Industry-standard blockchain analytics for AML, KYT (Know Your Transaction), and sanctions screening. Offers a free on-chain Sanctions Oracle (`isSanctioned(address)`) and a paid KYT REST + webhook API for real-time transaction risk scoring across 25+ chains.
- OFAC sanctions screening
- transaction risk scoring (KYT)
- regulated VASPs and exchanges
- on-chain sanctions oracle for smart contracts
- investigations and Reactor case work

| Variable | Scope | Description |
|---|---|---|
| CHAINALYSIS_API_KEY | Server | API key for KYT and Sanctions API (header: `Token: <key>`). Free Sanctions API uses a separate free key. |
| CHAINALYSIS_WEBHOOK_SECRET | Server | Shared secret for verifying inbound KYT alert webhooks (HMAC-SHA256 over raw body). |

Use Chainalysis for AML/sanctions.

1. Free Sanctions screening: `GET https://public.chainalysis.com/api/v1/address/{address}` with `X-API-Key` returns `identifications[]`; non-empty means OFAC-listed.
2. On-chain enforcement: call the Sanctions Oracle `0x40C57923924B5c5c5455c48D93317139ADDaC8fb` (deployed on Ethereum, Polygon, Arbitrum, Optimism, BSC, Avalanche, Base, Celo) via `isSanctioned(address) returns (bool)` from your contract before transferring.
3. KYT API: register a user with `POST /api/kyt/v2/users/{userId}`, pre-screen withdrawals with `POST /api/kyt/v2/users/{userId}/withdrawal-attempts`, and submit transfers via `POST /api/kyt/v2/users/{userId}/transfers`.

The webhook handler verifies the HMAC-SHA256 signature using `CHAINALYSIS_WEBHOOK_SECRET`, then handles `alert.created`, `alert.updated`, and `transfer.flagged` events.

- The Sanctions Oracle returns the full OFAC SDN list, not custom internal blocklists. Wrap it with your own allow/deny list contract for jurisdiction-specific rules (UK HMT, EU CFSP, UN).
- Sanctions Oracle calls add gas to every guarded transfer; cache results off-chain or batch screening at deposit/withdraw boundaries rather than per-transfer.
- KYT and Sanctions API are different products with different keys, base URLs (`api.chainalysis.com` vs `public.chainalysis.com`), and rate limits; do not share keys across them.
- KYT requires you to register every counterparty as a `user` before screening transfers, otherwise alerts attribute risk to the wrong entity.
- Webhook signature is HMAC-SHA256 over the raw request body. Next.js App Router requires `req.text()` and `runtime = 'nodejs'` to preserve bytes; JSON-parsed bodies will fail verification.
- False-positive rate on indirect exposure (n-hop) is meaningful; tune `severity` thresholds and treat `medium`/`low` as review-queue rather than auto-block.
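
The raw-body requirement for webhook verification, as an added example that is not Chainalysis code: it verifies HMAC-SHA256 over the unparsed body, shows that a re-serialized body fails, and routes the three event types named above. The page does not say how the signature is delivered or encoded, so hex encoding, the `type` and `severity` payload fields, the `block` outcome and all function names are assumptions.

```javascript
// Added example, not Chainalysis code. Hex signature encoding and the
// `type` / `severity` payload fields are assumptions for illustration.
const { createHmac, timingSafeEqual } = require('node:crypto');

// HMAC-SHA256 over the exact bytes received, hex-encoded.
function signBody(rawBody, secret) {
  return createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Constant-time check; rejects missing or malformed signatures up front.
function verifyWebhook(rawBody, signatureHex, secret) {
  if (typeof signatureHex !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHex)) return false;
  const expected = Buffer.from(signBody(rawBody, secret), 'hex');
  return timingSafeEqual(expected, Buffer.from(signatureHex, 'hex'));
}

// Verify first, parse second. In a Next.js App Router route, rawBody is
// `await req.text()`, never JSON.stringify(await req.json()).
function handleWebhook(rawBody, signatureHex, secret) {
  if (!verifyWebhook(rawBody, signatureHex, secret)) return { status: 401, action: 'rejected' };
  let event;
  try {
    event = JSON.parse(rawBody);
  } catch {
    return { status: 400, action: 'malformed' };
  }
  switch (event.type) {
    case 'alert.created':
    case 'alert.updated':
    case 'transfer.flagged': {
      // medium/low go to a review queue; the 'block' branch is an assumed local policy.
      const review = event.severity === 'medium' || event.severity === 'low';
      return { status: 200, action: review ? 'review' : 'block' };
    }
    default:
      return { status: 200, action: 'ignored' }; // acknowledge unknown event types
  }
}

// Constructed sample: note the irregular whitespace a sender may emit.
const SECRET = 'example-webhook-secret'; // stands in for CHAINALYSIS_WEBHOOK_SECRET
const RAW_BODY = '{"type": "alert.created",  "severity": "medium"}';
const SIGNATURE = signBody(RAW_BODY, SECRET);
const REPARSED = JSON.stringify(JSON.parse(RAW_BODY)); // same JSON, different bytes

console.log(handleWebhook(RAW_BODY, SIGNATURE, SECRET));
console.log('re-serialized body verifies:', verifyWebhook(REPARSED, SIGNATURE, SECRET));
```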