Integrate delegated session keys

  1. Generate a dedicated session public/private keypair for automation.
  2. Choose the narrowest acl_scope that still matches the request family you need to automate.
  3. Build a delegated payload with explicit expiry and the session public key.
  4. Sign the delegated payload with the wallet EIP-712 signer.
  5. Attach the delegated payload bytes to each session-key-signed request.
  6. Verify server-side acceptance through receipts and event outcomes.
  7. Rotate or revoke the session key on expiry, ACL change, or automation-host compromise.

Map request families to ACL scope before signing

Use the ACL that corresponds to the exact request family. The operator accepts either the required action or Unrestricted; a request whose family is not covered by the scope is rejected with a session ACL violation.

| Request family | Required session action |
|----------------|-------------------------|
| Order          | Order                   |
| ModifyOrder    | ModifyOrder             |
| CancelOrder    | CancelOrder             |
| CancelAll      | CancelAll               |

Do not default to Unrestricted unless the automation host genuinely needs that breadth.

Required payload fields

  • session_signature
  • expiry
  • acl_scope
  • session_public_key

Validate the delegated payload before live use

  1. Confirm expiry is comfortably inside the intended automation window.
  2. Confirm session_public_key matches the key that will sign requests.
  3. Confirm acl_scope covers the exact request family and no broader set than necessary.
  4. Sign a low-risk request in a non-production environment and verify that the server accepts it.
  5. Intentionally send one out-of-scope request and confirm it is rejected as a session authorization failure before relying on the policy in production.
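
Steps 1 to 3 can be run as a local pre-flight check before any request is sent. The sketch below is an added example, not the operator's or the project's own code. It assumes expiry is a Unix timestamp in seconds, acl_scope is a list of action names and keys are hex strings; preflight, margin and window_end are hypothetical names.

```python
import time

# Request family -> required session action, from the mapping table on this page.
REQUIRED_ACTION = {f: f for f in ("Order", "ModifyOrder", "CancelOrder", "CancelAll")}
REQUIRED_FIELDS = ("session_signature", "expiry", "acl_scope", "session_public_key")

# Constructed sample payload (placeholder values), scoped too broadly for Order-only use.
SAMPLE = {"session_signature": "0x<placeholder>", "expiry": 1_700_003_600,
          "acl_scope": ["Order", "CancelAll"], "session_public_key": "0xAB12"}


def _norm_key(key):
    """Normalize a hex key for comparison (hex encoding is an assumption)."""
    k = key.lower()
    return k[2:] if k.startswith("0x") else k


def preflight(payload, signer_public_key, families, window_end, now=None, margin=300):
    """Run validation steps 1-3 locally; return findings (empty list = pass).

    Assumed, not from the page: expiry/window_end are Unix seconds, acl_scope
    is a list of action names, and `margin` is a hypothetical safety buffer.
    """
    now = time.time() if now is None else now
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        return [f"missing field: {f}" for f in missing]
    findings = []
    # Step 1: not expired or about to expire, and not outliving the window.
    if payload["expiry"] < now + margin:
        findings.append("expiry: expired or inside the safety margin")
    if payload["expiry"] > window_end:
        findings.append("expiry: delegation outlives the automation window")
    # Step 2: the delegated key must be the key that actually signs requests.
    if _norm_key(payload["session_public_key"]) != _norm_key(signer_public_key):
        findings.append("session_public_key: does not match request signer")
    # Step 3: scope covers every needed family and nothing broader.
    findings += [f"acl_scope: unknown family {f}" for f in families if f not in REQUIRED_ACTION]
    needed = {REQUIRED_ACTION[f] for f in families if f in REQUIRED_ACTION}
    granted = set(payload["acl_scope"])
    if "Unrestricted" in granted:
        findings.append("acl_scope: Unrestricted is broader than necessary")
    else:
        findings += [f"acl_scope: missing {a}" for a in sorted(needed - granted)]
    findings += [f"acl_scope: unneeded {a}" for a in sorted(granted - needed - {"Unrestricted"})]
    return findings


if __name__ == "__main__":
    print(preflight(SAMPLE, "0xab12", ["Order"], window_end=1_700_007_200, now=1_700_000_000))
```

A clean result here only covers the local checks; steps 4 and 5 still have to be confirmed against the server.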

Common failure patterns

| Symptom | Likely cause | What to check |
|---------|--------------|---------------|
| SessionUnauthorized | expired or malformed delegated payload | expiry, payload bytes, and wallet signature |
| session ACL violation | request family not present in acl_scope | action mapping above |
| signer mismatch | session key does not match delegated public key | session_public_key and the actual request signer |
| intermittent accepts/rejects | mixed wallet-signed and session-signed flows | whether every automated request consistently carries the delegated payload |

Last modified on April 13, 2026