Using Session Keys

Session keys are programmable access tokens with specific permissions, designed for controlled interactions. Examples include:

Granting access to specific areas or features.
Limiting usage to a set amount of resources (e.g., 1000 units of currency).
Time-bound validity (e.g., expiring after 3 days).

Permissions can be combined, enabling fine-tuned, context-specific capabilities.

This section will guide you through the process of registering a session key and using it to mint an asset with a player's smart account. Choose your preferred implementation approach:

Standard (EIP-1193 provider)

Using EIP-7715. The request method of the EIP-1193 provider can be used to request signatures. First, get the provider:

client.tsx

import openfort from "./openfortConfig"
// This example assumes you have already checked that Openfort 'embeddedState' is 
// `ready` and the user is `authenticated`
const provider = openfort.embeddedWallet.getEthereumProvider();

Smart wallets support sending a batch of transactions in a single, atomic submission to the network.

To register a session key with a smart wallet, call the wallet_grantPermissions method.

As an example, you might batch together a transaction to approve a USDC spender and to transfer USDC like so:

import { generatePrivateKey, privateKeyToAccount } from 'viem/accounts';
 
const sessionKey = generatePrivateKey();
const accountSession = privateKeyToAccount(sessionKey).address;
 
await provider.request({
  method: 'wallet_grantPermissions',
  params: [
    {
      signer:{
        type: "account",
        data:{
          id: accountSession
        }
      },
      expiry: 60 * 60 * 24,
      permissions: [
        {
          type: 'contract-call',
          data: {
            address: '0x2522f4fc9af2e1954a3d13f7a5b2683a00a4543a',
            calls: []
          },
          policies: []
        }
      ],
    },
  ],
});

Integration with Wallet Libraries

Popular libraries provide convenient methods for registering session keys:

Library	Method
Viem	Use the `wallet_grantPermissions` action

Openfort SDK method

1. Create a Session Key Client side

After you have authenticated your user with your regular authentication system, you can create a session key for them. To create a session key, you need to generate a key pair on the client-side and send the address computed from the public key to your server.

Using one of the official Openfort client libraries everything is handled for you.

Install the client-side library:

npm

npm install @openfort/openfort-js --save

Initialize Openfort and create a session key:

// Set your public key. Remember to switch to your live PUBLIC key in production.
// See your keys here: https://dashboard.openfort.io/developers/configuration/api-keys
import Openfort from '@openfort/openfort-js'
const openfort = new Openfort({
  baseConfiguration: {
      publishableKey: "YOUR_OPENFORT_PUBLISHABLE_KEY"
  }
});

1. Create a Session Key Server side

Using ethers, you can create a key pair on the server side of you application.

const sessionKey = ethers.Wallet.createRandom();

The parameter sessionKey contains the address that you will need to register.

After creating the session key, you can go ahead and register it.

2. Register a Session Key Server side Client side

To register a session key, first send the address from the session key to your server. You can get the address from the session key object created above like this:

const address = sessionKey.address;

Then, from your server you can make a request to the Openfort API or use one of our server libraries to register the session key.

Install Openfort in your server-side and initialize it with your secret key.

npm

npm install @openfort/openfort-node

Initialize with your secret key:

Node

import Openfort from '@openfort/openfort-node'
const openfort = new Openfort('sk_test_...');

The created session key would be valid since the 25th of May 2023 at 7:50 GMT (timestamp 1685001000) and last for 1 hour (timestamp 1685001000). For a useful resource to calculate timestamps online, visit UNIX Timestamp.

Note how the externalOwnerAddress parameter is used to indicate the address of owner of the account that will be created under the specified player. It's only necessary to specify this parameter when the player is doesn't yet have an account in that chain.

Also, note how a policy is used to indicate the policy that will be used to sponsor the gas fees of the transaction to register the session key.

In this example externalOwnerAddress is used to indicate the address of the owner of the account that will be created under the specified player.

curl

curl https://api.openfort.io/v1/sessions \
  -H "Authorization: Bearer $YOUR_SECRET_KEY" \
  -d player=pla_... \
  -d address="0x76e6...9341" \
  -d chainId=80002 \
  -d validUntil=1685004600 \
  -d validAfter=0 \
  -d externalOwnerAddress="0x41e6...9341" \
  -d policy=pol_...

After registering the session key, you can see it in the dashboard under the player's page.

3. Sign the Session Key Client side

The owner of the account of the player needs then to authorize the new session key.

To do so, it needs to sign the userOperationHash from the nextAction object returned by the API call to register the session key.

nextAction response object from transaction_intents

"nextAction": {
    "type": "sign_with_wallet",
    "payload": {
        "signableHash": "0x91b4efe3648c79467f7b50aa9bb1b4eae383a52dd6d741d39ece29ed2ef8362d"
    }
},

Once the content of the nextAction parameter above is signed by the owner signer of the account, it has to be sent to Openfort using the endpoint /v1/sessions/:id/signature as shown below:

Sign and send the session key registration:

curl

curl https://api.openfort.io/v1/sessions/ses_.../signature \
  -H "Authorization: Bearer $YOUR_PUBLISHABLE_KEY" \
  -d signature="xyz..."

4. Using the Session Key Server side Client side

After the session key is registered, it can be used to authenticate requests from the player. Whenever you create a transaction intent from your backend, a signature will be needed from the session key or owner of the players' smart account.

Create a transaction intent:

curl

curl https://api.openfort.io/v1/transaction_intents \
  -H "Authorization: Bearer $YOUR_SECRET_KEY" \
  -d player=pla_... \
  -d address="0x76e6...9341" \
  -d chainId=80002 \
  -d policy=pol_...

After creating the transaction intent, the session key will need to sign the nextAction userOperationHash and send it to Openfort.

To do so, pass the userOperationHash to the sendSignatureTransactionIntentRequest method of the Openfort client library. Load session key and sign a transaction intent:

const openfortTransactionResponse =
  await openfort.sendSignatureTransactionIntentRequest(
    collectResponseJSON.data.id,
    userOperationHash
  )

5. Revoke a Session Key Client side Server side

The owner of the account can always revoke the session key.

To do so, it needs to sign the userOperationHash from the nextAction object returned by the API call to revoke the session key.

Create a transaction intent:

curl

curl https://api.openfort.io/v1/sessions/revoke \
  -H "Authorization: Bearer $YOUR_SECRET_KEY" \
  -d player=pla_... \
  -d address="0x76e6...9341" \
  -d chainId=80002 \
  -d policy=pol_...

Sign the transaction to revoke the session key and remove from client side:

const openfortTransactionResponse =
  await openfort.sendSignatureTransactionIntentRequest(
    revokeResponseJSON.data.id,
    userOperationHash
  );