Manage Allowlists
Control which addresses can hold your token using allowlists.
Tokens created with requiresAllowlist: true keep a list of approved destination addresses for controlled token actions. SDP enforces that list on allowlist-aware issuance flows such as minting and administrative transfers. Payment transfers use wallet-level destination allowlists instead of this token allowlist. This is essential for regulated tokens like tokenized securities.
When a token is created without an allowlist, the dashboard hides allowlist management for that token.
Prerequisites
- A token with
requiresAllowlistenabled - The
tokens:writepermission for API key callers
For tokens with an on-chain allowlist configured, the mint endpoints also auto-add fresh destination wallets to the allowlist on first mint (both on-chain and in the DB mirror). Older allowlist tokens without an on-chain list enforce the DB allowlist only and reject destinations that aren't already added — use POST /allowlist first for those. If you want every entry to come through explicit operator review, use POST /allowlist ahead of mint and avoid handing out tokens:write to keys that should not be able to grow the allowlist. For those on-chain-list tokens, revoked entries are never auto-reactivated by mint — they return 403 DESTINATION_REVOKED until re-added explicitly here. Legacy allowlist tokens without an on-chain list don't track a distinct revoked state — a removed destination simply fails with 403 NOT_ON_TOKEN_ALLOWLIST until it's re-added.
Add an address
curl -X POST https://api.solana.com/v1/issuance/tokens/tok_abc123/allowlist \
-H "Authorization: Bearer sk_test_..." \
-H "Content-Type: application/json" \
-d '{
"address": "7xKXz...9fGh",
"label": "Treasury wallet"
}'const response = await fetch(
"https://api.solana.com/v1/issuance/tokens/tok_abc123/allowlist",
{
method: "POST",
headers: {
"Authorization": "Bearer sk_test_...",
"Content-Type": "application/json",
},
body: JSON.stringify({
address: "7xKXz...9fGh",
label: "Treasury wallet",
}),
}
);HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://api.solana.com/v1/issuance/tokens/tok_abc123/allowlist"))
.header("Authorization", "Bearer sk_test_...")
.header("Content-Type", "application/json")
.POST(HttpRequest.BodyPublishers.ofString("""
{
"address": "7xKXz...9fGh",
"label": "Treasury wallet"
}"""))
.build();The label field is optional but recommended for identifying entries.
List entries
curl https://api.solana.com/v1/issuance/tokens/tok_abc123/allowlist \
-H "Authorization: Bearer sk_test_..."const response = await fetch(
"https://api.solana.com/v1/issuance/tokens/tok_abc123/allowlist",
{ headers: { "Authorization": "Bearer sk_test_..." } }
);
const { data, meta } = await response.json();
// meta: { total, page, pageSize, hasMore }HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://api.solana.com/v1/issuance/tokens/tok_abc123/allowlist"))
.header("Authorization", "Bearer sk_test_...")
.GET()
.build();Supports page and pageSize query parameters for pagination.
Remove an address
curl -X DELETE \
https://api.solana.com/v1/issuance/tokens/tok_abc123/allowlist/alw_abc123 \
-H "Authorization: Bearer sk_test_..."await fetch(
"https://api.solana.com/v1/issuance/tokens/tok_abc123/allowlist/alw_abc123",
{
method: "DELETE",
headers: { "Authorization": "Bearer sk_test_..." },
}
);HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://api.solana.com/v1/issuance/tokens/tok_abc123/allowlist/alw_abc123"))
.header("Authorization", "Bearer sk_test_...")
.DELETE()
.build();Workflow
A typical allowlist workflow for a tokenized security:
- Create the token with
"requiresAllowlist": trueand template"tokenized-security" - Deploy the token
- Collect wallet addresses from KYC-verified users
- Add each verified address to the allowlist
- Mint tokens to allowlisted addresses
- Remove addresses when compliance status changes