Tenzro
Tutorial — Custody

Install an ERC-7579 SessionKey

Bind a short-lived signing key to a smart account, scoped to a target allowlist, selector allowlist, validity window, and value ceilings — without giving up root.

Level: Advanced
Time: ~15 min
Prerequisites: Deployed SmartAccount, root signer available
Stack: Rust SDK

01. Generate the session key

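use tenzro_crypto::ed25519::Ed25519KeyPair;

// Fresh Ed25519 key pair used only for this session; the root signer is not involved.
let session = Ed25519KeyPair::generate();
// Public half, which goes into the validator config as session_pub in step 02.
let session_pub = session.public_key();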

02. Encode SessionKeyValidator config

The SESSION_KEY_VALIDATOR at 0x101e reads: session_pub, target_allowlist, selector_allowlist, valid_after, valid_until, per_call_value_ceiling, cumulative_value_ceiling.

03. Install via the standard selector

The install selector is 0x9517e29f, byte-identical to the one used by Safe, Biconomy Nexus, ZeroDev Kernel and Rhinestone, so calldata is portable.

# CLI shorthand wrapping the SDK
tenzro custody install-module \
  --account 0x... \
  --validator session-key \
  --target-allowlist 0xaaa,0xbbb \
  --selector-allowlist 0xa9059cbb \
  --valid-until +1h \
  --per-call-max 1ether

04. Sign UserOperations with the session key

Every UserOperation is now AND-validated by every installed module: SOCIAL_RECOVERY_VALIDATOR, SPENDING_LIMIT_VALIDATOR, and your SESSION_KEY_VALIDATOR all have to approve. The combined validity window is valid_after = max(...) and valid_until = min_nonzero(...) across the modules.
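
A local model of the checks behind steps 02 and 04, added here as an example and not taken from the Tenzro SDK or its on-chain validator. It assumes the validator rejects any call outside the allowlists or above either ceiling, and treats valid_until = 0 as "no expiry", which is what min_nonzero implies; the names Window, Call, SessionPolicy, approve and combine are hypothetical.

```rust
// Added illustration, not Tenzro SDK code. All type and function names are hypothetical.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Window { pub valid_after: u64, pub valid_until: u64 } // valid_until == 0: no expiry
pub struct Call<'a> { pub target: [u8; 20], pub data: &'a [u8], pub value: u128 }
pub struct SessionPolicy {
    pub targets: Vec<[u8; 20]>,
    pub selectors: Vec<[u8; 4]>,
    pub window: Window,
    pub per_call_ceiling: u128,
    pub cumulative_ceiling: u128,
}

impl SessionPolicy {
    /// Some(window) if the call is inside the session key's scope, None otherwise.
    pub fn approve(&self, call: &Call<'_>, spent_so_far: u128) -> Option<Window> {
        // Calldata shorter than a 4-byte selector can never match the allowlist.
        let selector = match call.data {
            [a, b, c, d, ..] => [*a, *b, *c, *d],
            _ => return None,
        };
        let total = spent_so_far.checked_add(call.value)?; // overflow is a rejection
        let ok = self.targets.contains(&call.target)
            && self.selectors.contains(&selector)
            && call.value <= self.per_call_ceiling
            && total <= self.cumulative_ceiling;
        ok.then_some(self.window)
    }
}

/// AND-combine module verdicts: a single None rejects, and the windows intersect.
pub fn combine(verdicts: &[Option<Window>]) -> Option<Window> {
    let mut out = Window { valid_after: 0, valid_until: 0 };
    for v in verdicts {
        let w = (*v)?;
        out.valid_after = out.valid_after.max(w.valid_after);
        out.valid_until = match (out.valid_until, w.valid_until) {
            (0, u) | (u, 0) => u, // zero means "no limit", so the other bound wins
            (a, b) => a.min(b),
        };
    }
    Some(out)
}

fn main() {
    // Constructed sample: one module with no time limit, one with a one-hour window.
    let open = Window { valid_after: 0, valid_until: 0 };
    let hour = Window { valid_after: 1_000, valid_until: 4_600 };
    println!("{:?}", combine(&[Some(open), Some(hour)]));
}
```

Running the model against the values you are about to pass to install-module is a quick way to confirm that an out-of-scope target, selector or value is rejected before anything is installed.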

05. Revoke when done

Call the standard uninstall selector 0xa71763a8, or just let the key expire: valid_until auto-revokes on the chain side.
