From add95f51758061bd7698ddddf89a3fe34482dd15 Mon Sep 17 00:00:00 2001 From: Derek Cofausper <256792747+decofe@users.noreply.github.com> Date: Fri, 10 Apr 2026 09:49:20 +0000 Subject: [PATCH 1/3] docs: add cast keychain reference page Co-Authored-By: 0xrusowsky <90208954+0xrusowsky@users.noreply.github.com> Amp-Thread-ID: https://ampcode.com/threads/T-019d76b5-e92a-7588-87bc-4969a2f98a2d --- src/pages/sdk/foundry/cast-keychain.mdx | 220 ++++++++++++++++++++++++ vocs.config.ts | 12 +- 2 files changed, 231 insertions(+), 1 deletion(-) create mode 100644 src/pages/sdk/foundry/cast-keychain.mdx diff --git a/src/pages/sdk/foundry/cast-keychain.mdx b/src/pages/sdk/foundry/cast-keychain.mdx new file mode 100644 index 00000000..5175b28a --- /dev/null +++ b/src/pages/sdk/foundry/cast-keychain.mdx 
@@ -0,0 +1,220 @@ +--- +title: cast keychain +description: Manage Tempo access keys from the command line — authorize, revoke, scope, and query keys via the Account Keychain precompile. +--- + +# cast keychain + +`cast keychain` provides a CLI interface to Tempo's [Account Keychain precompile](/protocol/transactions/AccountKeychain). It lets you authorize access keys, set spending limits and call scopes, revoke keys, and query key state — all from the terminal. + +:::info +`cast keychain` only works on Tempo networks. It will fail with an error on non-Tempo chains. +::: + +## Authorize a key + +Create a new access key for your account: + +```bash +cast keychain authorize \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +| Parameter | Description | +|---|---| +| `KEY_ID` | Address derived from the access key's public key | +| `SIGNATURE_TYPE` | `secp256k1`, `p256`, or `webauthn` | +| `EXPIRY` | Unix timestamp when the key expires (`0` for never) | + +:::tip +An expiry of `0` means the key never expires. On-chain this is stored as the max `u64` value (`18446744073709551615`), which is what `key-info` will display. +::: + +### Spending limits + +Restrict how much the key can spend per token with `--limit`: + +```bash +cast keychain authorize secp256k1 0 \ + --limit :1000000 \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +Format: `TOKEN:AMOUNT` or `TOKEN:AMOUNT:PERIOD_SECONDS` + +- `TOKEN:AMOUNT` — lifetime spending cap +- `TOKEN:AMOUNT:PERIOD` — spending cap that resets every `PERIOD` seconds + +Multiple `--limit` flags can be passed for different tokens. 
+ +### Call scopes + +Restrict which contracts and functions the key can call with `--scope`: + +```bash +# Only allow transfer and approve on a specific token +cast keychain authorize secp256k1 0 \ + --scope :transfer,approve \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY + +# Allow any call to a specific contract +cast keychain authorize secp256k1 0 \ + --scope \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY + +# Restrict transfer to a specific recipient +cast keychain authorize secp256k1 0 \ + --scope :transfer@ \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +`--scope` format: `ADDRESS` or `ADDRESS:SELECTORS` + +- `ADDRESS` alone allows unrestricted calls to that contract +- `SELECTORS` is a comma-separated list of named selectors (`transfer`, `transfer_with_memo`, `approve`) or raw 4-byte hex (`0xaabbccdd`) +- Append `@RECIPIENT` to restrict the first argument (e.g. transfer recipient). Multiple recipients can be chained: `transfer@0xAlice@0xBob` + +Multiple `--scope` flags can be combined. Without any `--scope`, the key can call any contract. 
+ +Alternatively, pass scopes as JSON with `--scopes` (mutually exclusive with `--scope`): + +```bash +cast keychain authorize secp256k1 0 \ + --scopes '[ + {"target":"","selectors":["transfer","approve"]}, + {"target":""} + ]' \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +Selectors in `--scopes` can also include recipient restrictions: + +```json +[{"target":"","selectors":[{"selector":"transfer","recipients":[""]}]}] +``` + +### Full example + +Authorize a `secp256k1` key that expires in 24 hours, can spend up to 1,000,000 units of a specific token, and is scoped to `transfer` calls only: + +```bash +EXPIRY=$(($(date +%s) + 86400)) + +cast keychain authorize secp256k1 $EXPIRY \ + --limit :1000000 \ + --scope :transfer \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +## Revoke a key + +Permanently revoke an access key: + +```bash +cast keychain revoke \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +Revoked keys cannot be re-authorized. + +## Update spending limit + +Change the spending limit for a key-token pair: + +```bash +cast keychain update-limit \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +## Set call scopes + +Replace all call scope entries for an existing key. 
At least one `--scope` or `--scopes` is required: + +```bash +cast keychain set-scope \ + --scope :transfer \ + --scope \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +JSON scopes are also supported: + +```bash +cast keychain set-scope \ + --scopes '[{"target":"","selectors":["transfer","approve"]}]' \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +## Remove a call scope + +Remove a target contract from the key's allowed call list: + +```bash +cast keychain remove-scope \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +## Query key info + +Look up an access key's configuration (read-only, no wallet needed): + +```bash +cast keychain key-info \ + --rpc-url $TEMPO_RPC_URL +``` + +Output: + +``` +Key ID: 0x... +Signature Type: secp256k1 +Expiry: 1735689600 +Enforce Limits: true +Revoked: false +``` + +Use `--json` for machine-readable output. + +## Query remaining limit + +Check how much spending allowance remains for a key-token pair: + +```bash +cast keychain remaining-limit \ + --rpc-url $TEMPO_RPC_URL +``` + +Use `--json` for machine-readable output. + +## Command aliases + +| Command | Alias | +|---|---| +| `authorize` | `auth` | +| `revoke` | `rev` | +| `update-limit` | `ul` | +| `key-info` | `info` | +| `remaining-limit` | `rl` | +| `set-scope` | `ss` | +| `remove-scope` | `rs` | + +## Using with access keys + +All write commands support the `--tempo.access-key` and `--tempo.root-account` flags for delegated signing. See the [Tempo-specific CLI flags reference](/sdk/foundry#tempo-specific-cli-flags). + +## Learn more + +- [Account Keychain precompile specification](/protocol/transactions/AccountKeychain) — full protocol-level details +- [Foundry for Tempo](/sdk/foundry) — installation, setup, and Tempo-specific CLI flags diff --git a/vocs.config.ts b/vocs.config.ts index 72e0861a..f1233dde 100644 --- a/vocs.config.ts +++ b/vocs.config.ts 
@@ -682,7 +682,17 @@ export default defineConfig({ }, { text: 'Foundry', - link: '/sdk/foundry', + collapsed: true, + items: [ + { + text: 'Overview', + link: '/sdk/foundry', + }, + { + text: 'cast keychain', + link: '/sdk/foundry/cast-keychain', + }, + ], }, { text: 'Python', From 992fadc61be4b6d124ef50e03f8d2e249c96ad3c Mon Sep 17 00:00:00 2001 From: Derek Cofausper <256792747+decofe@users.noreply.github.com> Date: Tue, 14 Apr 2026 15:34:24 +0000 Subject: [PATCH 2/3] docs: merge cast keychain into foundry index page Move cast keychain content into the Foundry page as its own section instead of a separate subpage. Strip command output examples to keep only the commands themselves. Co-authored-by: 0xrusowsky <90208954+0xrusowsky@users.noreply.github.com> Amp-Thread-ID: https://ampcode.com/threads/T-019d8c9d-af39-74af-b485-7399e100a4f8 --- src/pages/sdk/foundry/cast-keychain.mdx | 220 ------------------------ src/pages/sdk/foundry/index.mdx | 194 +++++++++++++++++++++ vocs.config.ts | 12 +- 3 files changed, 195 insertions(+), 231 deletions(-) delete mode 100644 src/pages/sdk/foundry/cast-keychain.mdx diff --git a/src/pages/sdk/foundry/cast-keychain.mdx b/src/pages/sdk/foundry/cast-keychain.mdx deleted file mode 100644 index 5175b28a..00000000 --- a/src/pages/sdk/foundry/cast-keychain.mdx +++ /dev/null 
@@ -1,220 +0,0 @@ ---- -title: cast keychain -description: Manage Tempo access keys from the command line — authorize, revoke, scope, and query keys via the Account Keychain precompile. ---- - -# cast keychain - -`cast keychain` provides a CLI interface to Tempo's [Account Keychain precompile](/protocol/transactions/AccountKeychain). It lets you authorize access keys, set spending limits and call scopes, revoke keys, and query key state — all from the terminal. - -:::info -`cast keychain` only works on Tempo networks. It will fail with an error on non-Tempo chains. -::: - -## Authorize a key - -Create a new access key for your account: - -```bash -cast keychain authorize \ - --rpc-url $TEMPO_RPC_URL \ - --private-key $PRIVATE_KEY -``` - -| Parameter | Description | -|---|---| -| `KEY_ID` | Address derived from the access key's public key | -| `SIGNATURE_TYPE` | `secp256k1`, `p256`, or `webauthn` | -| `EXPIRY` | Unix timestamp when the key expires (`0` for never) | - -:::tip -An expiry of `0` means the key never expires. On-chain this is stored as the max `u64` value (`18446744073709551615`), which is what `key-info` will display. -::: - -### Spending limits - -Restrict how much the key can spend per token with `--limit`: - -```bash -cast keychain authorize secp256k1 0 \ - --limit :1000000 \ - --rpc-url $TEMPO_RPC_URL \ - --private-key $PRIVATE_KEY -``` - -Format: `TOKEN:AMOUNT` or `TOKEN:AMOUNT:PERIOD_SECONDS` - -- `TOKEN:AMOUNT` — lifetime spending cap -- `TOKEN:AMOUNT:PERIOD` — spending cap that resets every `PERIOD` seconds - -Multiple `--limit` flags can be passed for different tokens. 
- -### Call scopes - -Restrict which contracts and functions the key can call with `--scope`: - -```bash -# Only allow transfer and approve on a specific token -cast keychain authorize secp256k1 0 \ - --scope :transfer,approve \ - --rpc-url $TEMPO_RPC_URL \ - --private-key $PRIVATE_KEY - -# Allow any call to a specific contract -cast keychain authorize secp256k1 0 \ - --scope \ - --rpc-url $TEMPO_RPC_URL \ - --private-key $PRIVATE_KEY - -# Restrict transfer to a specific recipient -cast keychain authorize secp256k1 0 \ - --scope :transfer@ \ - --rpc-url $TEMPO_RPC_URL \ - --private-key $PRIVATE_KEY -``` - -`--scope` format: `ADDRESS` or `ADDRESS:SELECTORS` - -- `ADDRESS` alone allows unrestricted calls to that contract -- `SELECTORS` is a comma-separated list of named selectors (`transfer`, `transfer_with_memo`, `approve`) or raw 4-byte hex (`0xaabbccdd`) -- Append `@RECIPIENT` to restrict the first argument (e.g. transfer recipient). Multiple recipients can be chained: `transfer@0xAlice@0xBob` - -Multiple `--scope` flags can be combined. Without any `--scope`, the key can call any contract. 
- -Alternatively, pass scopes as JSON with `--scopes` (mutually exclusive with `--scope`): - -```bash -cast keychain authorize secp256k1 0 \ - --scopes '[ - {"target":"","selectors":["transfer","approve"]}, - {"target":""} - ]' \ - --rpc-url $TEMPO_RPC_URL \ - --private-key $PRIVATE_KEY -``` - -Selectors in `--scopes` can also include recipient restrictions: - -```json -[{"target":"","selectors":[{"selector":"transfer","recipients":[""]}]}] -``` - -### Full example - -Authorize a `secp256k1` key that expires in 24 hours, can spend up to 1,000,000 units of a specific token, and is scoped to `transfer` calls only: - -```bash -EXPIRY=$(($(date +%s) + 86400)) - -cast keychain authorize secp256k1 $EXPIRY \ - --limit :1000000 \ - --scope :transfer \ - --rpc-url $TEMPO_RPC_URL \ - --private-key $PRIVATE_KEY -``` - -## Revoke a key - -Permanently revoke an access key: - -```bash -cast keychain revoke \ - --rpc-url $TEMPO_RPC_URL \ - --private-key $PRIVATE_KEY -``` - -Revoked keys cannot be re-authorized. - -## Update spending limit - -Change the spending limit for a key-token pair: - -```bash -cast keychain update-limit \ - --rpc-url $TEMPO_RPC_URL \ - --private-key $PRIVATE_KEY -``` - -## Set call scopes - -Replace all call scope entries for an existing key. 
At least one `--scope` or `--scopes` is required: - -```bash -cast keychain set-scope \ - --scope :transfer \ - --scope \ - --rpc-url $TEMPO_RPC_URL \ - --private-key $PRIVATE_KEY -``` - -JSON scopes are also supported: - -```bash -cast keychain set-scope \ - --scopes '[{"target":"","selectors":["transfer","approve"]}]' \ - --rpc-url $TEMPO_RPC_URL \ - --private-key $PRIVATE_KEY -``` - -## Remove a call scope - -Remove a target contract from the key's allowed call list: - -```bash -cast keychain remove-scope \ - --rpc-url $TEMPO_RPC_URL \ - --private-key $PRIVATE_KEY -``` - -## Query key info - -Look up an access key's configuration (read-only, no wallet needed): - -```bash -cast keychain key-info \ - --rpc-url $TEMPO_RPC_URL -``` - -Output: - -``` -Key ID: 0x... -Signature Type: secp256k1 -Expiry: 1735689600 -Enforce Limits: true -Revoked: false -``` - -Use `--json` for machine-readable output. - -## Query remaining limit - -Check how much spending allowance remains for a key-token pair: - -```bash -cast keychain remaining-limit \ - --rpc-url $TEMPO_RPC_URL -``` - -Use `--json` for machine-readable output. - -## Command aliases - -| Command | Alias | -|---|---| -| `authorize` | `auth` | -| `revoke` | `rev` | -| `update-limit` | `ul` | -| `key-info` | `info` | -| `remaining-limit` | `rl` | -| `set-scope` | `ss` | -| `remove-scope` | `rs` | - -## Using with access keys - -All write commands support the `--tempo.access-key` and `--tempo.root-account` flags for delegated signing. See the [Tempo-specific CLI flags reference](/sdk/foundry#tempo-specific-cli-flags). - -## Learn more - -- [Account Keychain precompile specification](/protocol/transactions/AccountKeychain) — full protocol-level details -- [Foundry for Tempo](/sdk/foundry) — installation, setup, and Tempo-specific CLI flags diff --git a/src/pages/sdk/foundry/index.mdx b/src/pages/sdk/foundry/index.mdx index 18c284e3..b6d46b44 100644 --- a/src/pages/sdk/foundry/index.mdx +++ b/src/pages/sdk/foundry/index.mdx 
@@ -315,4 +315,198 @@ The following flags are available for `cast` and `forge script` for Tempo-specif Ledger and Trezor wallets are not yet compatible with any `--tempo.*` option. +## cast keychain + +`cast keychain` provides a CLI interface to Tempo's [Account Keychain precompile](/protocol/transactions/AccountKeychain). It lets you authorize access keys, set spending limits and call scopes, revoke keys, and query key state — all from the terminal. + +:::info +`cast keychain` only works on Tempo networks. It will fail with an error on non-Tempo chains. +::: + +### Authorize a key + +Create a new access key for your account: + +```bash +cast keychain authorize \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +| Parameter | Description | +|---|---| +| `KEY_ID` | Address derived from the access key's public key | +| `SIGNATURE_TYPE` | `secp256k1`, `p256`, or `webauthn` | +| `EXPIRY` | Unix timestamp when the key expires (`0` for never) | + +:::tip +An expiry of `0` means the key never expires. On-chain this is stored as the max `u64` value (`18446744073709551615`), which is what `key-info` will display. +::: + +#### Spending limits + +Restrict how much the key can spend per token with `--limit`: + +```bash +cast keychain authorize secp256k1 0 \ + --limit :1000000 \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +Format: `TOKEN:AMOUNT` or `TOKEN:AMOUNT:PERIOD_SECONDS` + +- `TOKEN:AMOUNT` — lifetime spending cap +- `TOKEN:AMOUNT:PERIOD` — spending cap that resets every `PERIOD` seconds + +Multiple `--limit` flags can be passed for different tokens. 
+ +#### Call scopes + +Restrict which contracts and functions the key can call with `--scope`: + +```bash +# Only allow transfer and approve on a specific token +cast keychain authorize secp256k1 0 \ + --scope :transfer,approve \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY + +# Allow any call to a specific contract +cast keychain authorize secp256k1 0 \ + --scope \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY + +# Restrict transfer to a specific recipient +cast keychain authorize secp256k1 0 \ + --scope :transfer@ \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +`--scope` format: `ADDRESS` or `ADDRESS:SELECTORS` + +- `ADDRESS` alone allows unrestricted calls to that contract +- `SELECTORS` is a comma-separated list of named selectors (`transfer`, `transfer_with_memo`, `approve`) or raw 4-byte hex (`0xaabbccdd`) +- Append `@RECIPIENT` to restrict the first argument (e.g. transfer recipient). Multiple recipients can be chained: `transfer@0xAlice@0xBob` + +Multiple `--scope` flags can be combined. Without any `--scope`, the key can call any contract. 
+ +Alternatively, pass scopes as JSON with `--scopes` (mutually exclusive with `--scope`): + +```bash +cast keychain authorize secp256k1 0 \ + --scopes '[ + {"target":"","selectors":["transfer","approve"]}, + {"target":""} + ]' \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +Selectors in `--scopes` can also include recipient restrictions: + +```json +[{"target":"","selectors":[{"selector":"transfer","recipients":[""]}]}] +``` + +#### Full example + +Authorize a `secp256k1` key that expires in 24 hours, can spend up to 1,000,000 units of a specific token, and is scoped to `transfer` calls only: + +```bash +EXPIRY=$(($(date +%s) + 86400)) + +cast keychain authorize secp256k1 $EXPIRY \ + --limit :1000000 \ + --scope :transfer \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +### Revoke a key + +```bash +cast keychain revoke \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +Revoked keys cannot be re-authorized. + +### Update spending limit + +```bash +cast keychain update-limit \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +### Set call scopes + +Replace all call scope entries for an existing key. At least one `--scope` or `--scopes` is required: + +```bash +cast keychain set-scope \ + --scope :transfer \ + --scope \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +JSON scopes are also supported: + +```bash +cast keychain set-scope \ + --scopes '[{"target":"","selectors":["transfer","approve"]}]' \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +### Remove a call scope + +```bash +cast keychain remove-scope \ + --rpc-url $TEMPO_RPC_URL \ + --private-key $PRIVATE_KEY +``` + +### Query key info + +```bash +cast keychain key-info \ + --rpc-url $TEMPO_RPC_URL +``` + +Use `--json` for machine-readable output. + +### Query remaining limit + +```bash +cast keychain remaining-limit \ + --rpc-url $TEMPO_RPC_URL +``` + +Use `--json` for machine-readable output. 
+ +### Command aliases + +| Command | Alias | +|---|---| +| `authorize` | `auth` | +| `revoke` | `rev` | +| `update-limit` | `ul` | +| `key-info` | `info` | +| `remaining-limit` | `rl` | +| `set-scope` | `ss` | +| `remove-scope` | `rs` | + +### Using with access keys + +All write commands support the `--tempo.access-key` and `--tempo.root-account` flags for delegated signing. See [Tempo-specific CLI flags](#tempo-specific-cli-flags) above. + +### Learn more + +- [Account Keychain precompile specification](/protocol/transactions/AccountKeychain) — full protocol-level details diff --git a/vocs.config.ts b/vocs.config.ts index f1233dde..72e0861a 100644 --- a/vocs.config.ts +++ b/vocs.config.ts @@ -682,17 +682,7 @@ export default defineConfig({ }, { text: 'Foundry', - collapsed: true, - items: [ - { - text: 'Overview', - link: '/sdk/foundry', - }, - { - text: 'cast keychain', - link: '/sdk/foundry/cast-keychain', - }, - ], + link: '/sdk/foundry', }, { text: 'Python', From 696478c098588df56d127d42b58d7d5475b46062 Mon Sep 17 00:00:00 2001 From: Derek Cofausper <256792747+decofe@users.noreply.github.com> Date: Tue, 14 Apr 2026 16:02:51 +0000 Subject: [PATCH 3/3] docs: strip cast keychain to match existing cast command style Single code block with inline comments, no separate headings/tables/prose. Co-Authored-By: 0xrusowsky <90208954+0xrusowsky@users.noreply.github.com> Amp-Thread-ID: https://ampcode.com/threads/T-019d8c9d-af39-74af-b485-7399e100a4f8 --- src/pages/sdk/foundry/index.mdx | 152 +++----------------------------- 1 file changed, 14 insertions(+), 138 deletions(-) diff --git a/src/pages/sdk/foundry/index.mdx b/src/pages/sdk/foundry/index.mdx index b6d46b44..73cb2e99 100644 --- a/src/pages/sdk/foundry/index.mdx +++ b/src/pages/sdk/foundry/index.mdx 
@@ -317,196 +317,72 @@ Ledger and Trezor wallets are not yet compatible with any `--tempo.*` option. ## cast keychain -`cast keychain` provides a CLI interface to Tempo's [Account Keychain precompile](/protocol/transactions/AccountKeychain). It lets you authorize access keys, set spending limits and call scopes, revoke keys, and query key state — all from the terminal. +`cast keychain` provides a CLI interface to Tempo's [Account Keychain precompile](/protocol/transactions/AccountKeychain). :::info -`cast keychain` only works on Tempo networks. It will fail with an error on non-Tempo chains. +`cast keychain` only works on Tempo networks. ::: -### Authorize a key - -Create a new access key for your account: - ```bash -cast keychain authorize \ +# Authorize a new access key (signature types: secp256k1, p256, webauthn; expiry 0 = never): +cast keychain authorize secp256k1 0 \ --rpc-url $TEMPO_RPC_URL \ --private-key $PRIVATE_KEY -``` - -| Parameter | Description | -|---|---| -| `KEY_ID` | Address derived from the access key's public key | -| `SIGNATURE_TYPE` | `secp256k1`, `p256`, or `webauthn` | -| `EXPIRY` | Unix timestamp when the key expires (`0` for never) | - -:::tip -An expiry of `0` means the key never expires. On-chain this is stored as the max `u64` value (`18446744073709551615`), which is what `key-info` will display. -::: - -#### Spending limits - -Restrict how much the key can spend per token with `--limit`: -```bash +# Authorize with a spending limit (TOKEN:AMOUNT or TOKEN:AMOUNT:PERIOD_SECONDS): cast keychain authorize secp256k1 0 \ --limit :1000000 \ --rpc-url $TEMPO_RPC_URL \ --private-key $PRIVATE_KEY -``` - -Format: `TOKEN:AMOUNT` or `TOKEN:AMOUNT:PERIOD_SECONDS` - -- `TOKEN:AMOUNT` — lifetime spending cap -- `TOKEN:AMOUNT:PERIOD` — spending cap that resets every `PERIOD` seconds - -Multiple `--limit` flags can be passed for different tokens. 
-#### Call scopes - -Restrict which contracts and functions the key can call with `--scope`: - -```bash -# Only allow transfer and approve on a specific token +# Authorize with call scopes (restrict to specific contracts/functions): cast keychain authorize secp256k1 0 \ --scope :transfer,approve \ --rpc-url $TEMPO_RPC_URL \ --private-key $PRIVATE_KEY -# Allow any call to a specific contract -cast keychain authorize secp256k1 0 \ - --scope \ - --rpc-url $TEMPO_RPC_URL \ - --private-key $PRIVATE_KEY - -# Restrict transfer to a specific recipient +# Authorize with call scope restricted to a specific recipient: cast keychain authorize secp256k1 0 \ --scope :transfer@ \ --rpc-url $TEMPO_RPC_URL \ --private-key $PRIVATE_KEY -``` - -`--scope` format: `ADDRESS` or `ADDRESS:SELECTORS` - -- `ADDRESS` alone allows unrestricted calls to that contract -- `SELECTORS` is a comma-separated list of named selectors (`transfer`, `transfer_with_memo`, `approve`) or raw 4-byte hex (`0xaabbccdd`) -- Append `@RECIPIENT` to restrict the first argument (e.g. transfer recipient). Multiple recipients can be chained: `transfer@0xAlice@0xBob` - -Multiple `--scope` flags can be combined. Without any `--scope`, the key can call any contract. 
- -Alternatively, pass scopes as JSON with `--scopes` (mutually exclusive with `--scope`): - -```bash -cast keychain authorize secp256k1 0 \ - --scopes '[ - {"target":"","selectors":["transfer","approve"]}, - {"target":""} - ]' \ - --rpc-url $TEMPO_RPC_URL \ - --private-key $PRIVATE_KEY -``` - -Selectors in `--scopes` can also include recipient restrictions: - -```json -[{"target":"","selectors":[{"selector":"transfer","recipients":[""]}]}] -``` - -#### Full example -Authorize a `secp256k1` key that expires in 24 hours, can spend up to 1,000,000 units of a specific token, and is scoped to `transfer` calls only: - -```bash +# Full example: 24h expiry + spending limit + call scope: EXPIRY=$(($(date +%s) + 86400)) - cast keychain authorize secp256k1 $EXPIRY \ --limit :1000000 \ --scope :transfer \ --rpc-url $TEMPO_RPC_URL \ --private-key $PRIVATE_KEY -``` - -### Revoke a key -```bash +# Revoke an access key (permanent, cannot be re-authorized): cast keychain revoke \ --rpc-url $TEMPO_RPC_URL \ --private-key $PRIVATE_KEY -``` - -Revoked keys cannot be re-authorized. -### Update spending limit - -```bash +# Update spending limit for a key-token pair: cast keychain update-limit \ --rpc-url $TEMPO_RPC_URL \ --private-key $PRIVATE_KEY -``` - -### Set call scopes - -Replace all call scope entries for an existing key. 
At least one `--scope` or `--scopes` is required: -```bash +# Replace all call scopes for a key: cast keychain set-scope \ --scope :transfer \ --scope \ --rpc-url $TEMPO_RPC_URL \ --private-key $PRIVATE_KEY -``` - -JSON scopes are also supported: - -```bash -cast keychain set-scope \ - --scopes '[{"target":"","selectors":["transfer","approve"]}]' \ - --rpc-url $TEMPO_RPC_URL \ - --private-key $PRIVATE_KEY -``` -### Remove a call scope - -```bash +# Remove a target contract from allowed call list: cast keychain remove-scope \ --rpc-url $TEMPO_RPC_URL \ --private-key $PRIVATE_KEY -``` - -### Query key info -```bash +# Query key info (read-only): cast keychain key-info \ --rpc-url $TEMPO_RPC_URL -``` - -Use `--json` for machine-readable output. -### Query remaining limit - -```bash +# Query remaining spending limit: cast keychain remaining-limit \ --rpc-url $TEMPO_RPC_URL ``` -Use `--json` for machine-readable output. - -### Command aliases - -| Command | Alias | -|---|---| -| `authorize` | `auth` | -| `revoke` | `rev` | -| `update-limit` | `ul` | -| `key-info` | `info` | -| `remaining-limit` | `rl` | -| `set-scope` | `ss` | -| `remove-scope` | `rs` | - -### Using with access keys - -All write commands support the `--tempo.access-key` and `--tempo.root-account` flags for delegated signing. See [Tempo-specific CLI flags](#tempo-specific-cli-flags) above. - -### Learn more - -- [Account Keychain precompile specification](/protocol/transactions/AccountKeychain) — full protocol-level details -
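Review bot: In [PATCH 1/3], `cast-keychain.mdx`, "Authorize a key", the command is shown as `cast keychain authorize \` with no positional arguments even though the table directly below documents `KEY_ID`, `SIGNATURE_TYPE` and `EXPIRY`. The later examples have the same gap: `authorize secp256k1 0` carries no key id, `--limit :1000000` has nothing before the colon, `--scope \` has no value, and the JSON form uses `"target":""`. As shown, none of these can be copied and run, and a reader cannot tell where the token or contract address belongs. Make the placeholders visible in every command and confirm they survive MDX rendering; the same lines are carried into the `index.mdx` copies in 2/3 and 3/3. The `--limit` amount is also described only as "1,000,000 units", so say whether that is the token's smallest unit.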
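Review bot: The series creates `src/pages/sdk/foundry/cast-keychain.mdx` and the collapsed `Foundry` sidebar group in `vocs.config.ts` in [PATCH 1/3], then deletes the file and reverts the sidebar to `link: '/sdk/foundry'` in [PATCH 2/3]. The 220-line page and the `/sdk/foundry/cast-keychain` link therefore exist only between two commits of the same series. Squash 1/3 and 2/3 (or the whole series) so the history shows a single addition to `index.mdx` and no net change to `vocs.config.ts`.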
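Review bot: In the `index.mdx` hunk of [PATCH 2/3], every write example passes `--private-key $PRIVATE_KEY`, and the unchanged context line just above the new section says Ledger and Trezor wallets are not yet compatible with any `--tempo.*` option, so the page gives the reader no alternative to a raw key on the command line. The shell expands the variable before `cast` runs, so the key value ends up in the process argument list. The section should say which key `$PRIVATE_KEY` is expected to be, and "Using with access keys" should show one command that actually uses `--tempo.access-key` and `--tempo.root-account` rather than only naming the flags. If `cast keychain` accepts cast's other wallet options, prefer one of those in the examples.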
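Review bot: The condensed block in [PATCH 3/3] removes the sentence "Without any `--scope`, the key can call any contract" and the tip that expiry `0` is stored as the max `u64` value that `key-info` displays, while its first example is still `cast keychain authorize secp256k1 0` with no `--limit` and no `--scope`. The first command a reader sees now authorizes a key that never expires and is unrestricted, with nothing on the page saying so. Keep a one-line comment on that command stating what it grants, and consider leading with the 24h expiry + limit + scope example instead. The hunk also drops the `--scopes` JSON form, the `ADDRESS:SELECTORS` and `@RECIPIENT` grammar, `--json`, the aliases table and the "Learn more" link to the precompile specification; if the detail is meant to live elsewhere, keep at least that link so the scope syntax stays discoverable.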