Session Keys
Session keys are a feature of the Alchemy Wallets API that let you create a session on a user’s smart account with specific permissions. Another account, such as your app’s server, can then operate on the user’s smart account and act on the user’s behalf without needing their private key. After creating a session, you can use the session key to sign transactions for the generated wallet within the defined permissions. See Permission Types below for a list of permissions.
To use this guide, you’ll need:
- An account you can sign with (e.g. an Alchemy Signer or an EOA)
- An Alchemy API key
- A gas manager policy ID if sponsoring gas
Create A Session With Permissions
We’ll demonstrate how to create and use session keys using the SDK client or by using platform-agnostic JSON-RPC APIs.
- Start building in minutes using the TypeScript SDK.
- Integrate with any RPC client using the JSON-RPC APIs.
Permission Types
To specify permissions during a session key installation, include them in the permissions array when calling client.grantPermission() via the SDK or wallet_createSession via the API.
Native Token Transfer
This permission allows transfer of native tokens (like Ether) from the account.
ERC20 Token Transfer
This permission allows transfer or approval of ERC20 tokens from the account. Both transfers and approvals count towards the limit.
Gas Limit
This permission allows the session key to spend gas for user operations up to a specified limit.
Contract Access
This permission grants access to all functions in a specific contract.
Account Functions
This permission grants access to specific functions on the smart account itself.
Functions On All Contracts
This permission grants access to a set of function selectors across any address.
Functions On Contract
This permission grants access to specific function selectors on one contract.
Root
This permission grants full access to everything. Needless to say, this is a very dangerous permission to grant.
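Because the permission types above range from narrowly scoped to Root, it helps to check a permissions array against a least-privilege policy before it is installed. The following is an added example, not code from the Alchemy SDK or documentation. It assumes each entry has the shape `{ type, data }` with kebab-case type names and hex-string amounts (check these against the API reference); `auditPermissions`, `capFor` and the policy object are hypothetical names.

```javascript
// Pre-flight audit of a session-key permissions array before it is passed to
// client.grantPermission() or wallet_createSession.
// ASSUMPTION: entries look like { type, data } with kebab-case type names and
// hex-string amounts; verify names and fields against the API reference.
const HEX = /^0x[0-9a-fA-F]+$/;
const BROAD = {
  "contract-access": "every function on the contract is callable",
  "functions-on-all-contracts": "selectors are callable on any address",
};
// Which data field carries the amount for each spend-type permission (assumed).
const AMOUNT_FIELD = {
  "native-token-transfer": "allowance",
  "erc20-token-transfer": "allowance",
  "gas-limit": "limit",
};

// Cap (a BigInt) that the hypothetical policy object sets for this entry.
function capFor(p, policy) {
  if (p.type !== "erc20-token-transfer") return policy.caps[p.type];
  const token = String((p.data || {}).address || "").toLowerCase();
  return policy.erc20Caps[token]; // undefined for tokens not on the allowlist
}

function auditPermissions(permissions, policy) {
  const findings = [];
  const add = (index, severity, reason) => findings.push({ index, severity, reason });
  permissions.forEach((p, i) => {
    if (p.type === "root") return add(i, "block", "root grants full access to everything");
    if (BROAD[p.type]) add(i, "warn", `${p.type}: ${BROAD[p.type]}`);
    const field = AMOUNT_FIELD[p.type];
    if (!field) return;
    const raw = (p.data || {})[field];
    const cap = capFor(p, policy);
    if (typeof raw !== "string" || !HEX.test(raw)) add(i, "block", `${p.type}: ${field} missing or not hex`);
    else if (cap === undefined) add(i, "block", `${p.type}: no cap configured for this asset`);
    else if (BigInt(raw) > cap) add(i, "block", `${p.type}: ${field} ${raw} exceeds cap`);
  });
  return { ok: !findings.some((f) => f.severity === "block"), findings };
}

// Constructed sample input (the token address is a placeholder, caps are made up).
const TOKEN = "0x1111111111111111111111111111111111111111";
const SAMPLE_POLICY = {
  caps: { "native-token-transfer": 10n ** 17n, "gas-limit": 10n ** 16n },
  erc20Caps: { [TOKEN]: 50000000n },
};
const SAMPLE_REQUEST = [
  { type: "native-token-transfer", data: { allowance: "0xde0b6b3a7640000" } }, // 10^18
  { type: "erc20-token-transfer", data: { address: TOKEN, allowance: "0x989680" } },
  { type: "functions-on-all-contracts", data: { functions: ["0xa9059cbb"] } },
  { type: "root" },
];
```

Run the audit on the server that requests the session and refuse to install it when `ok` is false; `warn` findings are for human review.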