Security

Never expose API keys in client-side code, public repositories, or application logs.
  • Store API keys in a secrets manager — Use AWS Secrets Manager, HashiCorp Vault, or your platform’s secrets solution. Avoid .env files in production.
  • Rotate keys every 90 days — Set a recurring reminder. See API Keys for rotation instructions.
  • Use separate keys per environment — Never share keys between development, staging, and production.
  • Enable IP allowlisting — On Growth and Enterprise plans, restrict API access to known server IPs.
  • Use sandbox for testing — Never test with production keys or real funds.
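The first two bullets in code, as an added example that is not AgentWallex's own SDK or documentation code: one key per environment is read from a variable the secrets manager injects (the `AGENTWALLEX_<ENV>_API_KEY` naming is an assumption), and anything shaped like a key is masked before it reaches a log sink. The `awx_` prefix is taken from the curl example on this page.

```javascript
// Added example, not AgentWallex's own code. Assumptions: your secrets manager
// injects exactly one key per environment as AGENTWALLEX_<ENV>_API_KEY (the
// variable naming is an assumption), and keys start with "awx_" as in this
// page's curl example.

const KEY_PREFIX = "awx_";
// Matches anything that looks like an API key so it can be masked in logs.
const KEY_PATTERN = /awx_[A-Za-z0-9_]+/g;

// Resolve the key for exactly one environment. There is deliberately no
// fallback to another environment's variable, so sandbox code can never pick
// up a production key by accident.
function loadApiKey(environment, env = process.env) {
  const name = `AGENTWALLEX_${environment.toUpperCase()}_API_KEY`;
  const key = env[name];
  if (!key) {
    throw new Error(`${name} is not set; load it from your secrets manager`);
  }
  if (!key.startsWith(KEY_PREFIX)) {
    // The key value itself is never included in the error message.
    throw new Error(`${name} does not look like an API key (expected ${KEY_PREFIX} prefix)`);
  }
  return key;
}

// Mask every key-shaped token in a string, keeping the prefix and the last
// four characters so log entries remain correlatable without being reusable.
function redact(text) {
  return String(text).replace(KEY_PATTERN, (m) => `${KEY_PREFIX}***${m.slice(-4)}`);
}

// Wrap a logger so nothing logged through it can leak a key, including
// request headers or error objects serialised by accident.
function safeLogger(sink = console) {
  const fmt = (a) => redact(typeof a === "string" ? a : JSON.stringify(a));
  return {
    info: (...args) => sink.log(...args.map(fmt)),
    error: (...args) => sink.error(...args.map(fmt)),
  };
}

// Constructed sample: a request header object that must never be logged raw.
const SAMPLE_HEADERS = { "X-API-Key": "awx_constructed_key_9f3a" };
const log = safeLogger();
log.info("outbound headers", SAMPLE_HEADERS); // prints the key as awx_***9f3a
```

Use `loadApiKey("production")` at startup and pass the result straight to the SDK; route all application logging through `safeLogger` rather than relying on every call site to remember to scrub.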

Policy Configuration

Start with the most restrictive policies possible and gradually relax them as you gain confidence in your agent’s behavior.
await aw.policies.update("agent_abc123", {
  // Start with low limits
  maxTransactionAmount: "100",
  dailyLimit: "1000",
  monthlyLimit: "10000",

  // Whitelist trusted addresses only
  allowedAddresses: ["0xTrustedVendor1", "0xTrustedVendor2"],

  // Restrict to stablecoins
  allowedTokens: ["USDC"],

  // Prevent runaway loops
  velocityLimit: {
    maxCount: 50,
    windowSeconds: 3600,
  },

  // Human review for larger amounts
  requireHumanApproval: true,
  humanApprovalThreshold: "500",
});
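To make concrete what each of those fields means, here is an added example (not AgentWallex's policy engine, whose evaluation order and window semantics are not described on this page) that applies the same policy object to a candidate payment locally. The ordering of checks, rolling 24-hour and 30-day windows, and the payment and history shapes are assumptions made for this illustration.

```javascript
// Added example, not AgentWallex's own code. A local model of the policy
// fields above applied to one candidate payment. Check ordering, the rolling
// 24h/30d windows, and the payment/history shapes are assumptions.

const DAY = 86400;
const MONTH = 30 * DAY;

// Amounts are decimal strings on the wire; convert to integer minor units so
// comparisons never depend on floating point.
function toMinor(amount) {
  const [whole, frac = ""] = String(amount).split(".");
  return Number(whole) * 100 + Number((frac + "00").slice(0, 2));
}

function spentSince(history, now, windowSeconds) {
  return history
    .filter((tx) => now - tx.at < windowSeconds)
    .reduce((sum, tx) => sum + toMinor(tx.amount), 0);
}

// Returns { decision: "allow" | "requires_approval" | "deny", reason }.
// history: [{ at: epochSeconds, amount, token, to }], payment: { to, token, amount }.
function evaluatePayment(policy, history, payment, now) {
  const amt = toMinor(payment.amount);
  if (!policy.allowedTokens.includes(payment.token)) {
    return { decision: "deny", reason: "token_not_allowed" };
  }
  if (!policy.allowedAddresses.includes(payment.to)) {
    return { decision: "deny", reason: "address_not_allowed" };
  }
  if (amt > toMinor(policy.maxTransactionAmount)) {
    return { decision: "deny", reason: "max_transaction_amount" };
  }
  if (spentSince(history, now, DAY) + amt > toMinor(policy.dailyLimit)) {
    return { decision: "deny", reason: "daily_limit" };
  }
  if (spentSince(history, now, MONTH) + amt > toMinor(policy.monthlyLimit)) {
    return { decision: "deny", reason: "monthly_limit" };
  }
  // Velocity: count of payments inside the window, regardless of amount.
  const { maxCount, windowSeconds } = policy.velocityLimit;
  const recent = history.filter((tx) => now - tx.at < windowSeconds).length;
  if (recent >= maxCount) {
    return { decision: "deny", reason: "velocity_limit" };
  }
  if (policy.requireHumanApproval && amt >= toMinor(policy.humanApprovalThreshold)) {
    return { decision: "requires_approval", reason: "above_human_approval_threshold" };
  }
  return { decision: "allow", reason: "within_policy" };
}

// Constructed sample policy with the same values as the snippet above.
const SAMPLE_POLICY = {
  maxTransactionAmount: "100",
  dailyLimit: "1000",
  monthlyLimit: "10000",
  allowedAddresses: ["0xTrustedVendor1", "0xTrustedVendor2"],
  allowedTokens: ["USDC"],
  velocityLimit: { maxCount: 50, windowSeconds: 3600 },
  requireHumanApproval: true,
  humanApprovalThreshold: "500",
};

// Constructed history: `count` small payments spread over the last few
// minutes, the pattern a looping agent produces.
function burstHistory(now, count) {
  return Array.from({ length: count }, (_, i) => ({
    at: now - i * 10,
    amount: "1",
    token: "USDC",
    to: "0xTrustedVendor1",
  }));
}
```

One thing the model makes visible: with the values as written, `maxTransactionAmount: "100"` rejects any payment before the `humanApprovalThreshold: "500"` check can ever fire, so the approval step is unreachable. If you want human review on large payments rather than an outright cap, raise the per-transaction maximum above the approval threshold, as the test below does with a copy of the policy.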

Policy Tips

  • Use allowedAddresses — Whitelisting is more secure than blacklisting.
  • Set velocity limits — Prevent agents from entering infinite transaction loops.
  • Enable human approval — For amounts above a meaningful threshold.
  • Review weekly — Adjust policies as agent behavior patterns become clear.
  • Use templates — Create reusable templates for common configurations.

Monitoring

Subscribe to Key Events

await aw.webhooks.create({
  url: "https://your-app.com/webhooks",
  events: [
    "payment.completed",
    "payment.failed",
    "policy.violated",
    "agent.frozen",
  ],
});

What to Monitor

| Metric | Why |
| --- | --- |
| Policy violations | Indicates misconfigured agents or unexpected behavior |
| Failed transactions | May indicate insufficient funds or chain issues |
| Freeze events | Triggered by anomaly detection or manual action |
| Daily spend per agent | Catch budget overruns early |
| API error rates | Detect integration issues |
| Webhook delivery failures | Ensure your handler is healthy |

Audit Logs

Review audit logs regularly for unexpected activity:
curl -X GET "https://api.agentwallex.com/api/v1/audit-logs?page_num=1&page_size=50" \
  -H "X-API-Key: awx_your_api_key"

Production Readiness Checklist

Use this checklist before going live:
  • API keys — Production keys created and stored in a secrets manager
  • Environment — SDK initialized with environment: "production"
  • Policies configured — Per-agent spending limits, address whitelists, and velocity controls
  • Human approval — Enabled for high-value transactions with appropriate thresholds
  • Webhooks registered — Handlers deployed for payment.completed, payment.failed, and policy.violated
  • Webhook signatures verified — Handler validates X-AgentWallex-Signature on every delivery
  • Error handling — SDK errors caught and logged with retry logic for transient failures
  • Monitoring — Alerts set for policy violations, failed transactions, and freeze events
  • Audit log access — Team members can view audit logs in the dashboard
  • Emergency procedures — Documented how to freeze an agent and who has authority
  • Key rotation schedule — Calendar reminder set for 90-day key rotation
  • Sandbox testing — All flows tested end-to-end on testnet before switching to production
  • Wallet funding — Production wallets funded with sufficient balance for expected transaction volume
  • Rate limits understood — Application handles 429 responses with exponential backoff

The AgentWallex team is available to review your integration before you go live. Contact support@agentwallex.com for a pre-launch review.
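For the two checklist items about error handling and 429 responses, here is an added example (not part of the AgentWallex SDK) of a request wrapper with full-jitter exponential backoff. It assumes a 429 may carry a `Retry-After` header in seconds and that 5xx responses and network errors are transient; any other status is returned to the caller unchanged. The `makeFlakyFetch` helper is a constructed stand-in for `fetch` so the block runs offline.

```javascript
// Added example, not the AgentWallex SDK. Assumptions: 429 may carry
// Retry-After in seconds; 5xx and network errors are transient; anything
// else is handed back to the caller without retrying.

// Full-jitter exponential backoff that honours Retry-After when present.
// `random` is injectable so the schedule can be tested deterministically.
function backoffDelayMs(attempt, retryAfterHeader, random = Math.random, baseMs = 500, capMs = 30000) {
  const retryAfter = Number(retryAfterHeader);
  if (Number.isFinite(retryAfter) && retryAfter > 0) {
    return retryAfter * 1000;
  }
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(random() * ceiling);
}

// doFetch has fetch's shape: (url, options) => Promise<{ status, headers }>.
async function requestWithRetry(doFetch, url, options, opts = {}) {
  const {
    maxAttempts = 5,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
    random = Math.random,
  } = opts;
  let lastError;
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    let res;
    try {
      res = await doFetch(url, options);
    } catch (err) {
      // Network-level failure: treat as transient and back off.
      lastError = err;
      await sleep(backoffDelayMs(attempt, undefined, random));
      continue;
    }
    if (res.status !== 429 && res.status < 500) {
      return res; // success, or a client error retrying would not fix
    }
    lastError = new Error(`HTTP ${res.status} after attempt ${attempt + 1}`);
    await sleep(backoffDelayMs(attempt, res.headers.get("retry-after"), random));
  }
  throw lastError; // surfaced to the caller once attempts are exhausted
}

// Constructed stand-in for fetch: answers with the given statuses in order,
// repeating the last one, and counts calls so a test can check the schedule.
function makeFlakyFetch(statuses, retryAfter) {
  const fn = async () => {
    const status = statuses[Math.min(fn.calls, statuses.length - 1)];
    fn.calls += 1;
    return { status, headers: new Map(retryAfter ? [["retry-after", retryAfter]] : []) };
  };
  fn.calls = 0;
  return fn;
}
```

In production call `requestWithRetry(fetch, url, { headers: { "X-API-Key": key } })`; keep `maxAttempts` small for payment-creating calls, where a retry after an ambiguous failure can duplicate a transaction, and lean on the idempotency mechanism your integration uses rather than on retries alone.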