Skip to main content
When CUSTODY_COMPLIANCE_ENABLED=true, every outbound transaction is screened by the configured provider (chainalysis or shuftipro) before broadcast. The transaction stays in PENDING_AML_SCREENING until the screening completes. See Errors and codes for screening-failure recovery and Configuration reference for provider setup.

List screenings

GET /v1/compliance/screenings?status=completed&from=2026-04-01T00:00:00Z&to=2026-04-30T23:59:59Z&page=1&per_page=50
Filters
ParamTypeDescription
statusstringpending, completed, flagged, failed
providerstringchainalysis, shuftipro
risk_score_minint0–100
Response 200 
{
  "screenings": [
    {
      "id": "scr_01HXYZ...",
      "transaction_id": "tx_...",
      "provider": "chainalysis",
      "status": "flagged",
      "risk_score": 87,
      "risk_categories": ["sanctions", "darknet"],
      "raw_response": {...},
      "completed_at": "2026-04-27T10:15:30Z",
      "created_at": "2026-04-27T10:15:00Z"
    }
  ]
}

Get screening

GET /v1/compliance/screenings/{id}

Get screening for a transaction

GET /v1/compliance/transactions/{txId}/screening
Returns the most recent screening for a given transaction, or 404 if none exists.

Shufti Pro async callback

POST /v1/compliance/callback/shuftipro
Provider-only endpoint. Authenticated by Shufti Pro’s HMAC signature header — no Qustody bearer token. Callers should not invoke this directly; configure the URL in Shufti Pro and the platform handles it automatically. The handler:
  1. Verifies the Signature header against CUSTODY_SHUFTIPRO_SECRET_KEY
  2. Updates the screening record
  3. Resumes the transaction (PENDING_AML_SCREENINGREADY_FOR_BROADCAST or → BLOCKED_BY_AML)
  4. Emits the transaction.aml_screening.completed webhook

Required permissions

EndpointPermission
GET /v1/compliance/screenings*compliance:read
POST /v1/compliance/callback/shuftipro(none — provider HMAC)