Smart Sessions provide a powerful way to delegate specific permissions to session keys with fine-grained control. These policies act as a security framework that allows you to precisely define what actions session keys can perform, under what conditions, and for how long.

What are Smart Session Policies?

Smart Session policies are rules and constraints that govern:
  • Which contract functions can be called
  • What parameters are allowed
  • How much value can be transferred
  • When the permissions are valid
  • Which blockchain networks are authorized
These policies enable secure delegation of account capabilities while maintaining strict control over potential risks.

Key Benefits

  • Enhanced Security: Grant minimal permissions required for specific operations
  • Better UX: Enable seamless interactions without compromising security
  • Precise Control: Define exact conditions under which operations can occur
  • Time-Bound Access: Automatically expire permissions after a set duration
  • Cross-Chain Safety: Specify which networks permissions are valid on

Policy Components

Each policy consists of several potential components:
  • Contract Address: The target smart contract
  • Function Selectors: Specific functions that can be called
  • Rules: Parameter-level constraints
  • Time Bounds: Valid duration for the permissions
  • Value Limits: Maximum amounts that can be transferred
  • Network Restrictions: Specific blockchain networks where the policy is valid

Session Creation Parameters

Session Creation Parameters

PropertyTypeRequiredDescription
sessionPublicKeyHexYesPublic key for the session (required for K1 algorithm validators)
sessionValidatorAddressAddressNoAddress of the session validator
sessionValidatorTypestringNoType of the session validator (usually “simple K1 validator”)
saltHexNoOptional salt for the session
sessionValidUntilnumberNoTimestamp until which the session is valid
sessionValidAfternumberNoTimestamp after which the session becomes valid
chainIdsbigint[]NoChain IDs where the session should be enabled
actionPoliciesInfoActionPolicyInfo[]YesArray of action policy data for the session

Action Policy Configuration

PropertyTypeRequiredDescription
contractAddressAddressYesThe smart contract address this policy applies to
validUntilnumberNoTimestamp when the session expires
validAfternumberNoTimestamp when the session becomes active
valueLimitbigintNoMaximum amount of native tokens (ETH) per transaction
tokenLimitsArray<TokenLimit>NoArray of ERC20 token spending limits
usageLimitbigintNoMaximum number of times this policy can be used
sudobooleanNoIf true, grants unlimited permissions (not compatible with rules)
functionSelectorstringOne of these requiredSpecific function to allow
rulesRule[]One of these requiredArray of parameter rules
abiAbiOne of these requiredFull contract ABI

Parameter Conditions

ConditionValueDescription
EQUAL0Exact match comparison
GREATER_THAN1Value must be greater than reference
LESS_THAN2Value must be less than reference
GREATER_THAN_OR_EQUAL3Value must be greater than or equal to reference
LESS_THAN_OR_EQUAL4Value must be less than or equal to reference
NOT_EQUAL5Value must not match reference

Rule Configuration

PropertyTypeRequiredDescription
conditionParamConditionYesType of comparison to perform
offsetIndexnumberYesPosition of parameter in calldata
isLimitedbooleanYesWhether to track usage count
refstring | number | bigintYesValue to compare against
usageUsageIf isLimited is trueUsage tracking configuration

Usage Configuration

PropertyTypeDescription
limitbigintMaximum number of times this rule can be used
usedbigintCurrent usage count (typically starts at 0)

Token Limit Structure

PropertyTypeDescription
tokenAddressToken contract address
limitbigintMaximum amount that can be spent

Best Practices

  1. Principle of Least Privilege: Always grant the minimum permissions necessary.
  2. Time Constraints: Consider adding time range policies to limit session duration.
  3. Combine Policies: Use multiple policies together for enhanced security.