Blockstream Enterprise Custody SDK
Core Concepts

Restrictions

Restrictions define per-asset transfer policies for asset destinations and burn permissions. AMP2 uses restrictions as the primary compliance control for issuer-managed transfers.

Restrictions are per asset transfer policies that control where assets can move and whether they can be burned. They are the primary mechanism for regulatory compliance in AMP2.

How restrictions work

Restrictions are defined by the issuer and enforced by the HSM at PSET cosigning time. When a transfer PSET is submitted for cosigning, the HSM checks the source wallet's restriction group for the asset being transferred. If the transfer violates the policy, the HSM refuses to cosign and the transaction cannot be broadcast.

This enforcement is cryptographic, not advisory: there is no way to bypass restrictions without the HSM's signature, and the HSM only signs compliant transactions.

Restriction group fields

FieldTypeDescription
widsarray of WIDsWallets this restriction group applies to
toWhitelistarray of WIDsAllowed destination wallets for transfers
useToWhitelistbooleanIf true, only toWhitelist destinations are allowed
canBurnbooleanIf true, wallets in this group can burn the asset

Enforcement rules

When a wallet in a restriction group attempts an operation:

ConditionCheckResult if violated
useToWhitelist: trueDestination WID must be in toWhitelistCosign refused
canBurn: falseTransaction must not include burn outputsCosign refused
Wallet lockedWallet must not be in locked stateCosign refused
Asset lockedAsset must not be in locked stateCosign refused

If no restriction group is assigned to a wallet for a given asset, transfers of that asset from that wallet are unrestricted.

Single wallet restriction

Apply a restriction to one wallet for one asset using the SDK:

import { AmpActions } from '@blockstream/amp-registry';

const response = await broadcastRequest<
  typeof AmpActions.editAssetWalletRestrictions
>(
  {
    action: 'edit',
    resource: '/amp/assets/{aid}/wallets/{wid}/restrictions',
    details: {
      can_burn: false,
      whitelist: ['allowed_wid_1', 'allowed_wid_2'],
      wid: 'target_wid',
    },
  },
  blockstream,
);

This means: when wid holds this asset, it can only send to allowed_wid_1 or allowed_wid_2, and it cannot burn.

Bulk restrictions

Apply the same policy to multiple wallets at once:

const response = await broadcastRequest<
  typeof AmpActions.editAssetWalletRestrictionsList
>(
  {
    action: 'edit',
    resource: '/amp/assets/{aid}/restrictions',
    details: {
      can_burn: false,
      use_to_whitelist: true,
      to_whitelist: ['treasury_wid', 'approved_wid_1', 'approved_wid_2'],
      wids: ['investor_wid_1', 'investor_wid_2', 'investor_wid_3'],
    },
  },
  blockstream,
);

All three investor wallets share the same restriction group. They can send the asset only to the treasury or the two approved wallets.

Querying restrictions

ActionResourceDescription
get/amp/assets/{aid}/restrictionsList all restriction groups for an asset (v1)
get/amp/assets/v2/{aid}/restrictionsList restrictions with expanded group details (v2)
get/amp/assets/{aid}/wallets/{wid}/restrictionsGet restriction for a specific wallet

Modifying restrictions

Restrictions are managed through edit and delete operations:

ActionResourceDescription
edit/amp/assets/{aid}/wallets/{wid}/restrictionsSet restriction for a single wallet
edit/amp/assets/{aid}/restrictionsSet restriction for multiple wallets
delete/amp/assets/{aid}/wallets/{wid}/restrictionsDelete wallet restriction
delete/amp/assets/{aid}/restrictions/group/{gid}Delete restriction group

To change a wallet's restriction policy, delete the existing restriction and create a new one. There is no in place update operation.

For the full SDK reference, see the JS SDK restriction docs.

Interaction with locks

Restrictions and locks are independent but complementary:

StateEffect
Asset lockedAll operations on this asset are blocked for all wallets
Wallet lockedAll transfers from this wallet are blocked for all assets
UTXO lockedThe specific output cannot be spent
Restriction violationThe specific transfer is refused, other operations may still work

Locks are broader than restrictions. A locked asset or wallet blocks everything regardless of restriction policies.

Difference from AMP0 categories

AspectAMP0 CategoriesAMP2 Restriction Groups
ScopeGlobal (across all assets)Per asset
ModelGroup investors, then link to assetsDefine policy per asset per wallet
GranularityCategory levelWallet level within a group
EnforcementApplication levelHSM level (cryptographic)
Burn controlNot availablePer group canBurn flag

Design guidance

  • Keep groups small and explicit. A restriction group should represent a clear compliance boundary (e.g., "verified EU investors for asset X").
  • Audit restriction changes. Log every create/delete in your issuer systems with operator, timestamp, and reason.
  • Test in testnet first. Restriction enforcement is strict: a misconfigured whitelist will block legitimate transfers.
  • Include the treasury wallet in whitelists. Investors typically need to be able to send assets back to the issuer.

On this page