Agents quickstart
Sigil Keys Agents lets you delegate signing to an agent (a backend job, an LLM tool-call loop, a trading bot) without giving it your secret key. You create a session bound to one wallet, with limits on how much it can spend and where, and you hand the agent a session token. The token signs only what the policy allows. Revoke any time.
Prerequisites
- An organisation in TEE signing mode. Agent sessions require server-side signing — they don’t make sense for client-side wallets where the user approves each signature.
- A wallet in that organisation (any curve).
- An sk_live_… secret key from the portal.
1. Create a session
From your backend (never from the browser — the session token can sign):
```bash
curl -X POST https://api.sigilkeys.com/v1/s2s/agent-sessions \
  -H "Authorization: Bearer sk_live_…" \
  -H "Content-Type: application/json" \
  -d '{
    "wallet_id": "WALLET_UUID",
    "name": "trading-bot-prod",
    "max_spend_per_tx_native": "100000000000000000",
    "max_spend_total_native": "1000000000000000000",
    "allowed_chains": ["base", "arbitrum"],
    "allowed_methods": ["signMessage", "sendTransaction"],
    "expires_at": "2026-12-31T23:59:59Z"
  }'
```
Response (shape):
```json
{
  "data": {
    "session": { "id": "…", "name": "trading-bot-prod", "status": "active", … },
    "token": "as_live_eyJhbGciOiJIUzI1NiIs…"
  }
}
```
The token is returned once. Store it where the agent can read it (env var, secret manager). Sigil does not retain a copy — if you lose it, revoke the session and create a new one.
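The limits set in the create-session request above, modelled as a local pre-flight check an agent can run before it calls the API. This is an added example, not Sigil's code or SDK: the interface names, the preflight and reasonFor functions, the order of the checks and the rejection reasons are all assumptions, and the server's policy decision remains authoritative.

```typescript
// Added example: a local model of the session policy fields from step 1.
// The check order and reason strings are assumptions, not Sigil's server logic.
interface SessionPolicy {
  maxSpendPerTxNative: string; // base units, decimal string
  maxSpendTotalNative: string; // base units, decimal string
  allowedChains: string[];
  allowedMethods: string[];
  expiresAt: string; // ISO 8601
}
interface SignRequest { method: string; network: string; value?: string }
interface Decision { allowed: boolean; reason: string }

// spentNative is the cumulative spend so far, in base units (decimal string).
function preflight(policy: SessionPolicy, spentNative: string, req: SignRequest, now: Date): Decision {
  const deny = (reason: string): Decision => ({ allowed: false, reason });
  if (now.getTime() >= Date.parse(policy.expiresAt)) return deny("expired");
  if (!policy.allowedMethods.includes(req.method)) return deny("method");
  if (!policy.allowedChains.includes(req.network)) return deny("chain");
  // Amounts exceed Number.MAX_SAFE_INTEGER, so compare as BigInt, never as Number.
  const value = BigInt(req.value ?? "0");
  if (value < BigInt(0)) return deny("negative value");
  if (value > BigInt(policy.maxSpendPerTxNative)) return deny("per-tx limit");
  if (BigInt(spentNative) + value > BigInt(policy.maxSpendTotalNative)) return deny("total limit");
  return { allowed: true, reason: "allowed" };
}

// Constructed sample: the policy values from the create-session request.
const samplePolicy: SessionPolicy = {
  maxSpendPerTxNative: "100000000000000000",
  maxSpendTotalNative: "1000000000000000000",
  allowedChains: ["base", "arbitrum"],
  allowedMethods: ["signMessage", "sendTransaction"],
  expiresAt: "2026-12-31T23:59:59Z",
};
const sampleNow = new Date("2026-06-01T00:00:00Z"); // constructed clock value

// Returns "allowed" or the name of the first limit the request breaks.
function reasonFor(spentNative: string, req: SignRequest, now: Date = sampleNow): string {
  return preflight(samplePolicy, spentNative, req, now).reason;
}
```

A request that passes locally can still be rejected by the service, so the agent should treat a rejection from the API as final rather than retry with altered values.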
2. Sign from the agent
```typescript
import { SigilAgent } from '@sigilkeys/sdk';

const agent = new SigilAgent({
  apiBaseUrl: 'https://api.sigilkeys.com',
  sessionToken: process.env.SIGIL_AGENT_TOKEN!,
});

// Inspect what the session is allowed to do.
const profile = await agent.getSession();
console.log(profile.walletAddress, profile.spentNative, profile.maxSpendTotalNative);

// Sign a message.
const sig = await agent.signMessage('login challenge', { network: 'base' });

// Send a transaction. Rejected with AgentPolicyError if it breaks policy.
const { signature } = await agent.sendTransaction({
  network: 'base',
  to: '0x…',
  value: '50000000000000000', // 0.05 native
});
```
3. Watch and revoke
Open the Agents section in the portal to see every signature attempted, what was allowed, what was rejected (and why), and how much of the budget the session has used. Revoke from there or via the API:
```bash
curl -X POST https://api.sigilkeys.com/v1/orgs/ORG_UUID/agent-sessions/SESSION_ID/revoke \
  -H "Authorization: Bearer sk_live_…"
```
Revocation is immediate. The next signing attempt with that token returns 401.