tempo_alloy::contracts::precompiles::account_keychain

Module IAccountKeychain

Expand description

Account Keychain interface for managing authorized keys

This precompile allows accounts to authorize secondary keys with:

Different signature types (secp256k1, P256, WebAuthn)
Expiry times for key rotation
Per-token spending limits for security

Only the main account key can authorize/revoke keys, while secondary keys can be used for regular transactions within their spending limits.

interface IAccountKeychain {
    enum SignatureType { Secp256k1, P256, WebAuthn }
    struct LegacyTokenLimit { address token; uint256 amount; }
    struct TokenLimit { address token; uint256 amount; uint64 period; }
    struct SelectorRule { bytes4 selector; address[] recipients; }
    struct CallScope { address target; SelectorRule[] selectorRules; }
    struct KeyRestrictions { uint64 expiry; bool enforceLimits; TokenLimit[] limits; bool allowAnyCalls; CallScope[] allowedCalls; }
    struct KeyInfo { SignatureType signatureType; address keyId; uint64 expiry; bool enforceLimits; bool isRevoked; }
    event KeyAuthorized(address indexed account, address indexed publicKey, uint8 signatureType, uint64 expiry);
    event KeyRevoked(address indexed account, address indexed publicKey);
    event SpendingLimitUpdated(address indexed account, address indexed publicKey, address indexed token, uint256 newLimit);
    event AccessKeySpend(address indexed account, address indexed publicKey, address indexed token, uint256 amount, uint256 remainingLimit);
    function authorizeKey(address keyId, SignatureType signatureType, uint64 expiry, bool enforceLimits, LegacyTokenLimit[] calldata limits) external;
    function authorizeKey(address keyId, SignatureType signatureType, KeyRestrictions calldata config) external;
    function revokeKey(address keyId) external;
    function updateSpendingLimit(address keyId, address token, uint256 newLimit) external;
    function setAllowedCalls(address keyId, CallScope[] calldata scopes) external;
    function removeAllowedCalls(address keyId, address target) external;
    function getKey(address account, address keyId) external view returns (KeyInfo memory);
    function getRemainingLimit(address account, address keyId, address token) external view returns (uint256 remaining);
    function getRemainingLimitWithPeriod(address account, address keyId, address token) external view returns (uint256 remaining, uint64 periodEnd);
    function getAllowedCalls(address account, address keyId) external view returns (bool isScoped, CallScope[] memory scopes);
    function getTransactionKey() external view returns (address);
    error UnauthorizedCaller();
    error KeyAlreadyExists();
    error KeyNotFound();
    error KeyExpired();
    error SpendingLimitExceeded();
    error InvalidSpendingLimit();
    error InvalidSignatureType();
    error ZeroPublicKey();
    error ExpiryInPast();
    error KeyAlreadyRevoked();
    error SignatureTypeMismatch(uint8 expected, uint8 actual);
    error CallNotAllowed();
    error InvalidCallScope();
    error LegacyAuthorizeKeySelectorChanged(bytes4 newSelector);
}

Modules§

abi: Contains dynamic ABI definitions for this contract.

