HTS x EVM - Part 2: KYC & Update

In Part 1 of the series, you saw how to mint, transfer, and burn an NFT using Hedera'a EVM and Hedera Token Service (HTS) System Smart Contracts. In this guide, you’ll learn the basics of how to configure / permission native Hedera Tokens via a Smart Contract. Specifically, you will learn how to:

  • Create and configure an NFT.

  • Grant and revoke a Know Your Customer (KYC) flag.

  • Update the KYC key with an Admin (to rotate compliance keys, for example)


Prerequisites

  • ECDSA account from the Hedera Portal.

  • Basic understanding of Solidity.


Table of Contents


Step 1: Project Setup

  1. Clone the repository

git clone https://github.com/hedera-dev/hts-evm-hybrid-mint-nfts.git
cd hts-evm-hybrid-mint-nfts
  1. Install dependencies

npm install
  1. Create .env file set up environment variables

cp .env.example .env

Edit the .env file to include your Hedera Testnet account's private key. Use your ECDSA Hex Encoded Private Key when interacting with Hedera's EVM via the JSON-RPC relay.

PRIVATE_KEY=0x

Make sure to use an ECDSA account with Unlimited Auto-Associations for the test script to run successfully.

  1. Run the test script

npx hardhat test test/2-KYCandUpdateNFT.ts

This script deploys and tests all of the functionality inside the KYCandUpdateNFT Smart Contract. We'll deep dive into the Smart Contract's functions and corresponding tests below!


Step 2. Creating an NFT

Function: createNFT(string memory name, string memory symbol, string memory memo)

Purpose: Deploy an HTS non-fungible token (NFT) via a Solidity contract call to HederaTokenService.createNonFungibleToken.

Key Code Snippet:

contracts/2-KYCandUpdateNFT.sol
function createNFT(
    string memory name,
    string memory symbol,
    string memory memo
) external payable onlyOwner {
    IHederaTokenService.HederaToken memory token;
    token.name = name;
    token.symbol = symbol;
    token.memo = memo;
    token.treasury = address(this);

    // 3 keys: Admin, Supply, KYC
    IHederaTokenService.TokenKey[] memory keys = new IHederaTokenService.TokenKey[](3);
    keys[0] = getSingleKey(KeyType.ADMIN, KeyValueType.CONTRACT_ID, address(this));
    keys[1] = getSingleKey(KeyType.SUPPLY, KeyValueType.CONTRACT_ID, address(this));
    keys[2] = getSingleKey(KeyType.KYC, KeyValueType.CONTRACT_ID, address(this));

    token.tokenKeys = keys;

    (int responseCode, address createdToken) = createNonFungibleToken(token);
    require(responseCode == HederaResponseCodes.SUCCESS, "Failed to create NFT");

    tokenAddress = createdToken;
    emit NFTCreated(createdToken);
}

How It Works

  1. Define Token Details – Provide name, symbol, and an optional memo.

  2. Set Keys – We generate three token keys:

    • AdminKey: Grants permission to update token-level properties later.

    • SupplyKey: Permits minting and burning of tokens.

    • KYCKey: Allows the contract (acting as the KYC authority) to grant or revoke KYC on specific accounts.

  3. Create the NFT – Call the HTS System Contract's createNonFungibleToken function from within the contract. If successful, store the resulting HTS token address in tokenAddress.

Test Implementation:

test/2-KYCandUpdateNFT.ts
it("should create an NFT", async () => {
    const createTx = await kycNftContract.createNFT(
        "KYC Test NFT",
        "KYCNFT",
        "NFT with KYC",
        {
            gasLimit: 250_000,
            value: ethers.parseEther("7") // sending HBAR needed to pay for tx fee
        }
    );

    await expect(createTx)
        .to.emit(kycNftContract, "NFTCreated")
        .withArgs(ethers.isAddress);
});

We call createNFT(...) and expect it to emit an NFTCreated event with a valid token address.


Step 3. Minting an NFT

The previous tutorial covered minting NFTs. Nothing's changed, but if you want a deep dive into how it's done, check it out there!

