
# Overview

> Rhinestone’s framework for creating and managing session keys. It is a powerful system for creating onchain permissions.

## Introduction

Session keys are separate signing keys whose permissions are authorized by a signature from the user’s master key (passkey, ECDSA, or multisig). Smart Sessions lets session keys be created and used with all major smart account implementations (via ERC-7579) and is fully compatible with Rhinestone’s Warp transaction infrastructure.

Examples of the onchain permissions that can be tailored with Smart Sessions include:

* Interacting only with a specific DeFi protocol (Aave or Uniswap)
* Spending limits on ERC20s or ETH
* Timeframes for expiry after a pre-determined period
* Combining permissions (e.g., Uniswap-only, 1000 USDC limit, 3-day expiry)

Key example use cases include:

* **Skipping confirmations**: Store a session key locally for “one-click trading,” allowing seamless decentralized application (dapp) interactions without repeated signing prompts.
* **Automating transactions**: Users share a scoped key for server-side execution, enabling:
  * Subscription payments
  * Limit orders or stop orders
  * Auto-repaying loans to prevent liquidation

This granular control enhances security, streamlines dapp interactions, and makes Web3 more user-friendly.

## How it works

[Smart Sessions](https://github.com/erc7579/smartsessions) is built around three concepts: **owners** (who can sign), **actions** (what they can do), and **policies** (under what conditions).

## Owners

Smart Sessions support a wide range of signing mechanisms out of the box:

* [Single ECDSA key](./signature-validators/ecdsa)
* [Multiple ECDSA keys](./signature-validators/multisig) (i.e. multisig)
* [Passkeys](./signature-validators/passkey)

You can also use custom validators to validate sessions, as long as they are [ERC-7780](https://eips.ethereum.org/EIPS/eip-7780) compatible.

## Actions

Actions define what transactions (calls) you can make within a session. An action is defined by the *target address* and the *function selector*.

When a session defines multiple actions, a transaction that matches **any** of them is considered valid. If no actions are specified, **any** transaction will pass, so a session with no actions gives the session key unrestricted control of the account.

<Info>When using smart contracts directly, you need to explicitly provide a list of valid actions.</Info>

## Policies

Policies restrict a session to specific conditions. You can define them at the *session* level (applies to the entire session) or at the *action* level (applies to a single action within the session).

Supported policies include:

* [Sudo](./policies/sudo): allows any transaction
* [Call](./policies/call): allows transactions with the specified calldata
* [Spending limit](./policies/spending-limit): allows a limited amount of ERC20 tokens to be transferred or approved
* [Timeframe](./policies/timeframe): allows transactions within the specified time frame
* [Usage limit](./policies/usage-limit): allows a limited number of transactions
* Value limit: allows a limited amount of ETH to be transferred

When defining multiple policies within an action, a transaction that passes **every** specified policy is considered valid. If no policies are specified, **any** transaction will pass (i.e., the sudo policy is applied).

<Info>Policies work like a logical AND. If an action has two policies, the transaction must pass both policies to be valid.</Info>
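As an added example (not the SDK’s or the smartsessions contracts’ code), the following TypeScript models how a call is checked against a session’s actions and policies: actions are ORed, policies within an action are ANDed, an empty action list or policy list falls back to allowing everything, and a `universal-action` rule compares the 32-byte calldata word at `calldataOffset` against a reference value. The `Session`/`Action`/`Call` types, the `timeframe` policy shape, the placeholder token address and the sample calls are constructed for the example; the reading that `calldataOffset` counts from the end of the 4-byte selector follows this page’s own example, which uses offset 0 to pin the `transfer` recipient.

```typescript
// Offline model of Smart Sessions permission matching (added example; not SDK or contract code).
// Type names, the 'timeframe' policy shape and the Call shape are assumptions made for the example.
type Hex = `0x${string}`

interface ParamRule {
  condition: 'equal' | 'notEqual' | 'lessThan' | 'greaterThan'
  // Byte offset into the ABI-encoded arguments, i.e. counted from the end of the 4-byte selector
  // (offset 0 is the first argument, the recipient of transfer(address,uint256)).
  calldataOffset: bigint
  referenceValue: Hex | bigint
}

type Policy =
  | { type: 'sudo' }
  | { type: 'universal-action'; rules: ParamRule[] }
  | { type: 'timeframe'; validAfter: number; validUntil: number } // unix seconds (assumed shape)

interface Action { target: Hex; selector: Hex; policies?: Policy[] }
interface Session { actions?: Action[] }
interface Call { to: Hex; data: Hex; timestamp: number }

// Read the 32-byte argument word `offset` bytes past the selector; null if the calldata is too short.
function wordAt(data: Hex, offset: bigint): bigint | null {
  const start = 2 + 8 + Number(offset) * 2 // skip '0x' and the 4-byte selector
  const word = data.slice(start, start + 64)
  return word.length === 64 ? BigInt('0x' + word) : null
}

function ruleHolds(rule: ParamRule, data: Hex): boolean {
  const actual = wordAt(data, rule.calldataOffset)
  if (actual === null) return false // fail closed on short calldata
  const ref = typeof rule.referenceValue === 'bigint' ? rule.referenceValue : BigInt(rule.referenceValue)
  switch (rule.condition) {
    case 'equal': return actual === ref
    case 'notEqual': return actual !== ref
    case 'lessThan': return actual < ref
    case 'greaterThan': return actual > ref
    default: throw new Error('unknown condition')
  }
}

function policyPasses(policy: Policy, call: Call): boolean {
  switch (policy.type) {
    case 'sudo': return true
    case 'universal-action': return policy.rules.every((r) => ruleHolds(r, call.data))
    case 'timeframe': return call.timestamp >= policy.validAfter && call.timestamp <= policy.validUntil
    default: throw new Error('unknown policy')
  }
}

// Policies are ANDed: every policy must pass. No policies at all behaves like sudo.
function actionAllows(action: Action, call: Call): boolean {
  if (call.to.toLowerCase() !== action.target.toLowerCase()) return false
  if (call.data.slice(0, 10).toLowerCase() !== action.selector.toLowerCase()) return false
  const policies = action.policies ?? []
  return policies.length === 0 || policies.every((p) => policyPasses(p, call))
}

// Actions are ORed: one matching action is enough. No actions at all means any call passes.
function sessionAllows(session: Session, call: Call): boolean {
  const actions = session.actions ?? []
  return actions.length === 0 || actions.some((a) => actionAllows(a, call))
}

// Hand-rolled ABI encoding of transfer(address,uint256): selector 0xa9059cbb, then two 32-byte words.
function encodeTransfer(to: Hex, amount: bigint): Hex {
  const word = (v: bigint) => v.toString(16).padStart(64, '0')
  return `0xa9059cbb${word(BigInt(to))}${word(amount)}` as Hex
}

// Constructed sample data: a placeholder token address and the recipient used in this page's example.
const TOKEN: Hex = '0x1111111111111111111111111111111111111111'
const OTHER: Hex = '0x2222222222222222222222222222222222222222'
const RECIPIENT: Hex = '0xd8da6bf26964af9d7eed9e03e53415d37aa96045'
const WEEK = 7 * 24 * 60 * 60

const restrictedSession: Session = {
  actions: [{
    target: TOKEN,
    selector: '0xa9059cbb',
    policies: [
      { type: 'universal-action', rules: [{ condition: 'equal', calldataOffset: 0n, referenceValue: RECIPIENT }] },
      { type: 'timeframe', validAfter: 1_700_000_000, validUntil: 1_700_000_000 + WEEK },
    ],
  }],
}
const unrestrictedSession: Session = {} // no actions: behaves like sudo

function demo() {
  const at = (data: Hex, to: Hex = TOKEN, timestamp = 1_700_000_100): Call => ({ to, data, timestamp })
  return {
    ok: sessionAllows(restrictedSession, at(encodeTransfer(RECIPIENT, 1n))),
    wrongRecipient: sessionAllows(restrictedSession, at(encodeTransfer(OTHER, 1n))),
    wrongSelector: sessionAllows(restrictedSession, at(`0x095ea7b3${'0'.repeat(128)}` as Hex)), // approve()
    wrongTarget: sessionAllows(restrictedSession, at(encodeTransfer(RECIPIENT, 1n), OTHER)),
    expired: sessionAllows(restrictedSession, at(encodeTransfer(RECIPIENT, 1n), TOKEN, 1_700_000_000 + WEEK + 1)),
    shortCalldata: sessionAllows(restrictedSession, at('0xa9059cbb')),
    anythingGoes: sessionAllows(unrestrictedSession, at('0xdeadbeef', OTHER)),
  }
}
```

`demo()` returns `true` only for the pinned-recipient transfer inside the time window and for the unrestricted session; the `anythingGoes` result is exactly the configuration the Security section below warns about, and `shortCalldata` shows why a rule evaluator should fail closed when the word it inspects is missing.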

## Usage

<Warning>Smart session support is **experimental**. Expect breaking changes.</Warning>

### Installing the validator

You can install the validator during account deployment:

```ts {6-8} theme={null}
const rhinestoneAccount = await rhinestone.createAccount({
  owners: {
    type: 'ecdsa',
    accounts: [ownerAccount],
  },
  experimental_sessions: {
    enabled: true,
  },
})
```

You can also install it when the account is already deployed:

```ts theme={null}
import { base } from 'viem/chains'
import { experimental_enable } from '@rhinestone/sdk/actions/smart-sessions'

// Installs the Smart Sessions validator on an account that is already deployed
const transactionData = await rhinestoneAccount.sendTransaction({
  chain: base,
  calls: [experimental_enable()],
})
```

To uninstall the validator:

```ts theme={null}
import { base } from 'viem/chains'
import { experimental_disable } from '@rhinestone/sdk/actions/smart-sessions'

// Removes the validator; sessions enabled through it stop working
const transactionData = await rhinestoneAccount.sendTransaction({
  chain: base,
  calls: [experimental_disable()],
})
```

### Creating sessions

To define a session, specify its owners (the session key):

```ts theme={null}
const session: Session = {
  owners: {
    type: 'ecdsa',
    accounts: [sessionOwnerAccount],
  },
}
```

You can also limit the session to specific allowed actions:

```ts {8-18} theme={null}
import { erc20Abi, getAbiItem, toFunctionSelector } from 'viem'

const session: Session = {
  owners: {
    type: 'ecdsa',
    accounts: [sessionOwnerAccount],
  },
  actions: [
    {
      // Only `transfer` on this token contract is permitted
      target: usdcAddress,
      selector: toFunctionSelector(
        getAbiItem({
          abi: erc20Abi,
          name: 'transfer',
        }),
      ),
    },
  ],
}
```

Finally, you can specify action-level policies. The rule below constrains the first calldata argument of `transfer` (the recipient) to a single address:

```ts {17-28} theme={null}
import { erc20Abi, getAbiItem, toFunctionSelector } from 'viem'

const session: Session = {
  owners: {
    type: 'ecdsa',
    accounts: [sessionOwnerAccount],
  },
  actions: [
    {
      target: usdcAddress,
      selector: toFunctionSelector(
        getAbiItem({
          abi: erc20Abi,
          name: 'transfer',
        }),
      ),
      policies: [
        {
          type: 'universal-action',
          rules: [
            {
              // First argument word (`to`) must equal this address
              condition: 'equal',
              calldataOffset: 0n,
              referenceValue: '0xd8da6bf26964af9d7eed9e03e53415d37aa96045',
            },
          ],
        },
      ],
    },
  ],
}
```

### Installing sessions

To enable a session:

```ts theme={null}
import { experimental_enableSession } from '@rhinestone/sdk/actions/smart-sessions'

const sessions = [session]
const sessionDetails =
  await rhinestoneAccount.experimental_getSessionDetails(sessions)
const enableSignature =
  await rhinestoneAccount.experimental_signEnableSession(sessionDetails)
const sessionIndex = 0

const transactionResult = await rhinestoneAccount.sendTransaction({
  chain,
  calls: [
    experimental_enableSession(
      session,
      enableSignature,
      sessionDetails.hashesAndChainIds,
      sessionIndex,
    ),
  ],
})
```

You can also enable a session with a signature at the time it is first used. See [Multi-Session Signature](./multi-session-signature) for more details.

### Checking session status

To check if a session is enabled:

```ts theme={null}
const isEnabled = await rhinestoneAccount.experimental_isSessionEnabled(session)
```

### Using sessions

To authorize a transaction with a session key you've enabled before:

```ts {15-18} theme={null}
import { encodeFunctionData, erc20Abi } from 'viem'

const transactionResult = await rhinestoneAccount.sendTransaction({
  chain,
  calls: [
    {
      to: usdcAddress,
      data: encodeFunctionData({
        abi: erc20Abi,
        functionName: 'transfer',
        args: ['0xd8da6bf26964af9d7eed9e03e53415d37aa96045', 1n],
      }),
    },
  ],
  // Sign with the session key instead of the account's master key
  signers: {
    type: 'experimental_session',
    session,
  },
})
```

This prompts the session owner(s) for a signature and submits the transaction on the account’s behalf.

<Note>You can also enable and use the smart session in one transaction using the ["enable mode"](./multi-session-signature).</Note>

## Security

Smart Sessions unlocks new use cases, but a session key is a standing delegation of account authority. To keep your users secure when using sessions, follow these guidelines:

* Store the session key securely. Depending on the use case, it can live in the browser or on your backend; for server-side keys, consider a key management solution such as [KMS](https://aws.amazon.com/kms/) or [Lit Protocol](https://www.litprotocol.com).
* Stick to the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege): do not request more actions than you need.
* Guard the session with granular policies (e.g., restrict the amount of ETH that can be transacted through the session).
* If possible, timebox the session (e.g., make it valid for only one week).

<Warning>By default, the SDK creates a session that allows any transaction. Make sure you restrict it with relevant actions and policies.</Warning>
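A pre-flight lint that turns the guidelines above into an automated check before a session is enabled, as an added example (not SDK code). The field names mirror this page’s session shape; the session-level `policies` array, the `'timeframe'`, `'call'`, `'spending-limit'` and `'value-limit'` type strings, and the sample sessions are assumptions constructed for the example.

```typescript
// Pre-flight lint for a session object before it is enabled (added example; not SDK code).
// Field names mirror this page's session shape; the session-level `policies` array and the
// policy type strings other than 'universal-action' are assumptions made for the example.
type LintPolicy = { type: string }
interface LintAction { target: string; selector: string; policies?: LintPolicy[] }
interface LintSession { actions?: LintAction[]; policies?: LintPolicy[] }

// Policy types that actually constrain what a matched call may do
const RESTRICTING = ['universal-action', 'call', 'spending-limit', 'value-limit']

function lintSession(session: LintSession): string[] {
  const findings: string[] = []
  const actions = session.actions ?? []
  const sessionPolicies = session.policies ?? []

  if (actions.length === 0) {
    findings.push('no actions: the session key may call any function on any contract')
  }
  actions.forEach((action, i) => {
    const policies = action.policies ?? []
    const label = `action ${i} (${action.target} ${action.selector})`
    if (policies.length === 0 || policies.some((p) => p.type === 'sudo')) {
      findings.push(`${label}: unrestricted, any calldata passes`)
    } else if (!policies.some((p) => RESTRICTING.includes(p.type))) {
      findings.push(`${label}: no calldata or amount restriction`)
    }
  })
  const all = [...sessionPolicies, ...actions.flatMap((a) => a.policies ?? [])]
  if (!all.some((p) => p.type === 'timeframe')) {
    findings.push('no timeframe policy: the session stays valid until it is explicitly disabled')
  }
  return findings
}

// Constructed sample sessions (placeholder token address, transfer(address,uint256) selector)
const TOKEN = '0x1111111111111111111111111111111111111111'
const TRANSFER = '0xa9059cbb'

const defaultSession: LintSession = {} // what the SDK gives you without actions or policies
const selectorOnly: LintSession = { actions: [{ target: TOKEN, selector: TRANSFER }] }
const timeboxedOnly: LintSession = {
  actions: [{ target: TOKEN, selector: TRANSFER, policies: [{ type: 'timeframe' }] }],
}
const restrictedSession: LintSession = {
  actions: [{
    target: TOKEN,
    selector: TRANSFER,
    policies: [{ type: 'universal-action' }, { type: 'timeframe' }],
  }],
}
```

`lintSession(defaultSession)` reports both the missing actions and the missing timeframe, `selectorOnly` is flagged because a selector alone still lets the key send any amount to anyone, `timeboxedOnly` expires but is otherwise unconstrained, and `restrictedSession` comes back clean.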

[Reach out to us](http://t.me/kurt_larsen) if you need any help!
