Skip to main content
HomeLanding pagesWhat is a session key?
LANDING PAGE

What is a session key?

7 min read·Last updated June 2, 2026

A session key is a scoped, often temporary cryptographic key authorized to sign a limited set of transactions on behalf of a wallet, within defined constraints, without exposing the wallet's main key. Smart wallets use session keys to delegate bounded signing authority to an app or agent. It is one way to give an agent bounded payment authority; managed wallets with a server-side spend policy are another.

Definition

A session key is a scoped, often temporary cryptographic key authorized to sign a limited set of transactions on behalf of a wallet, within defined constraints, without exposing the wallet's main key. Smart wallets use session keys to delegate bounded signing authority to an app or agent. It is one way to give an agent bounded payment authority; managed wallets with a server-side spend policy are another.

In short, a session key is a limited stand-in for a wallet's main key. Rather than handing an app or agent full control of a wallet, you issue a key that can do only certain things, within limits, for a defined window. That lets you delegate signing without delegating everything, which is why session keys appear in smart-wallet designs and in discussions of how to give an agent payment authority safely. They are a mechanism for bounded delegation at the key level.

The problem it solves

The problem a session key solves is delegating signing authority without all-or-nothing risk. A wallet's main key can do anything: move the whole balance, sign any transaction. If you give that key to an app or an agent so it can act for you, you have handed over total control, and a compromise of that app or agent compromises the whole wallet. That is too much risk for most delegation.

A session key narrows the grant. Instead of the main key, you issue a key scoped to exactly what the delegate needs, certain actions, certain amounts, a certain time, and the delegate operates with that. The main key stays safe, unexposed, while the session key carries only limited authority. If the session key leaks or the delegate misbehaves, the damage is bounded by the key's scope rather than the whole wallet. So the session key turns dangerous all-or-nothing delegation into safe, bounded delegation, which is its reason to exist.

How a session key works

A session key works by being authorized with a defined scope and then used within it. The wallet, typically a smart wallet capable of custom authorization rules, grants the session key permission to perform a limited set of actions, often with spending constraints and an expiry. The session key then signs transactions that fall within that scope, and the wallet accepts them because they match the granted authority; transactions outside the scope are not authorized.

The scope is the heart of it. It can include which kinds of transactions are allowed, caps on amounts, and a time window after which the key expires. Because the constraints are enforced by the wallet's authorization logic, the session key cannot exceed them even if the holder tries. When the session ends or the key expires, its authority lapses, which is why it is called a session key: it is meant for a bounded session of activity, after which it no longer signs. This combination, scoped grant plus enforced constraints plus expiry, is what makes it a controlled credential.

Where session keys appear

Session keys appear primarily in smart wallets, which, unlike a basic externally-owned account, can implement custom authorization rules and so can authorize keys with conditions. Some consumer smart wallets use session keys to improve experience: an app can be granted a session key to act on a user's behalf for a while without prompting for approval on every action, which is smoother than repeated confirmations while staying bounded.

In the agent and payments world, session keys come up as one way to give an agent scoped authority to transact. The idea maps naturally: an agent gets a session key bounded to what it should be able to spend and do, rather than a wallet's full key. Smart-wallet platforms that support session keys can express agent authority this way. It is one design point in a space that also includes managed wallets with server-side policies, so session keys are a common but not universal mechanism for bounded agent authority.

Session keys and agents

For AI agents, a session key is appealing because an agent is exactly the kind of delegate that should not hold a wallet's full key. An agent can be wrong or prompt-injected, so giving it unbounded signing authority is dangerous. A session key scoped to the agent's needs, capped amounts, allowed actions, an expiry, bounds what the agent can do at the key level, so a compromised agent is limited to the session key's scope.

This is the same goal as an agent spend policy: bound what an autonomous agent can spend so a human can delegate safely. The session key achieves it by issuing a constrained signing credential; a managed wallet with a spend policy achieves it by enforcing limits server-side without the agent holding a raw key at all. Both aim at scoped, bounded authority for an agent, and which you encounter depends on the platform. The shared principle is that an agent should operate with limited, enforced authority, never the keys to the whole wallet.

