Compliance grants allow authorized third parties (regulators, compliance tools) to read encrypted data. Grants are stored on-chain and come in two kinds:
  • User grants - Authorized by the user. Grants a third party access to the user’s shared-mode ciphertexts.
  • Network grants - Authorized by the Arcium network. Grants access to MXE-mode or shared-mode ciphertexts without requiring user interaction.

getComplianceGrantIssuerFunction

Import: @umbra-privacy/sdk/compliance
function getComplianceGrantIssuerFunction(
  args: GetCreateUserGrantedComplianceGrantFunctionArgs,
  deps?: GetCreateUserGrantedComplianceGrantFunctionDeps,
): CreateUserGrantedComplianceGrantFunction
Creates an on-chain compliance grant signed by the user, authorizing a third-party receiver to re-encrypt and read the user’s shared-mode ciphertexts.

GetCreateUserGrantedComplianceGrantFunctionArgs

  • client: IUmbraClient

GetCreateUserGrantedComplianceGrantFunctionDeps

  • getLatestBlockhash?: GetLatestBlockhash
  • transactionForwarder?: TransactionForwarder
  • masterViewingKeyX25519KeypairGenerator?: MasterViewingKeyX25519KeypairGeneratorFunction

Returns

CreateUserGrantedComplianceGrantFunction
type CreateUserGrantedComplianceGrantFunction = (
  receiver: Address,
  granterX25519: X25519PublicKey,
  receiverX25519: X25519PublicKey,
  nonce: RescueCipherEncryptionNonce,
  optionalData?: OptionalData32,
  hooks?: ComplianceTransactionHooks,
) => Promise<TransactionSignature>
  • receiver: Address - The third-party account that will be authorized to call re-encryption.
  • granterX25519: X25519PublicKey - The granter’s X25519 public key (MVK encrypting key).
  • receiverX25519: X25519PublicKey - The receiver’s X25519 public key (the target re-encryption key).
  • nonce: RescueCipherEncryptionNonce - Grant nonce, used to differentiate multiple grants to the same receiver.

Example

import { getComplianceGrantIssuerFunction } from "@umbra-privacy/sdk/compliance";

const createGrant = getComplianceGrantIssuerFunction({ client });
const signature = await createGrant(
  receiverAddress,
  granterX25519PublicKey,
  receiverX25519PublicKey,
  grantNonce,
);

getComplianceGrantRevokerFunction

Import: @umbra-privacy/sdk/compliance
function getComplianceGrantRevokerFunction(
  args: GetDeleteUserGrantedComplianceGrantFunctionArgs,
  deps?: GetDeleteUserGrantedComplianceGrantFunctionDeps,
): DeleteUserGrantedComplianceGrantFunction
Revokes an existing user-granted compliance grant, removing the third party’s authorization to re-encrypt.

GetDeleteUserGrantedComplianceGrantFunctionArgs

  • client: IUmbraClient

GetDeleteUserGrantedComplianceGrantFunctionDeps

  • getLatestBlockhash?: GetLatestBlockhash
  • transactionForwarder?: TransactionForwarder
  • masterViewingKeyX25519KeypairGenerator?: MasterViewingKeyX25519KeypairGeneratorFunction

Returns

DeleteUserGrantedComplianceGrantFunction
type DeleteUserGrantedComplianceGrantFunction = (
  receiver: Address,
  granterX25519: X25519PublicKey,
  receiverX25519: X25519PublicKey,
  nonce: RescueCipherEncryptionNonce,
  optionalData?: OptionalData32,
  hooks?: ComplianceTransactionHooks,
) => Promise<TransactionSignature>
Parameters are identical to CreateUserGrantedComplianceGrantFunction - pass the same values used when creating the grant.

getUserComplianceGrantQuerierFunction

Import: @umbra-privacy/sdk/compliance
function getUserComplianceGrantQuerierFunction(
  args: GetQueryUserComplianceGrantFunctionArgs,
  deps?: GetQueryUserComplianceGrantFunctionDeps,
): QueryUserComplianceGrantFunction
Checks whether a specific user-granted compliance grant exists on-chain.

GetQueryUserComplianceGrantFunctionArgs

  • client: IUmbraClient

GetQueryUserComplianceGrantFunctionDeps

  • accountInfoProvider?: AccountInfoProviderFunction

Returns

QueryUserComplianceGrantFunction
type QueryUserComplianceGrantFunction = (
  granterX25519: X25519PublicKey,
  nonce: RescueCipherEncryptionNonce,
  receiverX25519: X25519PublicKey,
) => Promise<QueryComplianceGrantResult>

getNetworkComplianceGrantQuerierFunction

Import: @umbra-privacy/sdk/compliance
function getNetworkComplianceGrantQuerierFunction(
  args: { client: IUmbraClient },
  deps?: { accountInfoProvider?: AccountInfoProviderFunction },
): NetworkComplianceGrantQuerierFunction;
Checks whether a network MXE compliance grant exists for the given nonce and receiver key. Network MXE grants allow the Arcium network to re-encrypt MXE-mode ciphertexts.

Returns

type NetworkComplianceGrantQuerierFunction = (
  nonce: RescueCipherEncryptionNonce,
  receiverX25519: X25519PublicKey,
) => Promise<QueryComplianceGrantResult>;

getSharedComplianceGrantQuerierFunction

Import: @umbra-privacy/sdk/compliance
function getSharedComplianceGrantQuerierFunction(
  args: { client: IUmbraClient },
  deps?: { accountInfoProvider?: AccountInfoProviderFunction },
): SharedComplianceGrantQuerierFunction;
Checks whether a network shared compliance grant exists. Network shared grants allow the Arcium network to re-encrypt shared-mode ciphertexts.

Returns

type SharedComplianceGrantQuerierFunction = (
  granterX25519: X25519PublicKey,
  nonce: RescueCipherEncryptionNonce,
  receiverX25519: X25519PublicKey,
) => Promise<QueryComplianceGrantResult>;

QueryComplianceGrantResult

Returned by all three query functions:
  • { state: "exists" } - The grant is present on-chain.
  • { state: "non_existent" } - No grant exists for the given parameters.
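
Revocation followed by an on-chain check, as an added example that is not SDK code. The type aliases are local stand-ins for the SDK's types (their representations are assumptions), UserGrantRef and revokeAndConfirm are hypothetical names, and revoke and query stand for the functions returned by getComplianceGrantRevokerFunction and getUserComplianceGrantQuerierFunction.

```typescript
// Added example: local stand-ins for SDK types so the block runs offline.
// In real code import these types from the SDK; the representations are assumptions.
type Address = string;
type X25519PublicKey = Uint8Array;
type RescueCipherEncryptionNonce = number;
type TransactionSignature = string;
type QueryComplianceGrantResult = { state: "exists" } | { state: "non_existent" };

// Argument order as documented on this page (optionalData and hooks omitted).
type RevokeGrant = (
  receiver: Address,
  granterX25519: X25519PublicKey,
  receiverX25519: X25519PublicKey,
  nonce: RescueCipherEncryptionNonce,
) => Promise<TransactionSignature>;
type QueryUserGrant = (
  granterX25519: X25519PublicKey,
  nonce: RescueCipherEncryptionNonce,
  receiverX25519: X25519PublicKey,
) => Promise<QueryComplianceGrantResult>;

// Hypothetical record: one place that holds the values used at creation time.
interface UserGrantRef {
  receiver: Address;
  granterX25519: X25519PublicKey;
  receiverX25519: X25519PublicKey;
  nonce: RescueCipherEncryptionNonce;
}

// Revoke a user grant and confirm that the query no longer finds it.
// The revoker takes (receiver, granter, receiverKey, nonce); the querier takes
// (granter, nonce, receiverKey). Both keys share a type, so a swap still compiles.
async function revokeAndConfirm(
  grant: UserGrantRef,
  revoke: RevokeGrant,
  query: QueryUserGrant,
): Promise<{ revoked: boolean; signature?: TransactionSignature }> {
  const { receiver, granterX25519, receiverX25519, nonce } = grant;
  const before = await query(granterX25519, nonce, receiverX25519);
  if (before.state === "non_existent") return { revoked: true }; // no transaction sent
  const signature = await revoke(receiver, granterX25519, receiverX25519, nonce);
  const after = await query(granterX25519, nonce, receiverX25519);
  // revoked === false means the grant is still visible: recheck before relying on it.
  return { revoked: after.state === "non_existent", signature };
}
```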

getNetworkCiphertextReencryptorForNetworkGrantFunction

Import: @umbra-privacy/sdk/compliance
function getNetworkCiphertextReencryptorForNetworkGrantFunction(
  args: { client: IUmbraClient },
  deps?: GetNetworkCiphertextReencryptorForNetworkGrantFunctionDeps,
): NetworkCiphertextReencryptorForNetworkGrantFunction;
Re-encrypts MXE-mode ciphertexts under a network grant, making them readable by the grant receiver. Queues an Arcium MPC computation.

GetNetworkCiphertextReencryptorForNetworkGrantFunctionArgs

  • client: IUmbraClient

GetNetworkCiphertextReencryptorForNetworkGrantFunctionDeps

  • getLatestBlockhash?: GetLatestBlockhash
  • transactionForwarder?: TransactionForwarder

Returns

NetworkCiphertextReencryptorForNetworkGrantFunction
type NetworkCiphertextReencryptorForNetworkGrantFunction = (
  receiverX25519Key: X25519PublicKey,
  nonce: RescueCipherEncryptionNonce,
  inputEncryptionNonce: RescueCipherEncryptionNonce,
  ciphertexts: readonly Uint8Array[],
  optionalData?: OptionalData32,
  hooks?: ComplianceTransactionHooks,
) => Promise<TransactionSignature>
  • receiverX25519Key: X25519PublicKey - The receiver’s X25519 public key.
  • nonce: RescueCipherEncryptionNonce - The grant nonce identifying which network grant to use.
  • inputEncryptionNonce: RescueCipherEncryptionNonce - The nonce used when the ciphertexts were originally encrypted.
  • ciphertexts: readonly Uint8Array[] - The MXE-encrypted ciphertexts to re-encrypt. Must contain between 1 and 6 elements.
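
A pre-flight wrapper for the network-grant re-encryptor, as an added example that is not SDK code: it rejects groups outside the documented 1 to 6 bound and checks the grant with the network querier before any MPC computation is queued. The type aliases are local stand-ins for the SDK's types, and CiphertextGroup, firstInvalidGroup and reencryptGroups are hypothetical names.

```typescript
// Added example: local stand-ins for SDK types (representations are assumptions).
type X25519PublicKey = Uint8Array;
type RescueCipherEncryptionNonce = number;
type TransactionSignature = string;
type QueryComplianceGrantResult = { state: "exists" } | { state: "non_existent" };

type QueryNetworkGrant = (
  nonce: RescueCipherEncryptionNonce,
  receiverX25519: X25519PublicKey,
) => Promise<QueryComplianceGrantResult>;
type ReencryptNetwork = (
  receiverX25519Key: X25519PublicKey,
  nonce: RescueCipherEncryptionNonce,
  inputEncryptionNonce: RescueCipherEncryptionNonce,
  ciphertexts: readonly Uint8Array[],
) => Promise<TransactionSignature>;

// Hypothetical grouping: ciphertexts that were encrypted under one input nonce.
interface CiphertextGroup {
  inputEncryptionNonce: RescueCipherEncryptionNonce;
  ciphertexts: readonly Uint8Array[];
}

// Index of the first group outside the documented 1..6 bound, or -1 when all are valid.
function firstInvalidGroup(groups: readonly CiphertextGroup[]): number {
  return groups.findIndex((g) => g.ciphertexts.length < 1 || g.ciphertexts.length > 6);
}

// Validate every group locally, confirm the grant exists, then queue one call per group.
async function reencryptGroups(
  receiverKey: X25519PublicKey,
  grantNonce: RescueCipherEncryptionNonce,
  groups: readonly CiphertextGroup[],
  query: QueryNetworkGrant,
  reencrypt: ReencryptNetwork,
): Promise<TransactionSignature[]> {
  const bad = firstInvalidGroup(groups);
  if (bad !== -1) throw new RangeError(`group ${bad}: expected 1 to 6 ciphertexts`);
  const grant = await query(grantNonce, receiverKey);
  if (grant.state !== "exists") throw new Error("no network grant for this nonce and receiver key");
  const signatures: TransactionSignature[] = [];
  for (const g of groups) {
    signatures.push(await reencrypt(receiverKey, grantNonce, g.inputEncryptionNonce, g.ciphertexts));
  }
  return signatures;
}
```

The grant nonce and the input encryption nonce share a type, so the wrapper keeps the input nonce attached to its ciphertexts instead of passing it positionally.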

getSharedCiphertextReencryptorForNetworkGrantFunction

Import: @umbra-privacy/sdk/compliance
function getSharedCiphertextReencryptorForNetworkGrantFunction(
  args: GetSharedCiphertextReencryptorForNetworkGrantFunctionArgs,
  deps?: GetSharedCiphertextReencryptorForNetworkGrantFunctionDeps,
): SharedCiphertextReencryptorForNetworkGrantFunction
Re-encrypts shared-mode ciphertexts under a network shared grant.

Returns

ReencryptSharedCiphertextsNetworkGrantFunction
type ReencryptSharedCiphertextsNetworkGrantFunction = (
  granterX25519Key: X25519PublicKey,
  receiverX25519Key: X25519PublicKey,
  nonce: RescueCipherEncryptionNonce,
  inputEncryptionNonce: RescueCipherEncryptionNonce,
  ciphertexts: readonly Uint8Array[],
  optionalData?: OptionalData32,
  hooks?: ComplianceTransactionHooks,
) => Promise<TransactionSignature>
  • granterX25519Key: X25519PublicKey - The granter’s X25519 public key.
  • receiverX25519Key: X25519PublicKey - The receiver’s X25519 public key.
  • ciphertexts: readonly Uint8Array[] - Must contain between 1 and 6 elements.

getSharedCiphertextReencryptorForUserGrantFunction

Import: @umbra-privacy/sdk/compliance
function getSharedCiphertextReencryptorForUserGrantFunction(
  args: GetReencryptSharedCiphertextsUserGrantFunctionArgs,
  deps?: GetReencryptSharedCiphertextsUserGrantFunctionDeps,
): ReencryptSharedCiphertextsUserGrantFunction
Re-encrypts shared-mode ciphertexts under a user-granted compliance grant.

Returns

ReencryptSharedCiphertextsUserGrantFunction
type ReencryptSharedCiphertextsUserGrantFunction = (
  granterX25519Key: X25519PublicKey,
  receiverX25519Key: X25519PublicKey,
  nonce: RescueCipherEncryptionNonce,
  inputEncryptionNonce: RescueCipherEncryptionNonce,
  ciphertexts: readonly Uint8Array[],
  optionalData?: OptionalData32,
  hooks?: ComplianceTransactionHooks,
) => Promise<TransactionSignature>
Identical signature to ReencryptSharedCiphertextsNetworkGrantFunction. The difference is which on-chain grant account is used to authorize the re-encryption.
  • ciphertexts: readonly Uint8Array[] - Must contain between 1 and 6 elements.