Skip to main content

The two-key model

Enact separates your root account from per-agent access keys: 
Root Account (passkey-secured, never exposed)
├── Agent Session A  →  $100 limit, expires 30 days
├── Agent Session B  →  $50 limit, expires 7 days
└── Agent Session C  →  $200 limit, expires 90 days
Root account — your main wallet. Created once via browser passkey. The private key is derived inside your device’s secure enclave and never stored anywhere. You use this to authorize and revoke agents. Access keys — scoped secp256k1 keys generated per agent session. Stored in .env. Have hard spending limits enforced at the protocol level by Tempo’s Account Keychain precompile.

What if an access key is compromised?

An attacker with your AGENT_PRIVATE_KEY can only:
  • Spend up to the remaining limit on that key
  • Make token transfers up to the spending cap
They cannot:
  • Access your root wallet
  • Create new sessions or authorize new keys
  • Exceed the on-chain spending cap
  • Spend tokens not included in the session’s token limits

Revocation

Revoke a session from the Enact dashboard or CLI. This calls revokeKey() on the Account Keychain precompile, immediately invalidating the key on-chain. Once revoked, any transaction signed by that key is rejected at the protocol level — no further action required.

Spending limit enforcement

Limits are enforced by Tempo’s Account Keychain precompile at 0xaAAAaaAA00000000000000000000000000000000. This is a protocol-level contract — it cannot be bypassed by the access key holder. The root account sets the limit; the access key can only spend up to that amount per token.
For production deployments, always set conservative spending limits. You can create new sessions with higher limits — you cannot undo a payment already made.