Introduction
Smart Sessions is Rhinestone’s framework for creating and managing session keys: a system for granting scoped, onchain permissions to a smart account.
Overview
Session keys are keys whose permissions are authorized by a signature from the user’s master key (a passkey, an ECDSA key, or a multisig). Smart Sessions enables session keys to be created and used with all major smart account implementations (via ERC-7579) and is fully compatible with Rhinestone’s Omni Account transaction infrastructure.
Examples of the onchain permissions that can be tailored with Smart Sessions include:
- Interacting only with a specific DeFi protocol (e.g., Aave or Uniswap)
- Spending limits on ERC20s or ETH
- Timeframes for expiry after a pre-determined period
- Combining permissions (e.g., Uniswap-only, 1000 USDC limit, 3-day expiry)
Key example use cases include:
- Skipping confirmations: Store a session key locally for “one-click trading,” allowing seamless decentralized application (dapp) interactions without repeated signing prompts.
- Automating transactions: Users share a scoped key for server-side execution, enabling:
  - Subscription payments
  - Limit orders or stop orders
  - Auto-repaying loans to prevent liquidation
This granular control enhances security, streamlines dapp interactions, and makes Web3 more user-friendly.
Security
Smart Sessions unlocks many new use cases, but a session key is a delegated credential: whoever holds it can act within its permissions. To keep your users secure when using sessions, follow these guidelines:
- Store the session key securely. Depending on the use case, it can live in the browser or on your backend; for backend-held keys, consider a key management solution such as a cloud KMS or Lit Protocol.
- Stick to the principle of least privilege: request only the actions the use case needs.
- Guard your smart session with granular policies (e.g., cap the amount of ETH that can be spent through the session).
- Where possible, timebox your session (e.g., make it valid for one week only).
Reach out to us if you need any help!