UPC — Universal Private Compliance | ASP Operators

Running an ASP

What it means to operate an ASP — responsibilities, architecture, and the different types of ASP services.

An ASP operator is a business or organization that:

  1. Defines compliance criteria (sanctions screening, KYC, age verification, etc.)
  2. Evaluates addresses against those criteria
  3. Maintains a Merkle tree of approved addresses
  4. Publishes roots on-chain
  5. Provides an API for users to generate membership proofs

Why Operate an ASP?

Operating an ASP is a compliance business. If you're already doing identity verification (KYC, KYB, sanctions screening), operating an ASP lets you monetize those compliance capabilities on-chain:

  • Exchanges: Run an ASP for your KYC'd users — let any DeFi protocol accept your customers
  • Compliance firms: Offer ASP-as-a-service to multiple protocols simultaneously
  • Governments: Publish an official sanctions ASP that any protocol can integrate
  • DAOs: Create a membership ASP for verified DAO participants

ASP Architecture

┌──────────────────────────────────────────────────────────┐
│                       ASP Service                        │
│                                                          │
│  ┌──────────────┐   ┌─────────────────┐   ┌───────────┐  │
│  │ IEventSource │   │ IMembershipGate │   │ REST API  │  │
│  │              │   │                 │   │           │  │
│  │ Watch Shield │   │ Evaluate        │   │ Proof     │  │
│  │ events       │ → │ criteria        │ → │ gen       │  │
│  └──────────────┘   └─────────────────┘   └─────┬─────┘  │
│                                                 │        │
│  ┌──────────────────────────────────────────────▼───────┐  │
│  │              Merkle Tree (LeanIMT)                   │  │
│  │              Poseidon-BLS12-381 hashing              │  │
│  └──────────────────────────┬───────────────────────────┘  │
└─────────────────────────────┼────────────────────────────┘
                              │ publishRoot()
                              ▼
                  AttestationHub (on-chain)

Key Interfaces

IEventSource

Provides the stream of addresses to evaluate:

interface IEventSource {
  // Called when a new shield event is detected
  onShield(address: string, token: string, amount: bigint): Promise<void>

  // Start watching for new events
  start(): Promise<void>
  stop(): Promise<void>
}

IMembershipGate

Defines the criteria for approval:

interface IMembershipGate {
  // Return true if address should be added to the ASP
  evaluate(address: string): Promise<boolean>
}
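
One way to write and combine gates so that evaluation fails closed, as an added TypeScript example (not code from the UPC packages). Only `IMembershipGate` comes from this page; `normalizeAddress`, `denyListGate`, `allOf` and the 2-second default timeout are hypothetical.

```typescript
// IMembershipGate exactly as declared on this page.
interface IMembershipGate {
  evaluate(address: string): Promise<boolean>
}

// Hypothetical helper: canonical lowercase form, or null if not a 20-byte hex address.
function normalizeAddress(address: string): string | null {
  const a = address.trim().toLowerCase()
  return /^0x[0-9a-f]{40}$/.test(a) ? a : null
}

// Hypothetical gate: approve well-formed addresses that are not on a deny list.
function denyListGate(denied: string[]): IMembershipGate {
  const blocked = new Set<string>()
  for (const entry of denied) {
    const n = normalizeAddress(entry)
    if (n === null) throw new Error(`malformed deny-list entry: ${entry}`)
    blocked.add(n)
  }
  return {
    async evaluate(address: string): Promise<boolean> {
      const n = normalizeAddress(address)
      return n !== null && !blocked.has(n)
    },
  }
}

// Hypothetical combinator: approve only when every gate returns true in time.
// A gate that throws, times out or returns non-true denies (fail closed).
function allOf(gates: IMembershipGate[], timeoutMs = 2000): IMembershipGate {
  return {
    async evaluate(address: string): Promise<boolean> {
      if (gates.length === 0) return false // no criteria configured: approve nobody
      for (const gate of gates) {
        let timer: ReturnType<typeof setTimeout> | undefined
        const timeout = new Promise<boolean>((res) => { timer = setTimeout(() => res(false), timeoutMs) })
        try {
          if ((await Promise.race([gate.evaluate(address), timeout])) !== true) return false
        } catch {
          return false
        } finally {
          clearTimeout(timer)
        }
      }
      return true
    },
  }
}
```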

Pre-Built ASP Packages

upc-asp-whitelist

The simplest ASP type — a manually managed allow-list.

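npm install @permissionless-technologies/upc-asp-whitelist

import { createWhitelistASP } from '@permissionless-technologies/upc-asp-whitelist'

// RESTProvider, publicClient and walletClient are assumed to be imported or created elsewhere in your application
const asp = createWhitelistASP({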
  registryAddress: '0x...',
  provider: new RESTProvider({ url: 'https://my-asp.example.com/api' }),
  publicClient,
  walletClient,
})

// Manually add approved addresses
await asp.approve('0xAddress')
await asp.revoke('0xAddress')

Includes a built-in REST API server for proof generation.

upc-asp-kyc (Planned)

ASP that integrates with a KYC provider's API to automatically approve/reject addresses based on KYC results.

upc-asp-sanctions (Planned)

ASP that ingests a sanctions list (OFAC, EU, UN) and automatically manages membership based on the list.

See Setup for step-by-step ASP deployment, and Publishing Roots for root management best practices.
