Session Key Policy Registry
Session keys are restricted to a whitelist of allowed policies on Abstract Mainnet through the Session Key Policy Registry contract, which manages a whitelist of approved session keys. Applications must pass a security review before being added to the registry to enable the use of session keys for their policies.Restricted Session Key Policies
Session key policies that requestapprove
and/or setApprovalForAll
functions must be passed with additional constraints
that restrict the approval to a specific contract address.
For example, the following policy must include a constraints
array that restricts the approval to a specific contract address,
or will be rejected with “Unconstrained token approval/transfer destination in call policy.”
Session Key Signer Accounts
Session keys specify a signer account; an that is permitted to perform the actions specified in the session configuration. Therefore, the private key of the signer(s) you create are SENSITIVE VALUES! Exposing the signer private key enables attackers to execute any of the actions specified in a session configuration for any AGW that has approved a session key with that signer’s address.Recommended Implementation
Below is an example implementation of creating a unique signer account for each session key, and storing them encrypted in the browser’s local storage.Example Repo: Encrypted Unique Signer Keys in Local Storage
View the example repository for generating unique signer accounts and storing
them encrypted in the browser’s local storage.
Risks of Using Session Keys
Temporary keys enable transactions without owner signatures; this functionality introduces several legal risks that developers should be aware of, particularly around security and data management. These include:- If session keys are compromised, they can be used for unauthorized transactions, potentially leading to financial losses.
- Failing to follow recommended practices, such as creating new keys per user or managing expiration, could result in security vulnerabilities.
- Storing session keys, even when encrypted, risks data breaches. You should comply with applicable data protection laws.