Skip to main content
Migration takes over the key material from a user’s Fireblocks Non-Custodial Wallet (NCW) and provisions Dynamic embedded wallets for it. It is a single cross-chain operation: one call migrates the device across every supported chain and keeps the addresses the user already had.
Before you start. This is for applications already running a Fireblocks NCW integration. Migration imports that device’s keys into a Dynamic embedded wallet for the currently signed-in Dynamic user — your Fireblocks wallet is not changed or disabled. Migration currently supports EVM and Solana; other chains return a per-chain failure for now.

How it works

The migration runs inside Dynamic’s embedded-wallet iframe, served from https://app.dynamicauth.com. The Fireblocks key takeover and per-chain key derivation happen in that sandboxed iframe — the raw key material never enters your application’s page context. During the takeover, the Fireblocks NCW SDK (running in the iframe) exchanges MPC protocol messages with Fireblocks. It does not call Fireblocks directly. Instead it relays each message through your backend’s RPC endpoint, which forwards it to Fireblocks using your Fireblocks API credentials. The flow per message:
  1. The iframe sends the NCW message to POST {backendBaseUrl}/api/devices/{deviceId}/rpc, with your application’s auth token for the user as a bearer token.
  2. Your backend relays the message to Fireblocks and returns the response unchanged.
  3. The iframe completes the takeover, derives each chain’s key, and imports it into the Dynamic embedded wallet.
Your Fireblocks API key and secret stay on your backend. The browser only ever holds your application’s auth token for the user — never a Fireblocks credential.

Prerequisites

1

Configure the migration backend in the dashboard

Fireblocks migration is behind a feature flag. Contact support to enable it for your environment before the settings below appear.
In your environment settings, configure the Fireblocks migration backend:
  • Backend base URL — the base URL of your backend (HTTPS required). The iframe calls {backendBaseUrl}/api/devices/{deviceId}/rpc.
  • Environmentsandbox or production, matching the Fireblocks environment the NCW device belongs to.
Fireblocks migration settings in the Dynamic dashboard
2

Expose an RPC endpoint on your backend

Implement POST /api/devices/{deviceId}/rpc to relay NCW messages to Fireblocks:
  • Request — header Authorization: Bearer <token> (your application’s auth token for the user), body { "message": "<ncw-message>" }.
  • Action — authenticate the token, then forward the message to Fireblocks with the Fireblocks server SDK, invokeWalletRpc(walletId, deviceId, message), and return the Fireblocks response JSON unchanged. Your Fireblocks API credentials live here, on the backend.
Resolve the walletId from the authenticated user behind the token. See the Fireblocks NCW backend demo for a reference implementation.
3

Enable CORS for the Dynamic iframe

The RPC request originates from the Dynamic iframe origin, https://app.dynamicauth.com. Your /rpc endpoint must allow CORS from that origin — allow the POST method and the Content-Type and Authorization request headers.
Without CORS, the browser blocks the request and the takeover fails with a network error before any message reaches Fireblocks.

Migrate with the SDK

Once the dashboard and backend are configured, call the migration from your SDK:

React

JavaScript

Last modified on June 25, 2026