Wallets — overview

A Sigil wallet is an account a user signs with. Sigil ships three kinds, and a single end user can hold all three at once. Choosing between them is mostly a question of who holds the keys and who pays the gas.

EOA — client signing

Keys are generated and reconstructed inside the user’s browser (Sigil iframe). Sigil never sees a plaintext key. The user pays gas from their own balance.

EOA — TEE signing

Keys are generated and reconstructed inside a hardware-attested Trusted Execution Environment (Google Confidential Space, AMD SEV-SNP). Same address shape as a client EOA, but signing happens server-side. Unlocks agent / backend signing without a browser.

Smart account (ERC-4337)

Opt-in, per chain. Sits on top of either kind of EOA. Sigil sponsors the gas via Pimlico, capped at €10 / wallet / month. Batched calls, gasless sends, deterministic CREATE2 address identical across EVM chains.

How they stack

EOAs and smart accounts are not alternatives — a smart account requires an EOA underneath it (the owner). The wallet kind picks which authority signs the UserOp; the smart account is a thin contract that executes whatever that authority approves.

             ┌───────────────────────────────────┐
             │  Smart account (LightAccount v2)  │  ← per-chain, opt-in
             │  0xSA...                          │
             └────────────────┬──────────────────┘
                              │ owns
             ┌───────────────────────────────────┐
             │  EOA wallet (single per curve)    │
             │  0xEOA... or solana base58, etc.  │
             └───────────────────────────────────┘
                              │ signs from
           ┌──────────────────┴──────────────────┐
           ▼                                     ▼
┌──────────────────────┐              ┌──────────────────────┐
│ Browser iframe (SSS) │      OR      │ Confidential Space   │
│ client mode          │              │ TEE — tee mode       │
└──────────────────────┘              └──────────────────────┘

A user’s primary wallet is always an EOA. Whether the EOA’s key is held client-side or TEE-side is a one-time choice per wallet (see signing_mode in the API). On top of that EOA, the user — or your backend — can optionally provision a smart account per EVM chain.

Choosing

Use the matrix below as a starting point. Mixed setups are common — nothing prevents a single product from offering client EOAs to retail users and TEE EOAs to institutional ones.

| | Client EOA | TEE EOA | Smart account |
| --- | --- | --- | --- |
| Who holds the key | User (browser SSS) | TEE-attested workload | Inherits owner |
| Sigil can sign without user | No | Yes | Yes (via owner) |
| Backend / agent signing | No | Yes | Yes |
| Gas paid by | User | User | Sigil (€10/mo cap) |
| Batched ops in one tx | No | No | Yes |
| Address on every EVM chain | Same | Same | Same (CREATE2 deterministic) |
| Recovery flow | Email OTP | Not needed | Inherits owner |
| Best for | Retail self-custody | Institutional, agents | UX-first apps, gasless onboarding |