The Product
Session Keys - How AI Agents Get Autonomy
How bounded delegated signing enables safe autonomous execution.
Updated Feb 23, 2026
This is the piece that makes Papillae genuinely useful for autonomous systems rather than just another payment app with an API.
The problem with standard non-custodial wallets and AI agents is simple. The agent can understand the instruction. The agent can compute the route. The agent can prepare the transaction. But then it needs a human to sign. If the human has to sign every payment, the agent is not autonomous - it is a slightly smarter form-filling assistant.
Session keys solve this.
A session key is a limited signing authority. The user defines the boundaries:
1Maximum per transaction: $5002Maximum per day: $2,0003Allowed corridors: USD-PHP, USD-NGN4Recipient whitelist: Mom (0xabc...), Ahmed (0xdef...)5Expiry: 30 daysThese boundaries are enforced by the smart contract. Not by Papillae's policy. Not by a terms of service clause. By code that executes deterministically on-chain. When the AI agent wants to send $200 to Mom, it calls the contract. The contract checks the session key boundaries. $200 is within the daily limit. Mom is on the whitelist. USD-NGN is an allowed corridor. Transaction executes. No human required.
When the agent wants to send $600 - above the $500 per-transaction limit - the contract refuses the execution. The agent escalates to the user for explicit approval. The user reviews, approves with their own signature, and the payment goes.
The session key itself can be revoked at any time by the user. Revoking is immediate and permanent until a new session key is issued. If the user's device is compromised, revoking the session key removes the agent's ability to execute anything within seconds.
This architecture means the worst case exposure from a compromised session key is bounded by the user-defined limits - not unlimited. An attacker who gets the session key cannot drain the wallet. They can only move up to the per-day limit, to whitelisted recipients, on allowed corridors. In most configurations that is a small fraction of the user's actual balance.