|
| 1 | +--- |
| 2 | +title: Designing Server Wallets for AI Agents with ERC 8004 |
| 3 | +image: 'img/tutorials/tutorials-banners/designing-server-wallets.png' |
| 4 | +description: Designing Server Wallets for AI Agents with ERC 8004. |
| 5 | +tags: [AI agent, ERC 8004, server wallet, embedded wallets, ethereum, solana] |
| 6 | +date: October 28, 2025 |
| 7 | +author: MetaMask Developer Relations |
| 8 | +--- |
| 9 | + |
| 10 | +At MetaMask, we have specialized in creating fast and secure non custodial wallets in ethereum and now across the whole of the web3 ecosystem. With ERC‑8004 standardizing how AI agents express “what they intend to do,” we can see a clear need for a fast, safe, multi‑chain signing backend, more commonly known as a Server Wallet. The interesting thing about Server Wallets is that it will be a requirement for even non web2 native developers in the very near future. Hence, thinking about an ideal architecture around it becomes necessary. |
| 11 | + |
| 12 | +This guide outlines an opinionated, production‑oriented architecture you can adopt today and hints at where we’re going next with a one-click ERC‑8004 server wallet experience. |
| 13 | + |
| 14 | +## What are Server Wallets? |
| 15 | + |
| 16 | +A server wallet is a backend signer that holds and uses private keys on behalf of the app or AI Agent, while clients authenticate requests and receive signatures to submit on chain. The idea is that the signing key lives in a secure environment, so it is never exposed directly to the AI agent and is protected by certain policies set for its execution. |
| 17 | + |
| 18 | +## Reference architecture |
| 19 | + |
| 20 | +- The client holds an “Agent Key” used to authenticate who is asking to sign; separate from the on‑chain account key that actually controls funds. |
| 21 | +- Backend exposes minimal APIs that forward requests into a Trusted Execution Environment (TEE, e.g., AWS Nitro Enclaves). |
| 22 | +- TEE enclave is the only environment allowed to verify Agent Key, generate account keys, decrypt keys, apply policy, and produce signatures. It has no external networking and no persistent storage |
| 23 | +- The encrypted key and metadata live in a database outside the enclave, encrypted by the Agent Key. |
| 24 | + |
| 25 | +## Request flow |
| 26 | + |
| 27 | +- Client creates a request describing the action and signs it with the Agent Key to prove origin and integrity. |
| 28 | +- Backend passes the request into the enclave, which has no external networking, SSH or persistent storage to reduce exposure. |
| 29 | +- Enclave verifies the signature, checks policy, signs if allowed, and returns only the signature and decision metadata to the backend. |
| 30 | + |
| 31 | +## Core Security Operations |
| 32 | + |
| 33 | +### Key generation |
| 34 | + |
| 35 | +- The Client send a request with the Agent Key |
| 36 | +- The account keypair is created inside the enclave and encrypted using the Agent Key |
| 37 | +- The encrypted blob is then stored in a database alongside the public address of the Agent Key |
| 38 | + |
| 39 | +### Importing Key |
| 40 | + |
| 41 | +- The agent has the Private Key on the client side. |
| 42 | +- The SDK encrypts the Private key with the Agent Key |
| 43 | +- The import API is called with the encrypted blob which stores it in the database alongside the public address of the Agent Key |
| 44 | + |
| 45 | +### Signing |
| 46 | + |
| 47 | +- The client authenticates a request with the Agent Key |
| 48 | +- The TEE validates, enforces policy and signs the request |
| 49 | +- Finally, it returns a signature without exposing key material. |
| 50 | + |
| 51 | +### Export |
| 52 | + |
| 53 | +- The client sends an export request with the Agent Key |
| 54 | +- The TEE validates, enforces policy and signs the request |
| 55 | +- Finally, it returns the encrypted blog stored in the database, which the can be decrypted on the client side with the Agent Key. |
| 56 | + |
| 57 | +### Rotation |
| 58 | + |
| 59 | +- A new Agent Key is generated on the client side. |
| 60 | +- It is authenticated with the existing Agent Key by the enclave, enforcing the policies. |
| 61 | +- The encrypted blob decrypted is re-encrypted using the new Agent Key and stored against the new public address of the Agent Key. |
| 62 | + |
| 63 | +### Some reference TEE Policies |
| 64 | + |
| 65 | +- Spend limits: cap value per transaction and per day. |
| 66 | +- Scope limits: allowlisted contracts, methods, and tokens. |
| 67 | +- Chain limits: allow only the networks you support. |
| 68 | +- Frequency limits: throttle bursts to reduce risk. |
| 69 | +- Simulation checks: sign only if a dry‑run looks safe. |
| 70 | +- Human approval: require a second click for unusual activity. |
| 71 | + |
| 72 | +## Some interesting architectural questions |
| 73 | + |
| 74 | +While finalising our version of the server wallets, we came across very valid and genuine questions, which needed to be answered. Some of these questions |
| 75 | + |
| 76 | +- Why use Trusted Execution Environments (TEEs) |
| 77 | + - Currently MetaMask Embedded Wallet SDKs give access to the signer directly to the frontend/ backend environment where the operations need to happen. |
| 78 | + - With a wallet secret present in the environment of execution, able to access the TEE operations, both are equally secure. |
| 79 | + - However with TEE, we can add a policy engine, which can restrict certain operations. |
| 80 | + - For a general user account, this is not much useful for most cases, however for an AI agent, the chance for AI hallucinating and performing weird things are much more. More than security we have to make sure this issue is resolved. |
| 81 | +- Why not TSS MPC |
| 82 | + - The MPC Core Kit SDKs offered with MetaMask Embedded Wallets are a great option for this, however TSS signing speed becomes a bottleneck. |
| 83 | + - Even with our DKLS19 solution it takes 4-5secs to sign with 5 nodes holding the key. |
| 84 | + - We can reduce the number of nodes to do it and have it on a high quality server but still it cannot match the speed of single key signing |
| 85 | + - MPC’s decentralization benefits are real, but for this product goal—fast server-side signing with tight policy and attestation—the latency and complexity tradeoffs are unnecessary |
| 86 | +- Why not Smart Accounts |
| 87 | + - Smart accounts do and can resolve most of these issues, especially with 7715 permission, however they have their limitations. |
| 88 | + - One of the biggest pain points is that they may not be able to work cross-chain and with non EVM networks like Solana. |
| 89 | + - The operations to update policies will be significantly expensive as compared to a TEE policy engine. |
| 90 | + - Performance will also be a bottleneck for different chains. General trading bots are also used for high frequency trading, which is where the issue lies. |
| 91 | + |
| 92 | +## How does this fit ERC‑8004? |
| 93 | + |
| 94 | +With ERC 8004 in action, every AI agent needs a signing identity that can register itself on‑chain and prove control of that identity when it interacts, so others can discover, trust, and audit the agent’s actions across ecosystems. In practice, this means pairing a signer with the ERC‑8004 identity registry entry and the agent’s off‑chain registration file so requests are attributable and verifiable end to end. |
| 95 | + |
| 96 | +Hence server wallets by default become an integral part of making AI agents with ERC 8004\. |
| 97 | + |
| 98 | +:::info Coming soon |
| 99 | + |
| 100 | +MetaMask Embedded Wallets is packaging this architecture into a one‑click server wallet experience so teams can go from idea to production with attestation, policy, and secure signing out of the box, with optional ERC‑8004 alignment for interop when you need it. Watch this space for early access details as we finalize SDKs, tutorials, and reference deployments. |
| 101 | + |
| 102 | +::: |
0 commit comments