What is a Session Key?


A temporary cryptographic key granting an AI agent limited, time-bound permission to sign transactions from a smart account. Session keys expire automatically and restrict what operations the agent can perform.

WHY IT MATTERS

Giving an agent the master key to a smart account is like giving them the keys to the vault. Session keys are temporary passes — they grant specific, limited signing authority that expires.

A session key might allow: USDC transfers only, up to $500 per transaction, for the next 4 hours, only to approved addresses. The smart account validates each transaction against these constraints before accepting the signature.

Session keys are native to smart accounts (ERC-4337) and represent one of the strongest on-chain mechanisms for controlling agent spending.
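To make the validation step concrete, here is an added example (not PolicyLayer's code) that models the policy from the paragraph above: a session key scoped to USDC, capped at $500 per transaction, valid for 4 hours and limited to approved addresses, with the smart account rejecting any signature that violates a constraint. It assumes an HMAC stand-in for the real ECDSA signature, constructed addresses and timestamps, and a plain dict in place of on-chain account state.

```python
import hashlib
import hmac
from dataclasses import dataclass
USDC_DECIMALS = 10**6  # USDC has 6 decimals, so $500 is 500 * 10**6 base units

@dataclass
class SessionKey:
    key_id: str
    secret: bytes                  # the agent's signing secret (HMAC stands in for an ECDSA key)
    allowed_token: str             # only transfers of this token are accepted
    max_per_tx: int                # per-transaction cap, in base units
    expires_at: int                # unix time after which the account stops accepting this key
    allowed_recipients: frozenset  # approved destination addresses
    revoked: bool = False          # owner can revoke before expiry

@dataclass(frozen=True)
class Transfer:
    token: str
    amount: int
    to: str

def agent_sign(tx: Transfer, key: SessionKey) -> str:
    """Agent side: sign the transfer with the session key it was issued."""
    msg = f"{tx.token}|{tx.amount}|{tx.to}".encode()
    return hmac.new(key.secret, msg, hashlib.sha256).hexdigest()

def account_validate(keys: dict, key_id: str, tx: Transfer, sig: str, now: int) -> str:
    """Smart account side: accept the signature only if every session constraint holds."""
    key = keys.get(key_id)
    if key is None:
        return "unknown key"
    if key.revoked:
        return "revoked"
    if now >= key.expires_at:
        return "expired"
    if not hmac.compare_digest(agent_sign(tx, key), sig):
        return "bad signature"
    if tx.token != key.allowed_token:
        return "token not allowed"
    if tx.amount > key.max_per_tx:
        return "amount exceeds per-tx limit"
    if tx.to not in key.allowed_recipients:
        return "recipient not approved"
    return "ok"

# Constructed session matching the policy in the text: USDC only, <= $500/tx, 4 hours, allowlist.
ISSUED_AT = 1_700_000_000
AGENT_KEY = SessionKey("agent-1", b"constructed-secret", "USDC", 500 * USDC_DECIMALS,
                       ISSUED_AT + 4 * 3600, frozenset({"0xVendorA", "0xVendorB"}))
ACCOUNT_KEYS = {AGENT_KEY.key_id: AGENT_KEY}
```

Because the checks run in the account's validation path, a compromised or misbehaving agent cannot exceed the cap, spend after expiry, or pay an unapproved address even though it holds a valid key.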

HOW POLICYLAYER USES THIS

PolicyLayer uses session keys to grant agents temporary, scoped spending authority. Session keys provide on-chain enforcement while PolicyLayer adds off-chain policy richness.

FREQUENTLY ASKED QUESTIONS

How are session keys created?
The smart account owner (or an authorized system like PolicyLayer) issues a session key with defined permissions. The key is given to the agent for its session.

What happens on expiry?
The smart account stops accepting signatures from that key. The agent can't transact until a new session key is issued.

Can multiple agents share a session key?
Technically possible but not recommended. Each agent should have its own session key for accountability and independent revocation.
