Skip to main content
Regulated QRC standards (notably QRC-1400 and QRC-3643) expose policy-controlled, permissioned transfer rules. Qustody surfaces these as a complianceConfig document and an allowlist collection per token. Updates flow through the standard approval and signing pipeline.

GET /v1/tokens/{tokenId}/compliance

Fetch the current compliance configuration. 
{
  "tokenId": "token_abc123",
  "config": {
    "permissionedTransfers": true,
    "jurisdictionFlags": ["US-Reg-D-506(c)"],
    "investorEligibilityProvider": "external-kyc-provider-id",
    "transferRestrictions": {
      "minHoldingPeriodSeconds": 31536000,
      "maxHoldersPerJurisdiction": { "US": 99 }
    }
  },
  "updatedAt": "2026-04-27T10:00:00Z"
}

PATCH /v1/tokens/{tokenId}/compliance

Update the compliance configuration. Privileged.
AspectDetail
Required permissionstokens:compliance:update plus on-chain COMPLIANCE_OPERATOR role
IdempotencyIdempotency-Key header required
Approval policyRequired
Blockchain effectContract call(s) to the compliance module
Webhook eventstoken.compliance_updated, token.operation_failed

POST /v1/tokens/{tokenId}/allowlist

Add an address to the token’s allowlist. | Required permissions | tokens:allowlist:write plus on-chain COMPLIANCE_OPERATOR role | | Idempotency | Idempotency-Key header recommended | | Approval policy | Required | | Webhook events | token.allowlist_added, token.operation_failed |

Request body

{
  "address": "0x9a8e5e21f0c27d2c5c14b6e9bd8e4a0f9c9b4d12",
  "identityRef": "kyc_subject_001",
  "expiresAt": "2027-04-27T00:00:00Z",
  "idempotencyKey": "allowlist-add-2026-04-27-001"
}

DELETE /v1/tokens/{tokenId}/allowlist/{address}

Remove an address from the allowlist. Webhook events: token.allowlist_removed, token.operation_failed.

Errors

CodeTypeMeaning
1703TOKEN_NOT_DEPLOYEDToken has no on-chain contractAddress.
1704TOKEN_OPERATION_NOT_ALLOWEDStandard or template does not support compliance controls.
1708TOKEN_ROLE_REQUIREDCaller lacks the COMPLIANCE_OPERATOR role.
1714TOKEN_COMPLIANCE_RESTRICTION_FAILEDThe compliance module rejected the change.
1200POLICY_DENIEDApproval policy denied the operation.
1201APPROVAL_REQUIREDApproval is required and was not yet granted.
1601IDEMPOTENCY_CONFLICTSame Idempotency-Key reused with different body.

Wording and scope

We say:
  • “compliance-aware”
  • “permissioned transfer rules”
  • “policy-controlled”
  • “an integration point for identity and compliance systems”
We do not say:
  • “automatically legally compliant”
  • “fully compliant securities issuance”
  • “guaranteed regulatory approval”