How session keys work
Session keys are built on the EIP-7702 delegate call mechanism. When you create a session key, you are authorizing a scoped permission that lets the Tapioca app execute transactions on your behalf — but only within the bounds you define. Each session key specifies:
- Allowed contracts — the session key can only interact with the specific contracts you approve (e.g., the Tapioca deposit contract). It cannot touch any other contract or asset in your wallet.
- Allowed actions — the key is scoped to specific function calls (e.g., deposit, withdraw). It cannot execute arbitrary transactions.
- Spending limits — you can set a maximum amount per transaction or per session, so the key cannot move more than you’ve authorized.
- Expiration time — every session key has a hard expiry. Once it expires, it becomes invalid and cannot be used, regardless of what permissions it held.
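The four scope checks listed above, plus revocation, modeled off-chain in Python as an added example; this is not Tapioca's contract code. The addresses are constructed placeholders, actions are plain function names rather than ABI selectors, and applying both a per-transaction and a per-session cap to one key is an assumption.

```python
from dataclasses import dataclass

# Constructed placeholder addresses, not real deployments.
DEPOSIT_CONTRACT = "0x" + "11" * 20
OTHER_CONTRACT = "0x" + "22" * 20

@dataclass
class SessionKey:  # hypothetical model of one key's scope
    allowed_contracts: frozenset
    allowed_actions: frozenset
    per_tx_limit: int    # smallest token units
    session_limit: int   # cumulative cap over the key's lifetime
    expires_at: int      # unix seconds; the key is invalid from this time on
    revoked: bool = False
    spent: int = 0

    def authorize(self, contract, action, amount, now):
        """Return (allowed, reason); spend is recorded only when allowed."""
        if self.revoked:
            return False, "revoked"
        if now >= self.expires_at:
            return False, "expired"
        if contract.lower() not in self.allowed_contracts:
            return False, "contract not allowed"
        if action not in self.allowed_actions:
            return False, "action not allowed"
        if amount < 0:
            return False, "invalid amount"
        if amount > self.per_tx_limit:
            return False, "per-transaction limit exceeded"
        if self.spent + amount > self.session_limit:
            return False, "session limit exceeded"
        self.spent += amount
        return True, "ok"

def demo():
    usdc = 10**6  # USDC has 6 decimals
    key = SessionKey(frozenset({DEPOSIT_CONTRACT}), frozenset({"deposit", "withdraw"}),
                     per_tx_limit=300 * usdc, session_limit=500 * usdc, expires_at=1_000)
    calls = [  # (contract, action, amount, now), all constructed
        (DEPOSIT_CONTRACT, "deposit", 300 * usdc, 10),   # within scope
        (OTHER_CONTRACT, "deposit", 1 * usdc, 11),       # wrong contract
        (DEPOSIT_CONTRACT, "transfer", 1 * usdc, 12),    # wrong action
        (DEPOSIT_CONTRACT, "withdraw", 400 * usdc, 13),  # over per-tx cap
        (DEPOSIT_CONTRACT, "withdraw", 250 * usdc, 14),  # 300 + 250 > 500
        (DEPOSIT_CONTRACT, "withdraw", 200 * usdc, 15),  # exactly reaches 500
        (DEPOSIT_CONTRACT, "deposit", 0, 1_000),         # at expiry
    ]
    return [key.authorize(*c)[1] for c in calls]

if __name__ == "__main__":
    print("\n".join(demo()))
```

Rejected calls leave `spent` unchanged, so a denied attempt cannot consume the session budget.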
The security model
Session keys cannot drain your wallet. Because each key is strictly scoped to specific contracts and amounts, a compromised or leaked session key can only be used for the exact actions it was authorized for — and only until it expires. Your main smart account signing key remains entirely separate and is never shared with Tapioca.
Creating a session key
When you first connect to Tapioca or start a new interaction, the app may prompt you to create a session key if one isn’t already active. You can also create one manually:
Create a new key
Click New Session Key. Review the permissions scope shown — this lists the contracts, actions, and spending limits the key will be authorized for.
Set expiry
Choose an expiration time for the session key. Shorter sessions are more secure; longer sessions reduce how often you need to re-authorize.
Viewing active session keys
All your active session keys are visible at Settings > Session Keys. For each key, you can see:
- The contracts and actions it is authorized for
- The spending limits in place
- The expiration date and time
- The date it was created
Revoking a session key
You can revoke any session key at any time, even before it expires:
- Go to Settings > Session Keys.
- Find the key you want to revoke.
- Click Revoke and confirm the action.
Session keys that have already expired are shown in a separate Expired section for your records. You do not need to revoke expired keys — they are already inactive.
Frequently asked questions
Can a session key be used to withdraw all my funds?
No. Each session key is created with explicit spending limits. If a session key is authorized for a maximum of 500 USDC, it cannot move more than 500 USDC regardless of your total balance. The scope is enforced at the smart contract level — it is not just an app-side restriction.
What happens when a session key expires?
An expired session key becomes permanently inactive. The Tapioca app will prompt you to create a new session key the next time you initiate an action that requires one. Your funds are unaffected by a session key expiring.
Do I need a session key to view my balance or read data?
No. Session keys are only required for on-chain write actions — deposits, withdrawals, and rebalancing. Viewing your portfolio, balance, and yield history does not require any active session key.
What is EIP-7702 and why does Tapioca use it?
EIP-7702 is an Ethereum standard that introduces a delegate call mechanism, allowing smart accounts to authorize scoped, time-limited permissions for external callers. Tapioca uses EIP-7702 to implement session keys in a standardized way that is auditable and compatible with Base’s infrastructure, rather than using a custom or proprietary authorization scheme.