# Give an AI agent a wallet

Provision secure, policy-gated wallets for your AI agents to interact with the blockchain. Use Openfort to restrict agent permissions and manage signing without exposing private keys.

## Install the Openfort CLI

Install the CLI globally and log in:

```bash
npm install -g @openfort/cli
openfort login
```

## Teach your agent to use Openfort

Register the CLI as an MCP server so your agent can call Openfort tools directly:

```bash
openfort mcp add
```

Or, if your agent supports skills, sync the agent skill files:

:::code-group

```bash [Claude Code]
claude -p "Read https://github.com/openfort-xyz/agent-skills and set up Openfort CLI"
```

```bash [Amp]
amp --execute "Read https://github.com/openfort-xyz/agent-skills and set up Openfort CLI"
```

```bash [Codex CLI]
codex exec "Read https://github.com/openfort-xyz/agent-skills and set up Openfort CLI"
```

:::

## Walkthrough

::::steps

### 1. Set up backend wallet signing

Before your agent can sign transactions, generate the backend wallet signing keys:

> **Prompt your agent**: "Run `backend-wallet setup` to generate and register the signing keys for this project."

This creates an ECDSA P-256 key pair and registers it with Openfort. The credentials are saved locally — no need to set environment variables manually.

### 2. Provision an agent wallet

Create an on-chain wallet for your agent:

> **Prompt your agent**: "Use `accounts evm create` to provision a new EVM wallet for this agent."

This returns an account ID (e.g., `acc_...`) and an EOA address. Save the account ID — you'll need it for transactions and policies.

### 3. Define a policy

Restrict what your agent can do on-chain. First register the contract your agent should interact with, then create a policy scoped to it.

> **Prompt your agent**: "Register the USDC contract on Base Sepolia (address `0x036CbD53842c5426634e7929541eC2318f3dCF7e`, chain ID `84532`) using `contracts create`. Then create a project-scoped policy using `policies create` that only allows `signEvmTransaction` operations."

:::info
If you're using a test API key, you must use testnet chain IDs (e.g., `84532` for Base Sepolia, `11155111` for Ethereum Sepolia). Mainnet chain IDs will be rejected.
:::

### 4. Send a transaction

Test the wallet by sending a gasless transaction through the policy:

> **Prompt your agent**: "Use `accounts evm send-transaction` to send a transaction from account `acc_<YOUR_ID>` on chain `84532`, calling the USDC contract's `transfer` function. Use the policy `ply_<YOUR_ID>` for gas sponsorship."

::::

## x402 payments (advanced)

Agents can handle [x402](https://www.x402.org/) payment flows — automatically paying for HTTP resources that return `402 Payment Required`.

This requires additional environment variables:

| Variable | Description |
|---|---|
| `OPENFORT_SECRET_KEY` | Your Openfort secret API key |
| `OPENFORT_BACKEND_WALLET_ID` | The `acc_...` ID from Step 2 |
| `X402_FACILITATOR_URL` | URL of the x402 facilitator service |
| `CDP_API_KEY_NAME` | Coinbase Developer Platform API key name |
| `CDP_API_KEY_SECRET` | Coinbase Developer Platform API key secret |

> **Prompt your agent**: "Write a script that makes an HTTP request to `<YOUR_RESOURCE_URL>`. If it gets a 402 response, parse the `x402` payment requirements from the response headers, then use the Openfort SDK to sign a USDC `TransferWithAuthorization` (EIP-3009) and retry the request with the payment signature in the headers."

## Next steps

* [Server-side security](/docs/products/server/security)
* [Managing accounts](/docs/products/server/accounts)
* [Policies overview](/docs/configuration/policies)