Session keys versus managed wallets

It is worth being clear about how session keys relate to the managed-wallet approach, since they are alternative means to a similar end. With session keys, the agent holds a scoped key and signs within its constraints, and the wallet's authorization logic enforces the scope. With a managed wallet and a server-side spend policy, as Blockchain0x uses, the agent holds no raw key at all; it requests payments, and a server-side spend limit caps what it can spend, enforced where the agent cannot reach it.

Both bound the agent and protect against a compromise, but the trust model differs. A session key still puts a signing credential in the agent's hands, bounded but present; the managed approach keeps keys out of the agent entirely and bounds it with an enforced policy. Neither is universally better; they are different designs for the same need, scoped, safe delegation of payment authority. Understanding session keys helps you recognize one common approach and contrast it with the managed-wallet-plus-spend-policy approach when you compare how platforms bound agents.

The tradeoffs to weigh

When you encounter session keys as an option, a few tradeoffs are worth weighing. On the plus side, a session key keeps the main wallet key entirely unexposed and lets the wallet's own authorization logic enforce scope on chain, which is appealing for self-custody and for transparency about what the delegate may do. On the other side, the agent does hold a credential, bounded but real, that must be managed, rotated, and protected, and the scoping rules add complexity to set up correctly.

The managed-wallet approach trades differently: no credential in the agent's hands and a simple server-side limit, at the cost of relying on the platform's enforcement rather than on-chain authorization rules. Which tradeoff fits depends on whether you value self-custody and on-chain enforcement or simplicity and zero key exposure for the agent. Knowing session keys exist, and what they trade, lets you make that choice deliberately rather than defaulting to whichever a single platform happens to offer.

A session key connects to several concepts. A smart wallet is the kind of wallet that can authorize session keys. An agent spend policy is the server-side approach to bounding an agent, an alternative to session keys. An AI agent wallet is what either approach secures. And Coinbase Smart Wallet is one wallet known for session-key-style features.

Understanding session keys helps you reason about how signing authority is delegated and bounded, one of the core safety questions for agent payments. For the managed alternative, see what-is-an-agent-spend-policy; for the wallet itself, see what-is-an-ai-agent-wallet. Pricing is on the pricing page.

FAQ

Frequently asked questions.

What is a session key in simple terms?

It is a limited, often temporary key that can sign certain transactions for a wallet without being the wallet's main key. You grant it scope, what it may do, how much it may spend, for how long, and then an app or agent can act within that scope. If it is compromised, the damage is bounded by its scope, and the main key stays safe.

What is the point of a session key?

To delegate bounded signing authority without exposing the main key. Instead of giving an app or agent the full wallet key, which would be all-or-nothing, you issue a session key scoped to exactly what it needs. That limits risk: the delegate can do its job within the scope, and a compromise is contained, rather than putting the whole wallet at stake.

Where are session keys used?

Primarily in smart wallets, which can authorize keys with custom rules. Some consumer smart wallets use session keys to let an app act on a user's behalf for a session without repeated approvals. In agent contexts, a session key is one way to give an agent scoped payment authority, though managed wallets with a server-side spend policy achieve a similar goal differently.

Does Blockchain0x use session keys?

Blockchain0x uses managed wallets with a server-side spend policy to bound an agent's payments, which achieves the same goal as a session key, bounded delegated authority, through a different mechanism. The agent never holds a raw key, and a server-side spend limit caps what it can spend. Session keys are an alternative approach common in smart-wallet setups; both aim at scoped, bounded authority.

Is a session key the same as a spend limit?

Related but not identical. A session key is a scoped signing credential; a spend limit is a cap on how much can be spent. A session key often includes spending constraints as part of its scope, so the two overlap, but a spend limit can also be enforced server-side without a separate key, as with a managed agent wallet. Both bound what a delegate can do.

Create your free agent wallet in 5 minutes.

First payment confirmed in under ten minutes. Free to start.