstring<= 64 characters

Your internal identifier for this applicant.

originator.middleNamestring<= 100 characters

Middle name (typically used for natural persons).

originator.dateOfBirthstring(date)<= 10 characters

Applicant date of birth. ISO-8601 date.

Example: "1990-01-15"

originator.placeOfBirthstring<= 70 characters

Example: "London"

originator.addressTypestring

IVMS101 address type — Home / Business / Geographic.

Enum"HOME""BIZZ""GEOG"

originator.streetNamestring<= 70 characters

originator.buildingNumberstring<= 16 characters

originator.buildingNamestring<= 35 characters

originator.postCodestring<= 16 characters

originator.townNamestring<= 35 characters

originator.countrystring= 2 characters

ISO-3166-1 alpha-2 country code.

originator.countrySubDivisionstring<= 35 characters

State / province / region code.

originator.nationalIdstring<= 35 characters

National identifier value (passport number, LEI, etc.).

originator.nationalIdTypestring<= 10 characters

IVMS101 national-identifier type. LEIX for legal entities (LEI), CCPT for passport, etc.

Enum"ARNU""CCPT""RAID""DRLC""FIIN""TXID""SOCS""IDCD""LEIX""MISC"

originator.countryOfIssuestring= 2 characters

ISO-3166-1 alpha-2 country that issued nationalId.

originator.accountNumberstring<= 100 characters

VASP-internal account identifier for this applicant.

originator.walletAddressstring<= 100 characters

On-chain wallet address belonging to this applicant.

originator.emailstring(email)<= 255 characters

Contact email. Not persisted on the Applicant record in the database — used at request time (e.g. EMAIL flow) and forwarded to email notifications.

originator.isSelfHostedboolean

true if this applicant is a self-hosted (non-custodial) wallet owner.

originator.vaspobject(ApplicantVasp)

VASP that holds (or self-hosts on behalf of) this applicant. Used to identify the counterparty service provider when it cannot be resolved from a Travel Address.

originator.personTypestringrequired

Discriminator. Must be natural.

Default "natural"

Value"natural"

originator.firstNamestring<= 100 charactersrequired

Example: "Alice"

originator.lastNamestring<= 100 charactersrequired

Example: "Liddell"

beneficiaryNatural person (object) or Legal entity (object)(Applicant)required

One of:

Shared fields available for both natural and legal applicants. These properties are accepted on the originator and beneficiary objects of POST /transfers/initiate regardless of personType.

beneficiary.externalIdstring<= 64 characters

Your internal identifier for this applicant.

beneficiary.middleNamestring<= 100 characters

Middle name (typically used for natural persons).

beneficiary.dateOfBirthstring(date)<= 10 characters

Applicant date of birth. ISO-8601 date.

Example: "1990-01-15"

beneficiary.placeOfBirthstring<= 70 characters

Example: "London"

beneficiary.addressTypestring

IVMS101 address type — Home / Business / Geographic.

Enum"HOME""BIZZ""GEOG"

beneficiary.streetNamestring<= 70 characters

beneficiary.buildingNumberstring<= 16 characters

beneficiary.buildingNamestring<= 35 characters

beneficiary.postCodestring<= 16 characters

beneficiary.townNamestring<= 35 characters

beneficiary.countrystring= 2 characters

ISO-3166-1 alpha-2 country code.

beneficiary.countrySubDivisionstring<= 35 characters

State / province / region code.

beneficiary.nationalIdstring<= 35 characters

National identifier value (passport number, LEI, etc.).

beneficiary.nationalIdTypestring<= 10 characters

IVMS101 national-identifier type. LEIX for legal entities (LEI), CCPT for passport, etc.

Enum"ARNU""CCPT""RAID""DRLC""FIIN""TXID""SOCS""IDCD""LEIX""MISC"

beneficiary.countryOfIssuestring= 2 characters

ISO-3166-1 alpha-2 country that issued nationalId.

beneficiary.accountNumberstring<= 100 characters

VASP-internal account identifier for this applicant.

beneficiary.walletAddressstring<= 100 characters

On-chain wallet address belonging to this applicant.

beneficiary.emailstring(email)<= 255 characters

Contact email. Not persisted on the Applicant record in the database — used at request time (e.g. EMAIL flow) and forwarded to email notifications.

beneficiary.isSelfHostedboolean

true if this applicant is a self-hosted (non-custodial) wallet owner.

beneficiary.vaspobject(ApplicantVasp)

VASP that holds (or self-hosts on behalf of) this applicant. Used to identify the counterparty service provider when it cannot be resolved from a Travel Address.

beneficiary.personTypestringrequired

Discriminator. Must be natural.

Default "natural"

Value"natural"

beneficiary.firstNamestring<= 100 charactersrequired

Example: "Alice"

beneficiary.lastNamestring<= 100 charactersrequired

Example: "Liddell"

