Fine-Grained Control: Using the Admin Policy Editor for Agent Wallets
Giving an AI agent a wallet without proper security controls is like handing a toddler your credit card and hoping for the best. The Admin Policy Editor in WAIaaS provides fine-grained control over agent wallets through 21 policy types, 4 security tiers, and default-deny enforcement that ensures your AI can only access what you explicitly allow.
Why Agent Wallet Security Matters
AI agents are powerful but unpredictable. They can misinterpret instructions, fall victim to prompt injection attacks, or simply make expensive mistakes. Without proper guardrails, an agent with wallet access could drain your funds in seconds.
Traditional wallet security focuses on protecting private keys. But with AI agents, the threat model is different: the agent has legitimate access to the wallet, but you need to control what it can do with that access. This requires policy-based security that operates at the transaction level, not just the authentication level.
WAIaaS 3-Layer Security Architecture
WAIaaS implements a comprehensive security model with three distinct layers:
Layer 1: Session Authentication
AI agents never see your private keys. Instead, they authenticate using JWT session tokens with configurable time limits and renewal policies.
# Create a session for your AI agent (masterAuth required)
curl -X POST http://127.0.0.1:3100/v1/sessions \
-H "Content-Type: application/json" \
-H "X-Master-Password: my-secret-password" \
-d '{"walletId": "<wallet-uuid>"}'
Sessions support per-session TTL, maximum renewals, and absolute lifetime limits. The defaults allow unlimited renewals, but you can lock them down for high-security environments.
Layer 2: Policy Engine with Default-Deny
The policy engine evaluates every transaction against 21 policy types. Unlike traditional allow-lists, WAIaaS uses default-deny: transactions are blocked unless explicitly permitted.
Key policies include:
- ALLOWED_TOKENS: Whitelist which tokens the agent can transfer (blocks all others)
- CONTRACT_WHITELIST: Whitelist which contracts the agent can interact with
- SPENDING_LIMIT: Amount-based 4-tier security (INSTANT/NOTIFY/DELAY/APPROVAL)
- APPROVED_SPENDERS: Control which protocols can receive token approvals
- TIME_RESTRICTION: Limit trading to business hours
- RATE_LIMIT: Prevent transaction spam
Layer 3: Human Approval Channels
For high-value transactions, WAIaaS can require human approval via WalletConnect, Telegram, or push notifications. The agent's transaction enters a pending state until you explicitly approve or reject it.
Using the Admin Policy Editor
The Admin Web UI at /admin provides a visual interface for creating and managing policies. Here's how to configure comprehensive security for an AI trading agent:
Step 1: Access the Admin Interface
# Start WAIaaS
waiaas start
# Open admin interface
open http://127.0.0.1:3100/admin
The admin interface provides wallet management, session control, policy editing, and DeFi positions monitoring in a single dashboard.
Step 2: Create a Spending Limit Policy
The SPENDING_LIMIT policy is the cornerstone of agent security. It creates four tiers based on transaction amounts:
curl -X POST http://127.0.0.1:3100/v1/policies \
-H "Content-Type: application/json" \
-H "X-Master-Password: my-secret-password" \
-d '{
"walletId": "<wallet-uuid>",
"type": "SPENDING_LIMIT",
"rules": {
"instant_max_usd": 50,
"notify_max_usd": 200,
"delay_max_usd": 1000,
"delay_seconds": 900,
"daily_limit_usd": 2000,
"monthly_limit_usd": 10000
}
}'
This configuration means:
- Transactions ≤ $50: Execute immediately (INSTANT)
- Transactions ≤ $200: Execute with notification (NOTIFY)
- Transactions ≤ $1000: 15-minute delay, cancellable (DELAY)
- Transactions > $1000: Require human approval (APPROVAL)
Step 3: Implement Default-Deny Token Control
Without an ALLOWED_TOKENS policy, your agent can transfer any token. Create a whitelist to lock this down:
{
"type": "ALLOWED_TOKENS",
"rules": {
"tokens": [
{
"address": "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v",
"symbol": "USDC",
"chain": "solana"
},
{
"address": "native:solana",
"symbol": "SOL",
"chain": "solana"
}
]
}
}
Now your agent can only trade SOL and USDC. Attempts to transfer other tokens will be denied with a POLICY_DENIED error.