HTS x EVM - Part 1: How to Mint NFTs

Step 4. Granting KYC

Function: grantKYC(address account)

Purpose: Enable KYC for a specific account. If a token is configured to enforce KYC, that account must be “granted” KYC before it can receive or send the token.

Key Code Snippet:

test/2-KYCandUpdateNFT.ts
grantKYC(address account) external {
    require(tokenAddress != address(0), "Token not created yet");
    int response = grantTokenKyc(tokenAddress, account);
    require(response == HederaResponseCodes.SUCCESS, "Failed to grant KYC");
    emit KYCGranted(account);
}

Test Implementation:

test/2-KYCandUpdateNFT.ts
it("should grant KYC to account1", async () => {
    const grantKycTx = await kycNftContract.grantKYC(account1.address, {
        gasLimit: 350_000
    });

    await expect(grantKycTx)
        .to.emit(kycNftContract, "KYCGranted")
        .withArgs(account1.address);
});

Step 5. Revoking KYC

Function: revokeKYC(address account)

Purpose: Disable KYC for a specific account. After revocation, that account can no longer receive or transfer the token.

Key Code Snippet:

test/2-KYCandUpdateNFT.ts
function revokeKYC(address account) external {
    require(tokenAddress != address(0), "Token not created yet");
    int response = revokeTokenKyc(tokenAddress, account);
    require(response == HederaResponseCodes.SUCCESS, "Failed to revoke KYC");
    emit KYCRevoked(account);
}

Test Implementation:

test/2-KYCandUpdateNFT.ts
it("should revoke KYC from account1 (example)", async () => {
    const revokeTx = await kycNftContract.revokeKYC(account1.address, {
        gasLimit: 350_000
    });

    await expect(revokeTx)
        .to.emit(kycNftContract, "KYCRevoked")
        .withArgs(account1.address);
});

Step 6. Transferring NFTs and Enforcing KYC

Function: transferNFT(address receiver, uint256 serialNumber)

Purpose: Transfer an NFT from the treasury (address(this)) to another account. The receiving account must have KYC because this token has a KYC key.

Key Code Snippet:

test/2-KYCandUpdateNFT.ts
function transferNFT(address receiver, uint256 serialNumber) external {
    require(tokenAddress != address(0), "Token not created yet");
    IERC721(tokenAddress).transferFrom(address(this), receiver, serialNumber);
    emit NFTTransferred(receiver, serialNumber);
}

Test Implementation:

test/2-KYCandUpdateNFT.ts
it("should fail to transfer NFT to account without KYC", async () => {
    const serialNumber = 1n; // First minted NFT

    await expect(
        kycNftContract.transferNFT(account1.address, serialNumber, {
            gasLimit: 350_000
        })
    ).to.be.reverted;
});

it("should successfully transfer NFT to account with KYC", async () => {
    const serialNumber = 1n;

    // first, grant KYC
    const grantKycTx = await kycNftContract.grantKYC(account1.address);
    await grantKycTx.wait();

    // then transfer
    const transferTx = await kycNftContract.transferNFT(account1.address, serialNumber);
    await expect(transferTx)
        .to.emit(kycNftContract, "NFTTransferred")
        .withArgs(account1.address, serialNumber);

    // Verify ownership
    const tokenAddress = await kycNftContract.getTokenAddress();
    const nftContract = await ethers.getContractAt("IERC721", tokenAddress);
    expect(await nftContract.ownerOf(serialNumber)).to.equal(account1.address);
});

The first test expects the transfer to fail when KYC hasn’t been granted.

The second test demonstrates a successful transfer once grantKYC(...) has been called.


Step 7. Updating the KYC Key

Function: updateKYCKey(bytes memory newKYCKey)

Purpose: Change the KYC key on the token. This could be a “key rotation” to maintain compliance or to assign another entity control over KYC status.

