Session keys are a feature of the Alchemy Wallets API that let you create a session for a user's smart account with a specific set of permissions. A session key lets another account (for example, your app's server) operate on the user's smart account within those permissions, so your server can act on the user's behalf without ever holding the user's private key. After creating a session, you can sign transactions for that wallet with the session key, and the account will only accept operations that fall within the permissions you defined. The available permissions are listed below.
To use this guide, you'll need:
- An account you can sign with (e.g. an Alchemy Signer or an EOA)
- An Alchemy API key
- A gas manager policy ID if sponsoring gas
We'll demonstrate how to create and use session keys either with the TypeScript SDK client or with the platform-agnostic JSON-RPC APIs, which you can call from any RPC client.
To specify permissions when installing a session key, include them in the permissions array when calling client.grantPermissions() via the SDK or wallet_createSession via the JSON-RPC API.
```ts
// `signer` is the account that owns the smart account (e.g. an Alchemy Signer or EOA);
// `sessionKey` is the signer whose address will be authorised for the session.
const signerAddress = await signer.getAddress();
const permissions = await client.grantPermissions({
  account: signerAddress,
  // expiry is a Unix timestamp in seconds; here the session lasts one hour
  expirySec: Math.floor(Date.now() / 1000) + 60 * 60,
  key: {
    publicKey: await sessionKey.getAddress(),
    type: "secp256k1",
  },
  // replace the placeholders with permission objects from the list below
  permissions: [{ PERMISSION_ONE }, { PERMISSION_TWO }],
});
```

This permission allows transfer of native tokens (like Ether) from the account.
```ts
{
  type: "native-token-transfer";
  data: {
    allowance: Hex; // a hexadecimal encoded transfer limit, for example, 1 ETH would be 0xde0b6b3a7640000 (1e18 in hex)
  };
}
```

This permission allows transfer or approval of ERC-20 tokens from the account. The specified allowance is the total cumulative spend limit across all transfers and approvals made with the session key (it is not a per-operation allowance).
```ts
{
  type: "erc20-token-transfer";
  data: {
    address: Address; // ERC-20 token contract address
    allowance: Hex; // a hexadecimal encoded transfer limit
  };
}
```

This permission allows the session key to spend gas for user operations up to a specified limit.
```ts
{
  type: "gas-limit";
  data: {
    limit: Hex; // a hexadecimal encoded gas limit, for example 300000 gas would be 0x493e0
  };
}
```

This permission grants access to all functions in a specific contract.
```ts
{
  type: "contract-access";
  data: {
    address: Address; // the target contract's address
  };
}
```

This permission grants access to specific functions on the smart account itself.
```ts
{
  type: "account-functions";
  data: {
    functions: Hex[]; // array of allowed function selectors, e.g. ["0xabcdef01", "0x12345678"]
  };
}
```

This permission grants access to a set of function selectors across any address.
```ts
{
  type: "functions-on-all-contracts";
  data: {
    functions: Hex[]; // array of function selectors allowed globally, e.g. ["0xddf252ad"]
  };
}
```

This permission grants access to specific function selectors on one contract.
```ts
{
  type: "functions-on-contract";
  data: {
    address: Address; // the contract address you're targeting
    functions: Hex[]; // array of allowed function selectors for that contract, e.g. ["0xddf252ad"]
  };
}
```

This permission grants full access to everything. Needless to say, this is a very dangerous permission to grant.
```ts
{
  type: "root"; // no additional data required
}
```
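Because a session key is only as safe as the permissions it is granted, the following added example (not Alchemy's own code) reviews a permissions array before it is passed to client.grantPermissions(): it rejects root, flags the broad contract-access and functions-on-all-contracts grants, checks that addresses, allowances and selectors are well formed, requires a gas-limit, and caps the session lifetime. The permission shapes follow the list above; the lifetime cap, the finding texts and the sample token address are this example's own assumptions.

```typescript
// Added example (not Alchemy's own code): a pre-flight review of a session-key
// permissions array before it is handed to client.grantPermissions().
// Permission shapes follow the page; the lifetime cap and findings are assumptions.
type Hex = `0x${string}`;
type Permission =
  | { type: "native-token-transfer"; data: { allowance: Hex } }
  | { type: "erc20-token-transfer"; data: { address: Hex; allowance: Hex } }
  | { type: "gas-limit"; data: { limit: Hex } }
  | { type: "contract-access"; data: { address: Hex } }
  | { type: "account-functions"; data: { functions: Hex[] } }
  | { type: "functions-on-all-contracts"; data: { functions: Hex[] } }
  | { type: "functions-on-contract"; data: { address: Hex; functions: Hex[] } }
  | { type: "root" };

// Encode a base-unit amount (wei, token units, gas) as the hex string the API expects.
function toHexAmount(n: bigint): Hex {
  if (n < BigInt(0)) throw new Error("amount must be non-negative");
  return `0x${n.toString(16)}`;
}

const isHex = (s: string) => /^0x[0-9a-fA-F]+$/.test(s);
const isAddress = (s: string) => /^0x[0-9a-fA-F]{40}$/.test(s);
const isSelector = (s: string) => /^0x[0-9a-fA-F]{8}$/.test(s); // 4-byte function selector

// Returns the findings a reviewer would want to see; an empty list means the set passes.
function reviewPermissions(perms: Permission[], ttlSec: number, maxTtlSec = 24 * 3600): string[] {
  const out: string[] = [];
  if (ttlSec > maxTtlSec) out.push(`session lifetime ${ttlSec}s exceeds cap of ${maxTtlSec}s`);
  if (!perms.some((p) => p.type === "gas-limit")) out.push("no gas-limit: session can spend unbounded gas");
  for (const p of perms) {
    if (p.type === "root") { out.push("root: full control of the account"); continue; }
    if (p.type === "functions-on-all-contracts") out.push("functions-on-all-contracts: selectors callable at any address");
    if (p.type === "contract-access") out.push(`contract-access: every function on ${p.data.address}`);
    if ("address" in p.data && !isAddress(p.data.address)) out.push(`${p.type}: malformed address`);
    if ("allowance" in p.data && !isHex(p.data.allowance)) out.push(`${p.type}: allowance is not hex`);
    if ("limit" in p.data && !isHex(p.data.limit)) out.push(`${p.type}: limit is not hex`);
    if ("functions" in p.data) for (const f of p.data.functions) if (!isSelector(f)) out.push(`${p.type}: bad selector ${f}`);
  }
  return out;
}

// Constructed sample: a backend that may only call transfer() on one token, within a spend cap and a gas cap.
const TOKEN: Hex = "0x1111111111111111111111111111111111111111"; // placeholder token address
const SAMPLE_OK: Permission[] = [
  { type: "erc20-token-transfer", data: { address: TOKEN, allowance: toHexAmount(BigInt(500000000)) } },
  { type: "functions-on-contract", data: { address: TOKEN, functions: ["0xa9059cbb"] } }, // transfer(address,uint256)
  { type: "gas-limit", data: { limit: toHexAmount(BigInt(300000)) } },
];
```

Run the review on the array you intend to grant and refuse to call grantPermissions() while it returns any finding; the hex encodings it produces match the examples given for each permission above.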