Session keys are a powerful concept in the Web3 space. Similar to JSON Web Tokens (JWTs) in traditional systems, session keys enable decentralized user verification, allowing for secure interactions without constant manual approval.
What are Session Keys?
Session keys are temporary cryptographic keys that allow an application to perform specific blockchain actions on a user's behalf for a limited time. Instead of signing every individual move or trade, a player can authorize a session key once, enabling a seamless, "invisible" experience while maintaining security through strict permissions and expiry limits.
Session Keys in Action
Session keys are generated on the player's device and used to authenticate requests. They act as "programmable JWTs," typically expiring after a period of inactivity or logout. These keys allow users to interact with an app according to predefined rules, such as spending limits or specific contract functions.
Incorporating session keys into your project offers several advantages:
- Security: Session Keys are scoped, and smart contracts can dictate which instructions a specific session key can accept. By storing expiry and access information at the contract level, session keys become less vulnerable to security risks. Additionally, layered security further protects user assets.
- User Experience (UX): Session keys significantly improve crypto UX by eliminating the need for constant wallet popups while a user performs actions within a dApp for a specified duration.
- Interoperability: Session keys function at the contract level, allowing users to continue using their preferred browser wallets while interacting with a dApp that supplies a session key in the background. This maintains app interoperability and enhances UX.
Gaming and Session Keys
One of the most promising applications of session keys lies in the gaming domain. Given that many modern apps involve payments, trades, and other transactions, session keys can drastically improve the gaming experience.
By allowing users to pre-authorize a range of transactions, games become smoother and more engaging. Players no longer need to pause their game for every transaction, leading to uninterrupted gameplay.
Let's explore the four major steps involved in this process.
- When a user log in, they should generate a session key on their device and send it to your server. The sensitive part of the session key (the session private key) is always securely stored on the player's device and is not disclosed.
- The player includes the public part of the session key in subsequent requests from the player's device to the server for authentication. Such requests should be digitally signed by the secret part of the session key.
- On the server, validate the session key and the signature before processing the request. Periodically refresh the session key during the player's session to maintain security.
- Users can invalidate the session key whenever they want, e.g. after logging out or after a certain period of inactivity.
The Bright Side of Session Keys
Session keys can potentially redefine user interactions with apps, offering a seamless experience that's unprecedented in the Web3 domain:
- Bypassing Confirmations: No more disruptions! Session keys can help bypass continuous transaction confirmations, especially beneficial in applications where frequent small transactions are made.
- Offline Operations: Session keys enable users to execute transactions even when offline. For example, a user can participate in an NFT drop without having to be online at the time of the drop.
Setting New UX Standards
The introduction of session keys is setting a new standard for Web3 user experience. By enabling features like offline transactions and bypassing constant confirmations, session keys create more intuitive and user-friendly applications.
Excited to use session keys? Let's get started by looking at our documentation and our Youtube video for more.
Related reading
- Gas sponsorship via paymasters pairs naturally with session keys for a fully gasless UX
- Exploring EIP-7702 and how next-gen smart accounts handle session key management
- Embedded wallets explained: the wallet layer that powers session key flows