Product Guide

Smart sessions

Suggest Edits

ERC-7579 Smart Session Module

Overview

An ERC-7579 Smart Session Module is a plug-in component used in modular smart accounts (like those defined in ERC-4337) to grant temporary, limited access to a smart account.

Smart Sessions are especially useful when:

  • You want to allow a third party (like a dApp or another wallet) to execute actions on your behalf.
  • You want to interact with a dApp from a mobile device or frontend without re-signing every transaction.
  • You need automation (bots, scheduled tasks) without exposing full control of your wallet.

The session module enables delegated control under pre-defined rules, for a limited time, optionally scoped to certain actions or destinations.

What is a Smart Session?

Think of a Smart Session like a temporary API key for your smart account. It's a signed, time-limited permission slip that lets a delegate (usually another signer or application) execute certain actions on your behalf without re-authentication.

It uses cryptographic signatures to prove:

  • The session was authorized by the account owner.
  • The scope (what operations are allowed).
  • The duration (how long the session is valid).

How It Works

1. Session Initialization

The account owner creates a session by signing a data structure defining:

  • Delegate address (who can act).
  • Validity window (start time and expiry).
  • Permission scope (call targets, function selectors, value limits, etc.).

This is similar to a meta-transaction, but for sessions.

2. Session Module Integration

The smart account includes an ERC-7579-compliant session module that validates session signatures during execution. It implements logic to:

  • Verify the session signature and structure.
  • Check expiration and other constraints.
  • Allow the delegate to perform authorized operations.

3. Session Execution

The delegate uses the session signature to submit a UserOperation (or equivalent call) on behalf of the owner. The session module handles validation, ensuring it fits within the authorized constraints.

4. Expiration and Revocation

Sessions are:

  • Self-expiring based on timestamps.
  • Optionally revocable manually (depending on the module implementation).

Why Is It Useful?

Smart Sessions enhance usability and security by delegating control with granularity:

BenefitDescription
✅ UX ImprovementUsers can approve a session once and interact freely (e.g., batch mint NFTs, play games, trade on DEXes).
✅ Delegated AutomationAllow bots or scripts to act on your behalf with bounded permissions.
✅ Frontend WalletsSupport session-based login and actions for dApps with mobile or embedded wallets.
✅ Multi-device SyncAuthorize a mobile or browser wallet to act as a secondary device without full access.
✅ Reduced RiskSessions are temporary and scoped, reducing attack surface compared to full key sharing.

Example Use Case

Let's say Alice wants to play a web3 game that makes frequent moves on-chain. She doesn't want to sign every action manually.

  1. She authorizes a session for GameFrontendWallet:

    • Valid for 2 hours
    • Only allowed to call the game contract
    • Max 0.01 ETH per move

  2. The GameFrontendWallet uses this session to send moves autonomously.

  3. After 2 hours, the session expires. No further access is possible.

References

Updated 5 days ago