Structs§

AccessKeySpend: Event with signature AccessKeySpend(address,address,address,uint256,uint256) and selector 0xe0815e3aaadddf4dd75bde97fc060f0c38afe18e87a169be86a3f5c28247f192.
CallNotAllowed: Custom error with signature CallNotAllowed() and selector 0x576b38b4.
CallScope: Per-target call scope.
ExpiryInPast: Custom error with signature ExpiryInPast() and selector 0x79955a10.
IAccountKeychainInstance: A IAccountKeychain instance.
InvalidCallScope: Custom error with signature InvalidCallScope() and selector 0x457cabe6.
InvalidSignatureType: Custom error with signature InvalidSignatureType() and selector 0x60cd402d.
InvalidSpendingLimit: Custom error with signature InvalidSpendingLimit() and selector 0x1761dd33.
KeyAlreadyExists: Custom error with signature KeyAlreadyExists() and selector 0xaa1ba2f8.
KeyAlreadyRevoked: Custom error with signature KeyAlreadyRevoked() and selector 0xcdf0b34f.
KeyAuthorized: Emitted when a new key is authorized Event with signature KeyAuthorized(address,address,uint8,uint64) and selector 0x7c46af0758d3eca5e8195833bff1e5153f6249fc0f2968a878fd28544315a03c.
KeyExpired: Custom error with signature KeyExpired() and selector 0x2572e3a9.
KeyInfo: Key information structure
KeyNotFound: Custom error with signature KeyNotFound() and selector 0x5f3f479c.
KeyRestrictions: Optional access-key restrictions configured at authorization time.
KeyRevoked: Emitted when a key is revoked Event with signature KeyRevoked(address,address) and selector 0x14ce4f0c8c12936436b733974fb13d10fc13e8c41c06dc8e19d82001c93d7989.
LegacyAuthorizeKeySelectorChanged: Custom error with signature LegacyAuthorizeKeySelectorChanged(bytes4) and selector 0x5806c0fd.
LegacyTokenLimit: Legacy token spending limit structure used before T3.
SelectorRule: Selector-level recipient rule.
SignatureTypeMismatch: Custom error with signature SignatureTypeMismatch(uint8,uint8) and selector 0xce699eca.
SpendingLimitExceeded: Custom error with signature SpendingLimitExceeded() and selector 0x8a9e71ea.
SpendingLimitUpdated: Emitted when a spending limit is updated Event with signature SpendingLimitUpdated(address,address,address,uint256) and selector 0x2ed96330c6ac81a9996d367bd5d4a227c02b9b3ca4c2b077cb943abc6342d00d.
TokenLimit: Token spending limit structure
UnauthorizedCaller: Custom error with signature UnauthorizedCaller() and selector 0x5c427cd9.
ZeroPublicKey: Custom error with signature ZeroPublicKey() and selector 0xb1eddc82.
authorizeKey_0Call: Legacy authorize-key entrypoint used before T3. Function with signature authorizeKey(address,uint8,uint64,bool,(address,uint256)[]) and selector 0x54063a55.
authorizeKey_0Return: Legacy authorize-key entrypoint used before T3. Container type for the return parameters of the authorizeKey(address,uint8,uint64,bool,(address,uint256)[]) function.
authorizeKey_1Call: Authorize a new key for the caller’s account with T3 extensions. @param keyId The key identifier (address derived from public key) @param signatureType 0: secp256k1, 1: P256, 2: WebAuthn @param config Access-key expiry and optional limits / call restrictions Function with signature authorizeKey(address,uint8,(uint64,bool,(address,uint256,uint64)[],bool,(address,(bytes4,address[])[])[])) and selector 0x980a6025.
authorizeKey_1Return: Authorize a new key for the caller’s account with T3 extensions. @param keyId The key identifier (address derived from public key) @param signatureType 0: secp256k1, 1: P256, 2: WebAuthn @param config Access-key expiry and optional limits / call restrictions Container type for the return parameters of the authorizeKey(address,uint8,(uint64,bool,(address,uint256,uint64)[],bool,(address,(bytes4,address[])[])[])) function.
getAllowedCallsCall: Returns whether an account key is call-scoped and, if so, the configured call scopes. @dev isScoped = false means unrestricted. isScoped = true && scopes.length == 0 means scoped deny-all. @dev Missing, revoked, or expired access keys also return scoped deny-all so callers do not observe stale persisted scope state. Function with signature getAllowedCalls(address,address) and selector 0x0163e7ec.
getAllowedCallsReturn: Returns whether an account key is call-scoped and, if so, the configured call scopes. @dev isScoped = false means unrestricted. isScoped = true && scopes.length == 0 means scoped deny-all. @dev Missing, revoked, or expired access keys also return scoped deny-all so callers do not observe stale persisted scope state. Container type for the return parameters of the getAllowedCalls(address,address) function.
getKeyCall: Get key information @param account The account address @param publicKey The public key @return Key information Function with signature getKey(address,address) and selector 0xbc298553.
