- Base check. All addresses pass through Arcane’s base compliance check. This check always runs and cannot be disabled.
- Custom KYT provider (optional). An application admin can configure a custom KYT provider for their application. When configured, every address that passes the base check is also checked against the custom provider’s own internal rules, over a webhook.
Screening flow
For each public address in a transaction, the base check always runs first. The custom provider check (if configured) only runs after the base check approves the address. If every address in the transaction passes all applicable checks, the transaction is approved.Authorization
If you configure a shared secret for your custom KYT provider, Arcane signs every outbound request with an HMAC-SHA256 signature so your service can verify the request came from Arcane. Signing is opt-in: without a shared secret, requests are sent unsigned. The signature covers the timestamp, HTTP method, path and query string, and raw request body, joined with.:
Use a constant-time comparison (like
timingSafeEqual above) when
checking the signature. Comparing hex strings directly leaks timing
information that an attacker could use to guess the correct signature
byte by byte.Reference implementation
Arcane maintains a minimal reference implementation of the custom KYT provider contract: a CSV blacklist check. It exposes the same/metadata
and /check endpoints described in the API
reference and
approves every address except those listed in a CSV file of
address,reason rows. Use it as a starting point for your own provider,
or as a reference for testing your integration.
reference-csv-blacklist-service
Reference KYT provider that approves addresses unless they appear in a
CSV blacklist.