Session Key
A temporary, scoped key that delegates limited authority to a dApp or agent without exposing the primary account signer.
A session key is a temporary cryptographic key with constrained permissions, used in smart contract wallets to grant time-limited and scope-limited access to dApps, automated agents, or specific workflows without exposing the primary account key.
How Session Keys Work
When a user wants to interact with a dApp without signing every individual transaction, they generate a session key and register it with their smart account along with a set of permissions. These permissions typically define which contracts the session key can call, which functions are allowed, spending limits per transaction or per session, and a validity window (start time and expiration).
The smart account validates each UserOperation signed by the session key against these constraints in validateUserOp, the ERC-4337 validation hook that the EntryPoint calls before execution. If the operation falls within the defined scope, validation succeeds and the operation executes. If it exceeds any constraint, validation fails and the operation is rejected before it reaches execution.
Use Cases
Gaming and social dApps use session keys to enable seamless interactions without wallet popup interruptions for every action. Automated trading systems use session keys scoped to specific DEX contracts and bounded by spending limits. AI agents interacting with on-chain protocols use session keys to execute operations autonomously within predefined guardrails.
Security Considerations
The most common vulnerability in session key implementations is insufficient scope validation. Implementations typically validate the target contract address and function selector correctly but fail to validate the calldata parameters. A session key scoped to approve(address,uint256) on a specific ERC-20 must also constrain the spender address and the amount; without parameter validation, a compromised session key can approve unlimited spending to an attacker-controlled address. The check has to decode exactly the calldata the account will forward, including the native value attached to the call and each sub-call of a batched execution, otherwise the restriction applies only to the outer call.
Session key revocation must be immediate and on-chain. Off-chain revocation lists create a window in which a revoked key can still be used before the revocation propagates. The smart account must check revocation status during validateUserOp itself, not rely on external enforcement, and the revocation flag has to live in storage the validation phase is permitted to read (the account's own storage, under the ERC-4337 validation rules) so that bundlers will still simulate the operation. A short validity window is the backstop: even if revocation is delayed, the key expires on its own.
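The checks described in the two paragraphs above, as an added example that is not code from this page or from any wallet, written in Python rather than Solidity so that it runs stand-alone: a SessionPolicy object stands in for the smart account's session-key storage, validate_user_op plays the role of the validateUserOp branch for a session-key signature, and the weak=True path reproduces the selector-only check that skips the calldata parameters. The two function selectors are the real ERC-20 ones; the addresses, limits, timestamps and function names are constructed for the example.

```python
# Session-key scope check modelled on what a smart account's validateUserOp
# has to decide for a UserOperation signed by a session key.  Added example,
# not code from any wallet or ERC-4337 implementation; SessionPolicy,
# validate_user_op, the addresses and the limits are all assumptions.
from dataclasses import dataclass

# Function selectors: first 4 bytes of keccak256 of the signature.
APPROVE = bytes.fromhex("095ea7b3")   # approve(address,uint256)
TRANSFER = bytes.fromhex("a9059cbb")  # transfer(address,uint256)

# Constructed addresses (lower-case hex, 20 bytes); not real deployments.
USDC = "0x" + "aa" * 20
DEX = "0x" + "bb" * 20
ATTACKER = "0x" + "cc" * 20


def encode_call(selector: bytes, address: str, amount: int) -> bytes:
    """ABI-encode f(address,uint256): selector, then two 32-byte words."""
    return selector + bytes(12) + bytes.fromhex(address[2:]) + amount.to_bytes(32, "big")


def decode_address_uint(calldata: bytes) -> tuple:
    """Decode the (address,uint256) arguments; reject malformed calldata."""
    if len(calldata) != 4 + 32 + 32:
        raise ValueError("calldata length does not match (address,uint256)")
    if any(calldata[4:16]):  # address word must be left-padded with zeros
        raise ValueError("dirty address padding")
    return "0x" + calldata[16:36].hex(), int.from_bytes(calldata[36:68], "big")


@dataclass
class SessionPolicy:
    target: str            # the one contract this key may call
    selectors: frozenset   # allowed function selectors on that contract
    spenders: frozenset    # allowed first argument (spender / recipient)
    max_per_op: int        # cap on the uint256 argument per operation
    session_limit: int     # cap on the cumulative amount for the session
    valid_after: int       # unix timestamps bounding the session
    valid_until: int
    spent: int = 0         # running total, updated when an op is accepted
    revoked: bool = False  # flipped on-chain by revoke(); checked first


def revoke(policy: SessionPolicy) -> None:
    """On-chain revocation: takes effect for the very next validation."""
    policy.revoked = True


def validate_user_op(policy: SessionPolicy, target: str, calldata: bytes,
                     now: int, weak: bool = False) -> tuple:
    """Return (accepted, reason).  weak=True reproduces the common bug of
    checking only target and selector and never the calldata parameters."""
    if policy.revoked:
        return False, "session key revoked"
    if not (policy.valid_after <= now < policy.valid_until):
        return False, "outside validity window"
    if target.lower() != policy.target:
        return False, "target not allowed"
    if calldata[:4] not in policy.selectors:
        return False, "selector not allowed"
    if weak:
        return True, "ok (parameters unchecked)"
    try:
        spender, amount = decode_address_uint(calldata)
    except ValueError as err:
        return False, str(err)
    if spender not in policy.spenders:
        return False, "spender not allowed"
    if amount > policy.max_per_op:
        return False, "amount exceeds per-op cap"
    if policy.spent + amount > policy.session_limit:
        return False, "session spend limit exceeded"
    policy.spent += amount  # a real account would book this during execution
    return True, "ok"


def make_policy() -> SessionPolicy:
    """A session key that may only approve/transfer USDC to DEX."""
    return SessionPolicy(USDC, frozenset({APPROVE, TRANSFER}), frozenset({DEX}),
                         max_per_op=150, session_limit=250,
                         valid_after=1_000, valid_until=2_000)


if __name__ == "__main__":
    benign = encode_call(APPROVE, DEX, 100)
    drain = encode_call(APPROVE, ATTACKER, 2**256 - 1)
    print(validate_user_op(make_policy(), USDC, benign, now=1_500))
    print(validate_user_op(make_policy(), USDC, drain, now=1_500, weak=True))
    print(validate_user_op(make_policy(), USDC, drain, now=1_500))
```

The weak path accepts the unlimited approve to ATTACKER because target and selector both match; the strict path rejects it on the spender before it ever looks at the amount. The revocation flag is the first thing checked, so a revoked key fails even inside its validity window, and the window check in turn rejects a key that was never revoked but has expired.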
Related Terms
Account Abstraction
A design pattern that replaces fixed EOA logic with programmable smart contract accounts, enabling custom validation, recovery, and gas payment mechanisms.
UserOperation
A struct in ERC-4337 that encodes a user intent including calldata, gas limits, and signature, submitted to bundlers instead of directly to the blockchain.
Need expert guidance on Session Key?
Our team at Zealynx has deep expertise in blockchain security and DeFi protocols. Whether you need an audit or consultation, we're here to help.