
Session Keys

Session Keys are temporary, permission-scoped keys that allow an application to execute transactions on behalf of a user's Smart Account without requiring a signature for every action.

In Zyfai, Session Keys are the mechanism that enables autonomous Agent execution. During onboarding, you select the networks and protocols you are comfortable engaging with, based on your personal risk preferences. A single Session Key is then generated and signed, granting the Zyfai Agent permission to act on your behalf, but only within the boundaries you defined.

How Session Keys Work in Zyfai

A Session Key does not grant open access to your Smart Account. It is scoped to a specific Target Registry, which defines the exact contracts, functions, and parameters the Agent is allowed to interact with.

This means:

  • The Agent can only execute transactions that match the list of approved functions in the Target Registry.
  • Any action outside the Target Registry is rejected at the contract level, regardless of what the Agent requests.
  • You sign once during setup. No re-signing is needed when new pools or protocols are added to the registry.

Session Key signing is hardened using EigenCompute KMS's Trusted Execution Environment (TEE), where the session private key is isolated and inaccessible to any operator, including Zyfai.


Enforcement

Session Keys define the scope of what an Agent is allowed to do. The Security Proxy Gateway is the system that enforces it.

The Gateway validates every transaction at three levels: contract address, function selector, and calldata parameters, before it reaches the chain.

For a full breakdown of the enforcement architecture, see the Security Proxy Gateway section.
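
The three validation levels described above can be sketched as a default-deny allowlist check. This is an added example, not Zyfai's Gateway or Target Registry code; the registry layout, the addresses and the per-argument rules are assumptions made for illustration.

```python
# Added illustration of a three-level check: contract, selector, calldata.
# Registry layout, addresses and rules are constructed assumptions, not
# Zyfai's Target Registry or Security Proxy Gateway code.
SMART_ACCOUNT = "0x" + "aa" * 20  # constructed
VAULT = "0x" + "bb" * 20          # constructed
TOKEN = "0x" + "cc" * 20          # constructed
HEX = set("0123456789abcdef")

# contract -> selector -> (argument count, {argument index: required address})
REGISTRY = {
    VAULT: {"6e553f65": (2, {1: SMART_ACCOUNT})},  # deposit(uint256,address)
    TOKEN: {"095ea7b3": (2, {0: VAULT})},          # approve(address,uint256)
}

def build_calldata(selector, *args):
    """ABI-encode static arguments (ints or 0x-addresses) after a selector."""
    words = [format(int(a, 16) if isinstance(a, str) else a, "064x") for a in args]
    return "0x" + selector + "".join(words)

def validate(to, calldata):
    """Return (allowed, reason). Anything not explicitly listed is denied."""
    # Level 1: the target contract must be in the registry.
    functions = REGISTRY.get(to.lower())
    if functions is None:
        return False, "contract not in registry"
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    # Level 2: the 4-byte selector must be approved for this contract.
    entry = functions.get(data[:8])
    if entry is None:
        return False, "selector not approved for this contract"
    argc, rules = entry
    body = data[8:]
    if len(body) != 64 * argc or not set(body) <= HEX:
        return False, "malformed argument encoding"
    # Level 3: constrained arguments must carry the required address.
    for index, required in rules.items():
        word = body[64 * index:64 * (index + 1)]
        # An address sits in the low 20 bytes; the high 12 must be zero.
        if word[:24] != "0" * 24 or "0x" + word[24:] != required:
            return False, f"argument {index} not permitted"
    return True, "ok"
```

A selector approved for one contract is not implicitly approved for another, and a permitted function is still rejected when a constrained argument, such as the deposit receiver, points anywhere other than the value the registry pins.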

Audits & Source Code

The Session Key infrastructure, including the Executor Module and Target Registry contracts, is fully open source and was audited by Sherlock in December 2025.