getKeyReturn: Get key information @param account The account address @param publicKey The public key @return Key information Container type for the return parameters of the getKey(address,address) function.
getRemainingLimitCall: Get remaining spending limit using the legacy pre-T3 return shape. @param account The account address @param publicKey The public key @param token The token address Function with signature getRemainingLimit(address,address,address) and selector 0x63b4290d.
getRemainingLimitReturn: Get remaining spending limit using the legacy pre-T3 return shape. @param account The account address @param publicKey The public key @param token The token address Container type for the return parameters of the getRemainingLimit(address,address,address) function.
getRemainingLimitWithPeriodCall: Get remaining spending limit together with the active period end. @param account The account address @param publicKey The public key @param token The token address @return remaining Remaining spending amount @return periodEnd Period end timestamp for periodic limits (0 for one-time) Function with signature getRemainingLimitWithPeriod(address,address,address) and selector 0xa7f72cab.
getRemainingLimitWithPeriodReturn: Get remaining spending limit together with the active period end. @param account The account address @param publicKey The public key @param token The token address @return remaining Remaining spending amount @return periodEnd Period end timestamp for periodic limits (0 for one-time) Container type for the return parameters of the getRemainingLimitWithPeriod(address,address,address) function.
getTransactionKeyCall: Get the key used in the current transaction @return The keyId used in the current transaction Function with signature getTransactionKey() and selector 0xb07fbc1a.
getTransactionKeyReturn: Get the key used in the current transaction @return The keyId used in the current transaction Container type for the return parameters of the getTransactionKey() function.
removeAllowedCallsCall: Remove any configured call scope for a key+target pair. Function with signature removeAllowedCalls(address,address) and selector 0xf3941811.
removeAllowedCallsReturn: Remove any configured call scope for a key+target pair. Container type for the return parameters of the removeAllowedCalls(address,address) function.
revokeKeyCall: Revoke an authorized key @param publicKey The public key to revoke Function with signature revokeKey(address) and selector 0x5ae7ab32.
revokeKeyReturn: Revoke an authorized key @param publicKey The public key to revoke Container type for the return parameters of the revokeKey(address) function.
setAllowedCallsCall: Set or replace allowed calls for one or more key+target pairs. @dev Reverts if scopes is empty; use removeAllowedCalls to delete target scopes. @dev scope.selectorRules = [] does NOT block the target; it allows any selector on that target. @dev To block the target entirely, call removeAllowedCalls. To block one selector, omit that selector rule from scope.selectorRules. Function with signature setAllowedCalls(address,(address,(bytes4,address[])[])[]) and selector 0xf5456703.
setAllowedCallsReturn: Set or replace allowed calls for one or more key+target pairs. @dev Reverts if scopes is empty; use removeAllowedCalls to delete target scopes. @dev scope.selectorRules = [] does NOT block the target; it allows any selector on that target. @dev To block the target entirely, call removeAllowedCalls. To block one selector, omit that selector rule from scope.selectorRules. Container type for the return parameters of the setAllowedCalls(address,(address,(bytes4,address[])[])[]) function.
updateSpendingLimitCall: Update spending limit for a key-token pair @param publicKey The public key @param token The token address @param newLimit The new spending limit Function with signature updateSpendingLimit(address,address,uint256) and selector 0xcbbb4480.
updateSpendingLimitReturn: Update spending limit for a key-token pair @param publicKey The public key @param token The token address @param newLimit The new spending limit Container type for the return parameters of the updateSpendingLimit(address,address,uint256) function.

Enums§

IAccountKeychainCalls: Container for all the IAccountKeychain function calls.
IAccountKeychainErrors: Container for all the IAccountKeychain custom errors.
IAccountKeychainEvents: Container for all the IAccountKeychain events.
SignatureType

Functions§

new: Creates a new wrapper around an on-chain IAccountKeychain contract instance.

Module IAccountKeychain

Module IAccountKeychain Copy item path

Modules§

Structs§

Enums§

Functions§

Module IAccountKeychain