In Part 1 of the series, you saw how to mint, transfer, and burn an NFT using Hedera'a EVM and Hedera Token Service (HTS) System Smart Contracts. In this guide, you’ll learn the basics of how to configure / permission native Hedera Tokens via a Smart Contract. Specifically, you will learn how to:
Create and configure an NFT.
Grant and revoke a Know Your Customer (KYC) flag.
Update the KYC key with an Admin (to rotate compliance keys, for example)
git clone https://github.com/hedera-dev/hts-evm-hybrid-mint-nfts.git
cd hts-evm-hybrid-mint-nfts
Install dependencies
npm install
Create .env file set up environment variables
cp .env.example .env
Edit the .env file to include your Hedera Testnet account's private key. Use your ECDSA Hex Encoded Private Key when interacting with Hedera's EVM via the JSON-RPC relay.
This script deploys and tests all of the functionality inside the KYCandUpdateNFT Smart Contract. We'll deep dive into the Smart Contract's functions and corresponding tests below!
Define Token Details – Provide name, symbol, and an optional memo.
Set Keys – We generate three token keys:
AdminKey: Grants permission to update token-level properties later.
SupplyKey: Permits minting and burning of tokens.
KYCKey: Allows the contract (acting as the KYC authority) to grant or revoke KYC on specific accounts.
Create the NFT – Call the HTS System Contract's createNonFungibleToken function from within the contract. If successful, store the resulting HTS token address in tokenAddress.
Test Implementation:
test/2-KYCandUpdateNFT.ts
it("should create an NFT", async () => {
const createTx = await kycNftContract.createNFT(
"KYC Test NFT",
"KYCNFT",
"NFT with KYC",
{
gasLimit: 250_000,
value: ethers.parseEther("7") // sending HBAR needed to pay for tx fee
}
);
await expect(createTx)
.to.emit(kycNftContract, "NFTCreated")
.withArgs(ethers.isAddress);
});
We call createNFT(...) and expect it to emit an NFTCreated event with a valid token address.
Step 3. Minting an NFT
The previous tutorial covered minting NFTs. Nothing's changed, but if you want a deep dive into how it's done, check it out there!
Purpose: Enable KYC for a specific account. If a token is configured to enforce KYC, that account must be “granted” KYC before it can receive or send the token.
Key Code Snippet:
test/2-KYCandUpdateNFT.ts
grantKYC(address account) external {
require(tokenAddress != address(0), "Token not created yet");
int response = grantTokenKyc(tokenAddress, account);
require(response == HederaResponseCodes.SUCCESS, "Failed to grant KYC");
emit KYCGranted(account);
}
Purpose: Transfer an NFT from the treasury (address(this)) to another account. The receiving account must have KYC because this token has a KYC key.
Key Code Snippet:
test/2-KYCandUpdateNFT.ts
function transferNFT(address receiver, uint256 serialNumber) external {
require(tokenAddress != address(0), "Token not created yet");
IERC721(tokenAddress).transferFrom(address(this), receiver, serialNumber);
emit NFTTransferred(receiver, serialNumber);
}
Test Implementation:
test/2-KYCandUpdateNFT.ts
it("should fail to transfer NFT to account without KYC", async () => {
const serialNumber = 1n; // First minted NFT
await expect(
kycNftContract.transferNFT(account1.address, serialNumber, {
gasLimit: 350_000
})
).to.be.reverted;
});
it("should successfully transfer NFT to account with KYC", async () => {
const serialNumber = 1n;
// first, grant KYC
const grantKycTx = await kycNftContract.grantKYC(account1.address);
await grantKycTx.wait();
// then transfer
const transferTx = await kycNftContract.transferNFT(account1.address, serialNumber);
await expect(transferTx)
.to.emit(kycNftContract, "NFTTransferred")
.withArgs(account1.address, serialNumber);
// Verify ownership
const tokenAddress = await kycNftContract.getTokenAddress();
const nftContract = await ethers.getContractAt("IERC721", tokenAddress);
expect(await nftContract.ownerOf(serialNumber)).to.equal(account1.address);
});
The first test expects the transfer to fail when KYC hasn’t been granted.
