Delegated Keys
Delegate wallet actions with guardrails to prevent misuse
Delegated keys are well suited for agentic development, where you’d like to enforce programmatic guardrails about what an agent can and cannot do onchain.
Why Smart Wallets + Delegated Keys?
- 🔐 Enhanced Security: Keep your wallet secure while delegating permissions to AI agents
- ⚡ Autonomous Operations: Enable AI agents to execute independently within parameters
- 🎯 Granular Control: Set permissions and expiration dates for each agent’s capabilities
- 🚀 Quick Integration: Get up and running in minutes with a straightforward REST API
How Delegated Signers Work
- Creation: Developer creates a request to add a new key as signer for the wallet, with optional restrictions around permissions and expiry date
- Approval: Wallet admin approves the request
- Transact: AI agent can then execute transactions within the defined permissions
Technical Implementation
Overview
In this quickstart, we propose a scenario where there’s a smart wallet that is owned by two keys: an admin key held by the developer, and a delegated key given to an agent, with a restricted set of permissions.
Step 1: Create Smart Wallet
First, we create a Smart Wallet, controlled by the developer’s key, which will be called the admin signer.
You can use a webauthn passkey as admin signer, an existing ethereum address, or generate an ethereum wallet in code.
In this quickstart we will generate the admin signer key in code:
This address is not the wallet you’ll put funds in. It’s just a key that will be used to control the smart wallet, which we create below.
Save the private key for the admin signer securely.
Now, we are going to create a Smart Wallet and set its owner to be the admin key we just created.
To do so, we call the Create wallet endpoint with the following body:
With this, we have a smart wallet created, and it can be controlled by the admin (agent owner), 0x234.
Step 2: Create Key for the Agent
As a next step, we want to create a separate key that will be held by our agent. This key will be able to send transactions on behalf of the smart wallet, but will have some restrictions attached.
For this tutorial, we will generate the agent key following the same steps as the admin key:
Then we should store the private key somewhere safe that the agent can access. For example, as an environment variable in the server that the agent is running on.
And now we register the address above as a delegated signer for the smart wallet, using the address locator returned when we created the wallet, i.e. 0xdeadbeef:
Step 3: Approve Registration of Agent Signer with the Admin Key
The admin signer needs to approve the registration of the agent’s key as a delegated signer, by signing the message from the response, i.e. 0xme55ageTo5ign - note that the response above is “awaiting-approval”.
We now need to submit that signed message using the signature approval endpoint, POST https://staging.crossmint.com/api/v1-alpha2/wallets/0xdeadbeef/signatures/1bc61c9d-0929-4782-a21c-177acda93a2d/approvals and pass the following body:
And with this, the agent key now has delegated access to the smart wallet 🎉
Step 4: Send a Transaction from the Agent
Now that the agent’s key is approved, it can create transactions on the developer’s behalf, as long as transactions respect the defined permissions.
Here we are going to make a USDC transfer. The first step is to prepare the transaction:
Now we will use the transaction data generated and the Generate new transaction API to submit a new transaction for the smart wallet with the following body:
Step 5: Approve Transaction
The agent, via its delegated key, signs the transaction message to approve it. Then, it will be broadcasted on-chain.
Like before, the message to sign is “awaiting-approval” in the previous response.
To submit the transaction, use the Transaction Approval API to pass the signature in the body, the transactionId from Step 4 in the route’s path, and the wallet’s locator, 0xdeadbeef:
With this, our agent has already submitted its first transaction! 🕺
(Bonus) Step 6: Check transactions for a wallet
The agent developer can easily fetch transactions executed by their wallet, as well as filter the responses based on signer to audit transactions by specific agents.
🎉 Advanced: Permissions System
Developers will soon be able to specify a comprehensive permissions system for delegated keys.
This powerful feature will enable granular control over AI agent capabilities: