Skip to content
LogoLogo

accessKey.signAuthorization

Signs a key authorization for an access key. This is a local signing operation, so no transaction is sent.

Usage

import { Account, P256 } from 'viem/tempo'
import { client } from './viem.config'
 
// 1. Define root account
const account = Account.fromSecp256k1('0x...')
 
// 2. Define access key attached to the root account
const accessKey = Account.fromP256(P256.randomPrivateKey(), {
  access: account,
})
 
// 3. Sign the key authorization
const keyAuthorization = await client.accessKey.signAuthorization({
  accessKey,
})

With Periodic Spending Limits

Use the period field on limits to set a recurring spending cap that resets after the given number of seconds:

import { parseUnits } from 'viem'
import { Account, Period, P256 } from 'viem/tempo'
import { client } from './viem.config'
 
const account = Account.fromSecp256k1('0x...')
const accessKey = Account.fromP256(P256.randomPrivateKey(), {
  access: account,
})
 
const keyAuthorization = await client.accessKey.signAuthorization(
  account,
  {
    accessKey,
    limits: [ 
      { 
        token: '0x20c0000000000000000000000000000000000001', 
        limit: parseUnits('1000', 6), 
        period: Period.months(1), // resets every month
      }, 
    ], 
  },
)

With Call Scopes

Use scopes to restrict which contracts and functions the access key can call:

import { parseUnits } from 'viem'
import { Account, P256 } from 'viem/tempo'
import { client } from './viem.config'
 
const account = Account.fromSecp256k1('0x...')
const accessKey = Account.fromP256(P256.randomPrivateKey(), {
  access: account,
})
 
const keyAuthorization = await client.accessKey.signAuthorization(
  account,
  {
    accessKey,
    limits: [ 
      { 
        token: '0x20c0000000000000000000000000000000000001', 
        limit: parseUnits('10000', 6), 
      }, 
    ], 
    scopes: [ 
      { 
        address: '0x20c0000000000000000000000000000000000001', 
        selector: 'transfer(address,uint256)', // or "0xa9059cbb"
        recipients: ['0xcafebabecafebabecafebabecafebabecafebabe'], // optional
      }, 
    ], 
  },
)

Authorize Public Keys

Instead of passing an AccessKeyAccount, you can sign an authorization for a key by its public key or address directly:

import { Account, P256 } from 'viem/tempo'
import { client } from './viem.config'
 
const account = Account.fromSecp256k1('0x...')
 
// Sign authorization by public key
const keyAuthorization = await client.accessKey.signAuthorization({ 
  accessKey: { 
    publicKey: '0x...', 
    type: 'p256', 
  }, 
}) 

You can also sign by address:

import { Account } from 'viem/tempo'
import { client } from './viem.config'
 
const account = Account.fromSecp256k1('0x...')
 
// Sign authorization by address
const keyAuthorization = await client.accessKey.signAuthorization({ 
  accessKey: { 
    address: '0x...', 
    type: 'p256', 
  }, 
}) 

Submitting the Authorization

The signed keyAuthorization can be attached to any write action.

// Authorize the key alongside a transfer, sent with the access key
const { receipt } = await client.token.transferSync({
  account: accessKey,
  token: '0x20c0000000000000000000000000000000000001',
  to: '0xcafebabecafebabecafebabecafebabecafebabe',
  amount: 100n,
  keyAuthorization,
})

Return Type

type ReturnType = KeyAuthorization.Signed

A signed key authorization object that can be passed as keyAuthorization to any write action.

Parameters

account

  • Type: RootAccount

The root account signing the authorization. Must be a local account with signing capabilities (e.g. created via Account.from).

accessKey

  • Type: { accessKeyAddress: Address; keyType: string } | { address: Address; type: string } | { publicKey: Hex; type: string }

The access key to authorize. Accepts an AccessKeyAccount, or an object with { address, type } or { publicKey, type }.

admin (optional)

  • Type: boolean

Whether to authorize the key as an admin key. Admin keys are unrestricted and can manage the account's other access keys; expiry, limits, and scopes are ignored. Requires the T6 hardfork (TIP-1049).

expiry (optional)

  • Type: number

Unix timestamp when the key expires.

limits (optional)

  • Type: { token: Address; limit: bigint; period?: number }[]

Spending limits per token. Optionally include period (in seconds) to make the limit periodic. It resets after each period.

scopes (optional)

  • Type: { address: Address; selector?: Hex | string; recipients?: Address[] }[]

Call scopes restricting which contracts/selectors this key can call.

witness (optional)

  • Type: Hex

Optional 32-byte witness bound into the authorization's signing hash. Can be burned onchain via accessKey.burnWitness to invalidate the authorization before it is submitted (TIP-1053).