Skip to content

Agent Wallets

Agents can have managed crypto wallets for on-chain interactions, payments, and ERC-8004 ecosystem participation.

Wallet Models

Model Trust Model
Self-Custody Keys Non-custodial: agent holds private key. IDP verifies against registered public key.
Software-Signed Wallet Keys encrypted in SigID's database (AES-256-GCM). Signing performed in-process.
HSM-Signed Wallet Keys generated and held in external HSM. Signing via external API call.
TSS (Threshold Signing) Threshold signature scheme via external API call.
ERC-4337 Smart Account On-chain session key constraints. Defense-in-depth.

Budget Enforcement

Agents can have spending limits:

  • Per-transaction limits
  • Daily spending caps
  • Monthly spending caps
  • Recipient allowlists
  • Contract allowlists
  • Emergency freeze

For ERC-4337 smart accounts, session policies constrain direct account.execute(...) actions. Installed executor modules, such as x402 payment executors, run under the wallet's module-install authority; their internal callbacks are not checked again against the session action allowlist. Treat executor installation and replacement as high-trust wallet administration.

Human Approval

Require approval for:

Action Recommended gate
Sending messages or emails User confirmation or policy allowlist
Changing billing or ownership Fresh MFA and human approval
Deleting data Delegated token plus explicit approval
Signing wallet transactions Wallet budget, allowlist, and approval
Exporting data Audit event and limited scope

Incident Response

If an agent is compromised:

  1. Suspend the agent
  2. Revoke active agent keys
  3. Revoke delegated tokens and vault grants
  4. Freeze wallet signing if relevant
  5. Review recent audit logs and webhooks
  6. Rotate downstream credentials if the agent could access them

API Surface

Endpoint Use
GET /api/v1/wallets List wallets
POST /api/v1/wallets Create a wallet
GET /api/v1/wallets/{id} Read wallet details
POST /api/v1/wallets/{id}/sign Sign a transaction
POST /api/v1/wallets/{id}/freeze Emergency freeze
POST /api/v1/wallets/{id}/unfreeze Resume signing after review
DELETE /api/v1/wallets/{id} Deprovision a wallet
GET /api/v1/wallets/{id}/budget Inspect budget and spend state
PUT /api/v1/wallets/{id}/budget Set spending and allowlist controls
GET /api/v1/wallets/{id}/transactions Review transaction history

See Also