- Protocol scopes — on-chain authority (trade, transfer, withdraw, …). Signed into each action and re-validated by the protocol.
- Off-chain scopes — server-side capabilities (
account_info,delete_session_key). Never signed; enforced by the server.
How session keys are used

Delegated attenuation
The key you create can never exceed the authority of the key that signs the creation action. A child key’s scopes, expiry, and subaccounts must each be a subset of its parent’s. A key withoutadmin cannot mint an admin child; a key expiring next week cannot mint a child expiring next month. The protocol enforces this when the create action is applied.
The signing parent must itself hold the create_session_key protocol scope.
Create a session key
private/create_session_key is a signed action: your wallet (or a parent session key with create_session_key scope) EIP-712-signs a create-session-key action, which you then submit to the API. See Action signing for how to build the nonce, signature, and signature_expiry_sec fields.
Wallet the session key is registered for (0x-prefixed).
The delegated EVM address being authorized (0x-prefixed).
Unix seconds (UTC) after which the key is expired. Must not exceed the
parent’s expiry.
Subaccounts this key may act on. Omit or empty ⇒ all current and future
subaccounts. Must be a subset of the parent’s subaccounts.
Wire-string protocol scopes signed into the action (e.g.
"trade:orderbook:all", "withdraw"). Validated and attenuated in-protocol.
See Access scopes.Off-chain scopes (
account_info, delete_session_key). Backend-only, not
signed.Human-readable label.
If non-empty, the key may only authenticate from these IPs.
Strictly-increasing anti-replay nonce (see Action
signing).
Address that produced
signature — the wallet or a parent session key.0x-prefixed 65-byte
r||s||v EIP-712 signature over the create action.Unix seconds after which the signed action is rejected. A typical client
default is
now + 600 (10 min).EIP-712 action module address (the
CREATE_SESSION_KEY_MODULE). Part of the
signed struct hash — client and server must agree. A fixed protocol constant,
identical across deployments; see Action
signing.module is a fixed protocol constant (identical across deployments), but it
must still match exactly or the signature will be rejected. Verify your
encoding with the signing-preview helpers described in Action
signing.Edit a session key
private/edit_session_key updates off-chain fields only: label, ip_whitelist, and offchain_scopes. It requires no re-signing.
Authorization depends on what you change:
- Label only → requires the off-chain
account_infoscope. - IP whitelist or off-chain scopes → requires protocol
admin(or the owning wallet).
Wallet the key belongs to.
The session key address to edit.
New label.
Replacement IP whitelist. Empty ⇒ no IP restriction.
Replacement off-chain scopes.
IP whitelist
If a key’s whitelist is non-empty, login from any other IP is rejected. An empty whitelist imposes no IP restriction.Lifecycle at a glance
1
Create
Wallet (or a parent key with
create_session_key scope) signs a create
action granting a subset of its own scopes, expiry, and subaccounts.2
Authenticate
The session key logs in via EIP-191 session
login; its IP whitelist and expiry are
enforced at this step.
3
Sign actions
The key EIP-712-signs each action; the protocol re-checks that the key’s
scopes cover the action (see Action
signing).
4
Edit metadata
Adjust label, IP whitelist, or off-chain scopes with
edit_session_key.
Protocol scopes require a fresh create_session_key.5
Expire
The key stops working once
expiry_sec passes.Related
Access scopes
The full protocol and off-chain scope catalog and per-route gating.
Action signing
How the create action (and every trading action) is signed with EIP-712.