Key Code Snippet:

function updateKYCKey(bytes memory newKYCKey) external onlyOwner {
    require(tokenAddress != address(0), "Token not created yet");

    // Create a new TokenKey array with just the KYC key
    IHederaTokenService.TokenKey[] memory keys = new IHederaTokenService.TokenKey[](1);
    keys[0] = getSingleKey(KeyType.KYC, KeyValueType.SECP256K1, newKYCKey);

    int responseCode = updateTokenKeys(tokenAddress, keys);
    require(responseCode == HederaResponseCodes.SUCCESS, "Failed to update KYC key");

    emit KYCKeyUpdated(newKYCKey);
}

Test Implementation:

test/2-KYCandUpdateNFT.ts
it("should successfully update KYC key to account1", async () => {
    const account1CompressedPublicKey = getSignerCompressedPublicKey(0);
    const updateKycTx = await kycNftContract.updateKYCKey(account1CompressedPublicKey, {
        gasLimit: 350_000
    });

    await expect(updateKycTx)
        .to.emit(kycNftContract, "KYCKeyUpdated")
        .withArgs(account1CompressedPublicKey);
});

it("should fail to grant KYC to account2 after KYC key update", async () => {
    await expect(
        kycNftContract.grantKYC(account2.address, {
            gasLimit: 350_000
        })
    ).to.be.revertedWith("Failed to grant KYC");
});

function getSignerCompressedPublicKey(
    index = 0,
    asBuffer = true,
    prune0x = true
) {
    const wallet = new ethers.Wallet(config.networks[network.name].accounts[index]);
    const cpk = prune0x
        ? wallet.signingKey.compressedPublicKey.replace('0x', '')
        : wallet.signingKey.compressedPublicKey;

    return asBuffer ? Buffer.from(cpk, 'hex') : cpk;
}

The compressedPublicKey , not the EVM address, must be passed as the address argument for the updateKeysfunction to work. The getSignerCompressedPublicKey utility function shows how you can get the compressed key using hardat and ethers.

After this key rotation, the contract's key is no longer able to perform KYC operations. In the snippet above, we immediately demonstrate that KYC attempts signed by the contract itself will revert.

Account 1 will now be able to grant/revoke KYC using the SDK.


Token Association in the Tests

Because we’re using a hybrid approach of EVM and the Native Hedera Token Service, you’ll see special logic to:

  • Associate the newly created token with the signers’ accounts (via TokenAssociateTransaction).

  • Fetch the signers’ Hedera account IDs from EVM addresses with AccountId.fromEvmAddress(...).

  • Use the PrivateKey.fromStringECDSA call to instantiate a Hedera client for executing SDK transactions.

test/2-KYCandUpdateNFT.ts
it("should associate NFT to account 1 and 2", async () => {
    const tokenAddress = await kycNftContract.getTokenAddress();
    const client = Client.forTestnet();

    const accountId1 = await AccountId.fromEvmAddress(0, 0, account1.address).populateAccountNum(client);
    accountId1.evmAddress = null; // ensures we use the Hedera account ID for transactions
    const privateKey = PrivateKey.fromStringECDSA(process.env.PRIVATE_KEY as string);
    client.setOperator(accountId1, privateKey);

    // Repeat for account2...
    // Then call new TokenAssociateTransaction()...
});

This is due to a nuance: In order to grant KYC to an account, it must have the token associated with it. This is the case even if the account has unlimited auto associations.


Conclusion

Using a Solidity Smart Contract on Hedera, you can replicate many of the native HTS functionalities—granting and revoking KYC, updating token keys, minting and transferring NFTs—while retaining the benefit of contract-driven logic and on-chain state. This approach may be preferable if:

  • You want advanced business logic in a self-contained contract.

  • You prefer standard Solidity patterns and tooling for your Web3 workflows.

  • You plan to modularize or integrate your token behavior with other smart contracts.

Check out Part 3: How to Pause, Freeze, Wipe, and Delete NFTs to learn more about configuring Native Tokens with Smart Contracts.

HTS x EVM - Part 3: How to Pause, Freeze, Wipe, and Delete NFTs

Additional Resources

Check out our GitHub repo to find the full contract and Hardhat test scripts, along with the configuration files you need to deploy and test on Hedera!

Last updated

Was this helpful?