Agent Wallets¶
Agents can have managed crypto wallets for on-chain interactions, payments, and ERC-8004 ecosystem participation.
Wallet Models¶
| Model | Trust Model |
|---|---|
| Self-Custody Keys | Non-custodial: agent holds private key. IDP verifies against registered public key. |
| Software-Signed Wallet | Keys encrypted in SigID's database (AES-256-GCM). Signing performed in-process. |
| HSM-Signed Wallet | Keys generated and held in external HSM. Signing via external API call. |
| TSS (Threshold Signing) | Threshold signature scheme via external API call. |
| ERC-4337 Smart Account | On-chain session key constraints. Defense-in-depth. |
Budget Enforcement¶
Agents can have spending limits:
- Per-transaction limits
- Daily spending caps
- Monthly spending caps
- Recipient allowlists
- Contract allowlists
- Emergency freeze
For ERC-4337 smart accounts, session policies constrain direct
account.execute(...) actions. Installed executor modules, such as x402
payment executors, run under the wallet's module-install authority; their
internal callbacks are not checked again against the session action
allowlist. Treat executor installation and replacement as high-trust wallet
administration.
Human Approval¶
Require approval for:
| Action | Recommended gate |
|---|---|
| Sending messages or emails | User confirmation or policy allowlist |
| Changing billing or ownership | Fresh MFA and human approval |
| Deleting data | Delegated token plus explicit approval |
| Signing wallet transactions | Wallet budget, allowlist, and approval |
| Exporting data | Audit event and limited scope |
Incident Response¶
If an agent is compromised:
- Suspend the agent
- Revoke active agent keys
- Revoke delegated tokens and vault grants
- Freeze wallet signing if relevant
- Review recent audit logs and webhooks
- Rotate downstream credentials if the agent could access them
API Surface¶
| Endpoint | Use |
|---|---|
GET /api/v1/wallets |
List wallets |
POST /api/v1/wallets |
Create a wallet |
GET /api/v1/wallets/{id} |
Read wallet details |
POST /api/v1/wallets/{id}/sign |
Sign a transaction |
POST /api/v1/wallets/{id}/freeze |
Emergency freeze |
POST /api/v1/wallets/{id}/unfreeze |
Resume signing after review |
DELETE /api/v1/wallets/{id} |
Deprovision a wallet |
GET /api/v1/wallets/{id}/budget |
Inspect budget and spend state |
PUT /api/v1/wallets/{id}/budget |
Set spending and allowlist controls |
GET /api/v1/wallets/{id}/transactions |
Review transaction history |
See Also¶
- Agent Authentication - Agent identity
- OAuth And OIDC - OAuth and login integration