Session keys are restricted, short-lived keys that a user delegates to a third party. The delegate can sign transactions on the user’s behalf, but only within the bounds the user defined. The user’s main account key is never shared. Rhinestone’s Smart Sessions module implements session keys as an ERC-7579 validator. It is multichain-compatible and works with all supported smart account implementations and smart EOAs.

How they work

When a user creates a session, they define:
  • Owners: who holds the session key (your app, an agent, a smart contract)
  • Actions: which contracts and functions the key is allowed to call
  • Policies: constraints on those actions (spending limits, time windows, usage limits)
The user signs once to approve the session. After that, the session key holder can execute permitted transactions without prompting the user again — until the session expires or its limits are reached.

What they enable

  • 1-click UX: users pre-approve a set of actions, then your app executes them instantly with no wallet prompts. Common in trading apps, games, and subscription flows.
  • Automated transactions: delegate to a bot, agent, or smart contract to execute on the user’s behalf within predefined limits. The user retains full control and can revoke at any time.
  • Crosschain automation: Smart Sessions is multichain-aware. A single session approval can authorize actions across multiple chains, consistent with Warp’s single-signature intent model.

Trust model

Session keys do not grant unrestricted access to the account. They are constrained by:
  • The specific contracts and function selectors allowed in the session
  • Any policies applied (spending limits, timeframe, usage count)
  • The session expiry
A compromised or malicious session key can only act within these bounds. The user’s main key always retains the ability to revoke the session.
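
The bounds listed above, modeled as an added TypeScript example (not Rhinestone's code, SDK API, or the Smart Sessions contract logic). The `Session` and `Call` types, `checkCall`, the single-owner simplification, the order of the checks and the sample addresses are assumptions made for illustration; amounts are plain numbers where on-chain values would be uint256.

```typescript
// Conceptual model of the bounds in "Trust model". Hypothetical names and types;
// not the Smart Sessions contracts or the Rhinestone SDK API.
type Action = { target: string; selector: string };

interface Session {
  owner: string;        // holder of the session key (one owner, for brevity)
  actions: Action[];    // allowed contract + function selector pairs
  spendLimit: number;   // spending-limit policy (plain numbers for brevity)
  maxUses: number;      // usage-count policy
  validAfter: number;   // time-window start, unix seconds
  validUntil: number;   // session expiry, unix seconds
  revoked: boolean;     // set when the user's main key revokes the session
  spent: number;        // running totals, updated only on "allow"
  uses: number;
}

interface Call { signer: string; target: string; selector: string; value: number }

// Returns "allow" or a "deny: ..." reason. Any failed check denies the call.
function checkCall(s: Session, c: Call, now: number): string {
  if (s.revoked) return "deny: session revoked";
  if (c.signer !== s.owner) return "deny: signer does not hold the session key";
  if (now < s.validAfter || now > s.validUntil) return "deny: outside time window";
  const permitted = s.actions.some((a) => a.target === c.target && a.selector === c.selector);
  if (!permitted) return "deny: action not in session";
  if (s.uses >= s.maxUses) return "deny: usage limit reached";
  if (c.value < 0 || s.spent + c.value > s.spendLimit) return "deny: spending limit exceeded";
  // State changes only after every check has passed, so denied calls cost nothing.
  s.spent += c.value;
  s.uses += 1;
  return "allow";
}

// Constructed sample data: placeholder addresses and standard ERC-20 selectors.
const TOKEN = "0x1111111111111111111111111111111111111111";
const SESSION_KEY = "0x2222222222222222222222222222222222222222";
const TRANSFER = "0xa9059cbb"; // transfer(address,uint256)
const APPROVE = "0x095ea7b3";  // approve(address,uint256), not granted below

function newSession(): Session {
  return {
    owner: SESSION_KEY, actions: [{ target: TOKEN, selector: TRANSFER }],
    spendLimit: 100, maxUses: 3, validAfter: 1000, validUntil: 2000,
    revoked: false, spent: 0, uses: 0,
  };
}
```

A session key holder that tries `APPROVE` on the same token, exceeds the cumulative limit, or signs after revocation gets a deny result, which is the property the trust model relies on.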

Next steps

Smart Sessions guide

Full API reference: owners, actions, policies, and multi-session signatures.

Session keys tutorial

Build a working session key integration step by step.