The second test demonstrates a successful transfer once grantKYC(...) has been called.
Step 7. Updating the KYC Key
Function:updateKYCKey(bytes memory newKYCKey)
Purpose: Change the KYC key on the token. This could be a “key rotation” to maintain compliance or to assign another entity control over KYC status.
Key Code Snippet:
function updateKYCKey(bytes memory newKYCKey) external onlyOwner {
require(tokenAddress != address(0), "Token not created yet");
// Create a new TokenKey array with just the KYC key
IHederaTokenService.TokenKey[] memory keys = new IHederaTokenService.TokenKey[](1);
keys[0] = getSingleKey(KeyType.KYC, KeyValueType.SECP256K1, newKYCKey);
int responseCode = updateTokenKeys(tokenAddress, keys);
require(responseCode == HederaResponseCodes.SUCCESS, "Failed to update KYC key");
emit KYCKeyUpdated(newKYCKey);
}
Test Implementation:
test/2-KYCandUpdateNFT.ts
it("should successfully update KYC key to account1", async () => {
const account1CompressedPublicKey = getSignerCompressedPublicKey(0);
const updateKycTx = await kycNftContract.updateKYCKey(account1CompressedPublicKey, {
gasLimit: 350_000
});
await expect(updateKycTx)
.to.emit(kycNftContract, "KYCKeyUpdated")
.withArgs(account1CompressedPublicKey);
});
it("should fail to grant KYC to account2 after KYC key update", async () => {
await expect(
kycNftContract.grantKYC(account2.address, {
gasLimit: 350_000
})
).to.be.revertedWith("Failed to grant KYC");
});
function getSignerCompressedPublicKey(
index = 0,
asBuffer = true,
prune0x = true
) {
const wallet = new ethers.Wallet(config.networks[network.name].accounts[index]);
const cpk = prune0x
? wallet.signingKey.compressedPublicKey.replace('0x', '')
: wallet.signingKey.compressedPublicKey;
return asBuffer ? Buffer.from(cpk, 'hex') : cpk;
}
The compressedPublicKey , not the EVM address, must be passed as the address argument for the updateKeysfunction to work. The getSignerCompressedPublicKey utility function shows how you can get the compressed key using hardat and ethers.
After this key rotation, the contract's key is no longer able to perform KYC operations. In the snippet above, we immediately demonstrate that KYC attempts signed by the contract itself will revert.
Account 1 will now be able to grant/revoke KYC using the SDK.
Token Association in the Tests
Because we’re using a hybrid approach of EVM and the Native Hedera Token Service, you’ll see special logic to:
Associate the newly created token with the signers’ accounts (via TokenAssociateTransaction).
Fetch the signers’ Hedera account IDs from EVM addresses with AccountId.fromEvmAddress(...).
Use the PrivateKey.fromStringECDSA call to instantiate a Hedera client for executing SDK transactions.
test/2-KYCandUpdateNFT.ts
it("should associate NFT to account 1 and 2", async () => {
const tokenAddress = await kycNftContract.getTokenAddress();
const client = Client.forTestnet();
const accountId1 = await AccountId.fromEvmAddress(0, 0, account1.address).populateAccountNum(client);
accountId1.evmAddress = null; // ensures we use the Hedera account ID for transactions
const privateKey = PrivateKey.fromStringECDSA(process.env.PRIVATE_KEY as string);
client.setOperator(accountId1, privateKey);
// Repeat for account2...
// Then call new TokenAssociateTransaction()...
});
This is due to a nuance: In order to grant KYC to an account, it must have the token associated with it. This is the case even if the account has unlimited auto associations.
Conclusion
Using a Solidity Smart Contract on Hedera, you can replicate many of the native HTS functionalities—granting and revoking KYC, updating token keys, minting and transferring NFTs—while retaining the benefit of contract-driven logic and on-chain state. This approach may be preferable if:
You want advanced business logic in a self-contained contract.
You prefer standard Solidity patterns and tooling for your Web3 workflows.
You plan to modularize or integrate your token behavior with other smart contracts.
Check out our GitHub repo to find the full contract and Hardhat test scripts, along with the configuration files you need to deploy and test on Hedera!
