0% 0% 0% 0%

Auditor disclosure

Index
  1. 01. Concepts
  2. 02. Contracts
  3. 03. pool
  4. 04. policy
  5. 05. viewkeys
  6. 06. verifier
  7. 07. Circuits
  8. 08. Features
  9. 09. Shielded send
  10. 10. Deposit & withdraw
  11. 11. Consolidate & split
  12. 12. Shielded swap & pay
  13. 13. Escrow
  14. 14. Payment channels
  15. 15. Payroll & subscriptions
  16. 16. Auditor disclosure
  17. 17. ASP compliance
  18. 18. Cloud runtimes

Auditor disclosure

When you need to show activity — to an auditor, an accountant, a counterparty — you share a scoped, revocable view key. It is read-only and never grants spending power.

Scoped view keys

View keys derive in a BIP32-style tree (ECDH → HKDF → AEAD), in the Rust core:

master_view_secret
 └─ account_i
     └─ asset_j
         └─ epoch_k  →  { incoming-viewing key, detection key }

A scoped export carries the viewing secret + owner_pk for that node — but no owner_sk. The auditor receives exactly the node at account / asset / epoch, finds and decrypts those notes, and re-derives each commitment to verify against the chain — provable disclosure — with no path back up to any other account, asset, or epoch.

Revocation & trail

The grant (and its later revocation) is recorded on the viewkeys contract — a provable, timestamped trail. Revoke a key and the auditor’s window closes. Spending authority is never involved at any point.

Where in the app

The Auditor page issues and revokes scopes; Settings holds the master phrase the tree derives from.

The automatic, reveal-nothing counterpart is ASP compliance.