accessKey.signAuthorization
Signs a key authorization for an access key. This is a local signing operation, so no transaction is sent.
Usage
import { Account, P256 } from 'viem/tempo'
import { client } from './viem.config'
// 1. Define root account
const account = Account.fromSecp256k1('0x...')
// 2. Define access key attached to the root account
const accessKey = Account.fromP256(P256.randomPrivateKey(), {
access: account,
})
// 3. Sign the key authorization
const keyAuthorization = await client.accessKey.signAuthorization({
accessKey,
})import { Account, createClient } from 'viem/tempo'
export const client = createClient({
account: Account.fromSecp256k1('0x...'),
})With Periodic Spending Limits
Use the period field on limits to set a recurring spending cap that resets after the given number of seconds:
import { parseUnits } from 'viem'
import { Account, Period, P256 } from 'viem/tempo'
import { client } from './viem.config'
const account = Account.fromSecp256k1('0x...')
const accessKey = Account.fromP256(P256.randomPrivateKey(), {
access: account,
})
const keyAuthorization = await client.accessKey.signAuthorization(
account,
{
accessKey,
limits: [
{
token: '0x20c0000000000000000000000000000000000001',
limit: parseUnits('1000', 6),
period: Period.months(1), // resets every month
},
],
},
)With Call Scopes
Use scopes to restrict which contracts and functions the access key can call:
import { parseUnits } from 'viem'
import { Account, P256 } from 'viem/tempo'
import { client } from './viem.config'
const account = Account.fromSecp256k1('0x...')
const accessKey = Account.fromP256(P256.randomPrivateKey(), {
access: account,
})
const keyAuthorization = await client.accessKey.signAuthorization(
account,
{
accessKey,
limits: [
{
token: '0x20c0000000000000000000000000000000000001',
limit: parseUnits('10000', 6),
},
],
scopes: [
{
address: '0x20c0000000000000000000000000000000000001',
selector: 'transfer(address,uint256)', // or "0xa9059cbb"
recipients: ['0xcafebabecafebabecafebabecafebabecafebabe'], // optional
},
],
},
)import { parseUnits } from 'viem'
import { Account, P256, Scopes } from 'viem/tempo'
import { client } from './viem.config'
const account = Account.fromSecp256k1('0x...')
const accessKey = Account.fromP256(P256.randomPrivateKey(), {
access: account,
})
const keyAuthorization = await client.accessKey.signAuthorization(
account,
{
accessKey,
limits: [
{
token: '0x20c0000000000000000000000000000000000001',
limit: parseUnits('10000', 6),
},
],
scopes: [
Scopes.tip20('0x20c0000000000000000000000000000000000001')
.transfer({
recipients: ['0xcafebabecafebabecafebabecafebabecafebabe'],
}),
],
},
)Authorize Public Keys
Instead of passing an AccessKeyAccount, you can sign an authorization for a key by its public key or address directly:
import { Account, P256 } from 'viem/tempo'
import { client } from './viem.config'
const account = Account.fromSecp256k1('0x...')
// Sign authorization by public key
const keyAuthorization = await client.accessKey.signAuthorization({
accessKey: {
publicKey: '0x...',
type: 'p256',
},
}) You can also sign by address:
import { Account } from 'viem/tempo'
import { client } from './viem.config'
const account = Account.fromSecp256k1('0x...')
// Sign authorization by address
const keyAuthorization = await client.accessKey.signAuthorization({
accessKey: {
address: '0x...',
type: 'p256',
},
}) Submitting the Authorization
The signed keyAuthorization can be attached to any write action.
// Authorize the key alongside a transfer, sent with the access key
const { receipt } = await client.token.transferSync({
account: accessKey,
token: '0x20c0000000000000000000000000000000000001',
to: '0xcafebabecafebabecafebabecafebabecafebabe',
amount: 100n,
keyAuthorization,
})Return Type
type ReturnType = KeyAuthorization.SignedA signed key authorization object that can be passed as keyAuthorization to any write action.
Parameters
account
- Type:
RootAccount
The root account signing the authorization. Must be a local account with signing capabilities (e.g. created via Account.from).
accessKey
- Type:
{ accessKeyAddress: Address; keyType: string } | { address: Address; type: string } | { publicKey: Hex; type: string }
The access key to authorize. Accepts an AccessKeyAccount, or an object with { address, type } or { publicKey, type }.
admin (optional)
- Type:
boolean
Whether to authorize the key as an admin key. Admin keys are unrestricted and can manage the account's other access keys; expiry, limits, and scopes are ignored. Requires the T6 hardfork (TIP-1049).
expiry (optional)
- Type:
number
Unix timestamp when the key expires.
limits (optional)
- Type:
{ token: Address; limit: bigint; period?: number }[]
Spending limits per token. Optionally include period (in seconds) to make the limit periodic. It resets after each period.
scopes (optional)
- Type:
{ address: Address; selector?: Hex | string; recipients?: Address[] }[]
Call scopes restricting which contracts/selectors this key can call.
witness (optional)
- Type:
Hex
Optional 32-byte witness bound into the authorization's signing hash. Can be burned onchain via accessKey.burnWitness to invalidate the authorization before it is submitted (TIP-1053).