Step 4: Whitelist DeFi Protocols
For a DeFi trading agent, use CONTRACT_WHITELIST to restrict which protocols it can interact with:
{
"type": "CONTRACT_WHITELIST",
"rules": {
"contracts": [
{
"address": "JUP6LkbZbjS1jKKwapdHNy74zcZ3tLUZoi5QNyVTaV4",
"name": "Jupiter",
"chain": "solana"
}
]
}
}
The agent can now only swap on Jupiter. Attempts to interact with other protocols will be blocked.
Step 5: Configure Time-Based Restrictions
Limit your agent's trading to market hours to avoid volatile overnight price movements:
{
"type": "TIME_RESTRICTION",
"rules": {
"allowedHours": {
"start": 9,
"end": 17
},
"timezone": "UTC"
}
}
Step 6: Set Up Human Approval Channels
For APPROVAL-tier transactions, configure WalletConnect to receive approval requests on your mobile wallet:
# Connect your wallet for approvals
waiaas owner connect
# Check connection status
waiaas owner status
When your agent attempts a high-value transaction, you'll receive a WalletConnect request to approve or reject it.
Advanced Policy Configuration
Rate Limiting
Prevent your agent from spam trading:
{
"type": "RATE_LIMIT",
"rules": {
"maxTransactions": 10,
"period": "hourly"
}
}
Network Restrictions
Lock your agent to specific chains:
{
"type": "ALLOWED_NETWORKS",
"rules": {
"networks": [
{"network": "solana-mainnet"},
{"network": "ethereum-mainnet"}
]
}
}
DeFi-Specific Policies
For lending agents, limit loan-to-value ratios:
{
"type": "LENDING_LTV_LIMIT",
"rules": {
"maxLtv": 0.75
}
}
For perpetual trading agents, limit leverage:
{
"type": "PERP_MAX_LEVERAGE",
"rules": {
"maxLeverage": 5
}
}
Monitoring and Alerts
The Admin UI provides real-time monitoring of:
- Active sessions and their permissions
- Pending transactions awaiting approval
- Policy violations and denials
- DeFi positions across all integrated protocols
Error Handling in Your Agent
Your AI agent should handle policy denials gracefully:
try {
const tx = await client.sendToken({
to: 'recipient-address',
amount: '100'
});
} catch (error) {
if (error.code === 'POLICY_DENIED') {
console.log('Transaction blocked by policy:', error.message);
// Maybe try a smaller amount or different token
}
}
The API returns structured errors with specific codes like POLICY_DENIED, INSUFFICIENT_BALANCE, and TOKEN_EXPIRED, making it easy to implement retry logic.
Quick Start: Secure Agent Setup
Here's how to create a secure AI agent wallet in 5 steps:
- Install and initialize WAIaaS:
npm install -g @waiaas/cli
waiaas init
waiaas start
- Create a wallet and session:
waiaas wallet create --name "trading-agent" --chain solana
waiaas quickset --mode mainnet
Configure basic security policies via the Admin UI:
- Open http://127.0.0.1:3100/admin
- Create SPENDING_LIMIT policy with conservative limits
- Add ALLOWED_TOKENS whitelist
- Set up CONTRACT_WHITELIST for approved DeFi protocols
Connect approval channel:
waiaas owner connect
- Test with your agent:
const client = new WAIaaSClient({
baseUrl: 'http://127.0.0.1:3100',
sessionToken: process.env.WAIAAS_SESSION_TOKEN,
});
const balance = await client.getBalance();
console.log(`Secured balance: ${balance.balance} ${balance.symbol}`);
What's Next
With proper policy configuration, you can give your AI agents powerful wallet capabilities while maintaining complete control over risk exposure. The Admin Policy Editor makes it easy to adjust security parameters as your agent's needs evolve.
Explore the full WAIaaS documentation at https://waiaas.ai and get started with the open-source code at https://github.com/minhoyoo-iotrust/WAIaaS.