curl -i -X POST \
  https://trp.travel-rule.com/transfers/initiate \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "travelAddress": "ta1qexamplebeneficiaryvasp1ahjk23",
    "asset": "BTC",
    "amount": "0.05",
    "callback": "https://my-vasp.com/trp/callbacks",
    "dti": "4H95J0R2X",
    "originator": {
      "personType": "natural",
      "externalId": "cust_42",
      "firstName": "Bob",
      "lastName": "Marley",
      "middleName": "Robert",
      "dateOfBirth": "1985-02-06",
      "placeOfBirth": "Kingston",
      "addressType": "HOME",
      "streetName": "Hope Road",
      "buildingNumber": "56",
      "buildingName": "Tuff Gong House",
      "postCode": "KIN 6",
      "townName": "Kingston",
      "country": "JM",
      "countrySubDivision": "Saint Andrew",
      "nationalId": "A12345678",
      "nationalIdType": "CCPT",
      "countryOfIssue": "JM",
      "accountNumber": "ACC-ORIG-001",
      "walletAddress": "bc1qoriginatoraddressxx",
      "email": "bob@example.com",
      "isSelfHosted": false,
      "vasp": {
        "name": "My VASP Inc."
      }
    },
    "beneficiary": {
      "personType": "natural",
      "externalId": "cust_77",
      "firstName": "Alice",
      "lastName": "Liddell",
      "middleName": "Pleasance",
      "dateOfBirth": "1990-01-15",
      "placeOfBirth": "London",
      "addressType": "HOME",
      "streetName": "Baker Street",
      "buildingNumber": "221B",
      "postCode": "NW1 6XE",
      "townName": "London",
      "country": "GB",
      "countrySubDivision": "England",
      "nationalId": "PB1234567",
      "nationalIdType": "CCPT",
      "countryOfIssue": "GB",
      "walletAddress": "bc1qbeneficiaryaddressxx",
      "email": "alice@example.com",
      "isSelfHosted": false,
      "vasp": {
        "name": "Wonderland Exchange"
      }
    }
  }'

Responses

Transfer accepted.

Bodyapplication/json

statusboolean

Value true

dataobject

Response

application/json

{
  "status": true,
  "data": {
    "transferId": "0193abc4-1234-7890-abcd-ef1234567890",
    "status": "PENDING",
    "createdAt": "2026-05-11T08:00:00.000Z"
  }
}

List comments on a transfer

Request

Returns every comment attached to the transfer (originator and beneficiary VASPs share the same thread). Attachment downloads are signed, short-lived URLs.

Security

BearerAuth

Path

transferPublicIdstring(uuid)required

Public ID of the transfer (UUID).

curl -i -X GET \
  'https://trp.travel-rule.com/transfers/{transferPublicId}/comments' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

List of comments.

Bodyapplication/json

statusboolean

Value true

dataArray of objects(TransferComment)

Response

application/json

{
  "status": true,
  "data": [
    { … }
  ]
}

Add a comment (with optional attachments)

Request

Adds a comment to a transfer thread. Up to 5 attachments per call (each ≤ 50 MB). Only images and PDFs are accepted — other MIME types are rejected with Only images and PDF files are allowed.

Security

BearerAuth

Path

transferPublicIdstring(uuid)required

Public ID of the transfer (UUID).

Bodymultipart/form-datarequired

textstring[ 1 .. 2000 ] charactersrequired

filesArray of strings(binary)<= 5 items

Up to 5 images / PDF attachments (≤ 50 MB each).

curl -i -X POST \
  'https://trp.travel-rule.com/transfers/{transferPublicId}/comments' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: multipart/form-data' \
  -F text=string \
  -F files=string

Responses

Comment created.

Bodyapplication/json

statusboolean

Value true

dataobject(TransferComment)

Response

application/json

{
  "status": true,
  "data": {
    "id": 0,
    "text": "string",
    "createdAt": "2019-08-24T14:15:22Z",
    "updatedAt": "2019-08-24T14:15:22Z",
    "author": { … },
    "canEdit": true,
    "attachments": [ … ]
  }
}

Edit a comment

Request

Edits a comment you previously authored. Other parties' comments can be read but not modified.

Security

BearerAuth

Path

transferPublicIdstring(uuid)required

Public ID of the transfer (UUID).

commentIdinteger(int64)>= 1required

Numeric ID of the comment.

Bodyapplication/jsonrequired

textstring[ 1 .. 2000 ] charactersrequired

curl -i -X PATCH \
  'https://trp.travel-rule.com/transfers/{transferPublicId}/comments/{commentId}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "text": "Updated comment text."
  }'

Responses

Comment updated.

Bodyapplication/json

statusboolean

Value true

dataobject(TransferComment)

Response

application/json

{
  "status": true,
  "data": {
    "id": 0,
    "text": "string",
    "createdAt": "2019-08-24T14:15:22Z",
    "updatedAt": "2019-08-24T14:15:22Z",
    "author": { … },
    "canEdit": true,
    "attachments": [ … ]
  }
}

Compliance

Inter-VASP compliance endpoints called when TRP routes data between participating VASPs. They are typically invoked by other VASPs / TRP itself, not by your front-end.

Operations

Discovery

Look up other VASPs in the TRP registry by domain, LEI, name, email, or directory ID.

Operations

Callbacks

Webhooks

Travel Rule Protocol (TRP) API (3.2.1)

Working with the documentation

Introduction: How the TRP Public API Works

Authentication Overview

Conventions

Identity

Auth

Address

Transfer

Initiate Travel Rule transfer

Request

Flow selection

What TRP does next

Responses

Was this helpful?

List comments on a transfer

Request

Responses

Was this helpful?

Add a comment (with optional attachments)

Request

Responses

Was this helpful?

Edit a comment

Request

Responses

Was this helpful?

Compliance

Discovery

Callbacks

Travel Rule Protocol (TRP) API (3.2.1)

Working with the documentation

Introduction: How the TRP Public API Works

Authentication Overview

Conventions

Identity

Auth

Address

Transfer

Initiate Travel Rule transfer

RequestExpand all

Flow selection

What TRP does next

Responses

Was this helpful?

List comments on a transfer

Request

Responses

Was this helpful?

Add a comment (with optional attachments)

Request

Responses

Was this helpful?

Edit a comment

Request

Responses

Was this helpful?

Compliance

Discovery

Callbacks

Request