Selective disclosure & viewing grants
Privacy by default does not mean opacity. Mersennet lets an account holder grant a scoped viewing key to an auditor, exchange, or counterparty that reveals exactly the data they need โ and nothing else. The rest of the account stays shielded.
Viewing grantsโ
A viewing grant is a capability you mint and hand to a grantee. It is scoped, time-bounded, and revocable.
- Scoped โ each grant authorizes one or more read scopes:
balances:read,positions:read,orders:read. - Time-bounded โ grants carry an expiry; reads fail once expired.
- Revocable โ the grantor can revoke at any time, immediately invalidating future reads.
// Grant a scoped, expiring viewing key
const grant = await wallet.createGrant({
scope: ['balances:read', 'positions:read'],
grantee: auditorPubKey,
expiresAt: '2026-12-31',
});
// The grantee reconstructs only what was shared
const view = await rpc.viewBalances(grant.id);
Lifecycleโ
flowchart LR
Mint["prime_viewGrantToken (mint)"] --> Active["Active grant"]
Active -->|"prime_viewBalances / Positions / Orders"| Read["Grant-gated reads"]
Active -->|"prime_viewRevokeToken"| Revoked["Revoked"]
Active -->|"expiresAt reached"| Expired["Expired"]
Read -->|"prime_viewGrantStatus"| Active
| Step | Method | Purpose |
|---|---|---|
| Mint | prime_viewGrantToken | Create a scoped, expiring grant for a grantee. |
| Status | prime_viewGrantStatus | Check whether a grant is active, expired, or revoked. |
| Read balances | prime_viewBalances | Grant-gated balances:read reconstruction read. |
| Read positions | prime_viewPositions | Grant-gated positions:read reconstruction read. |
| Read orders | prime_viewOrders | Grant-gated orders:read open-order reconstruction read. |
| Revoke | prime_viewRevokeToken | Invalidate the grant immediately. |
The node never decrypts your dataโ
Grant-gated reads are authorization gates, not decryption oracles. For balances, prime_viewBalances returns the encrypted notes the grantee is authorized to see (paginated), and the grantee runs reconstructPortfolio client-side โ the node never decrypts a balance. Position and order reads return the public per-market clearing context plus the records needed for the grantee to run reconstructPositions / reconstructOpenOrders locally, authorized by the grant.
This keeps the trust model honest: a viewing grant lets a specific party recompute a specific view, without ever placing your plaintext on the server.
Build itโ
See Note scanning & wallet reconstruction for the client-side reconstruction primitives, the Shielded SDK for typed helpers (scanGrantedNotes, reconstructPortfolio, reconstructPositions, reconstructOpenOrders), and the Shielded JSON-RPC reference for the full method signatures.