Production AI Agent Wallet: GHCR Image with Auto-Provision and Healthcheck
Production AI agent wallet infrastructure doesn't have to mean trusting third parties with your private keys or accepting rate limits from hosted services. Self-hosting your wallet-as-a-service gives you complete control over your AI agent's financial operations, from private key storage to transaction policies, all running on your own infrastructure.
Why Self-Hosting Matters for AI Agents
When your AI agent manages real funds, custody becomes critical. Hosted solutions create single points of failure — API outages, account suspensions, or service shutdowns can instantly disable your autonomous systems. Self-hosting eliminates these dependencies while ensuring your private keys never leave your infrastructure.
The stakes extend beyond uptime. AI agents often require custom transaction policies, specialized DeFi integrations, or compliance with specific regulatory requirements. Self-hosted infrastructure gives you the flexibility to configure these systems exactly as needed, without waiting for a SaaS provider to support your use case.
WAIaaS: Production-Ready Self-Hosted Wallet Infrastructure
WAIaaS delivers enterprise-grade wallet infrastructure through a single Docker image. The platform provides 39 REST API route modules, supports 15 DeFi protocol providers, and includes comprehensive policy management with 21 policy types across 4 security tiers.
The Docker image ghcr.io/minhoyoo-iotrust/waiaas:latest includes auto-provisioning capabilities that generate secure master passwords on first startup. Default port binding runs on 127.0.0.1:3100:3100, keeping your wallet API isolated to localhost by default.
Auto-Provisioning for Secure Deployment
Starting a production wallet should be both secure and simple. WAIaaS supports auto-provisioning with Docker Secrets for production environments:
# Quick start with auto-generated security
docker run -d \
--name waiaas \
-p 127.0.0.1:3100:3100 \
-v waiaas-data:/data \
-e WAIAAS_AUTO_PROVISION=true \
ghcr.io/minhoyoo-iotrust/waiaas:latest
# Retrieve auto-generated master password
docker exec waiaas cat /data/recovery.key
The auto-provision feature generates cryptographically secure master passwords and stores them in /data/recovery.key. This eliminates the bootstrap problem of securely distributing initial credentials to your deployment environment.
Production Docker Compose Configuration
The included docker-compose.yml provides production-ready defaults with healthchecks and restart policies:
services:
daemon:
image: ghcr.io/minhoyoo-iotrust/waiaas:latest
container_name: waiaas-daemon
ports:
- "127.0.0.1:3100:3100"
volumes:
- waiaas-data:/data
environment:
- WAIAAS_DATA_DIR=/data
- WAIAAS_DAEMON_HOSTNAME=0.0.0.0
env_file:
- path: .env
required: false
restart: unless-stopped
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3100/health"]
interval: 30s
timeout: 5s
start_period: 10s
retries: 3
volumes:
waiaas-data:
driver: local
The healthcheck monitors the /health endpoint every 30 seconds, ensuring container orchestration systems can detect and restart failed instances. Named volumes preserve wallet data across container updates.
Docker Secrets for Production
Production deployments require secure credential management. WAIaaS includes a production secrets overlay via docker-compose.secrets.yml:
# Create secret files
mkdir -p secrets
echo "your-secure-password" > secrets/master_password.txt
chmod 600 secrets/master_password.txt
# Deploy with secrets overlay
docker compose -f docker-compose.yml -f docker-compose.secrets.yml up -d
This approach keeps sensitive credentials outside of environment variables and container images, following Docker security best practices.
Setting Up Your Self-Hosted AI Agent Wallet
Step 1: Deploy with Docker Compose
Clone the repository and start the services:
git clone https://github.com/minhoyoo-iotrust/WAIaaS.git
cd WAIaaS
docker compose up -d
The daemon starts on port 3100 with automatic provisioning enabled. Check the logs to confirm successful startup:
docker compose logs -f
Step 2: Create Your First Wallet
Use the CLI to create a wallet for your AI agent:
# Install the CLI
npm install -g @waiaas/cli
# Initialize configuration
waiaas init
# Create a Solana wallet
curl -X POST http://127.0.0.1:3100/v1/wallets \
-H "Content-Type: application/json" \
-H "X-Master-Password: $(docker exec waiaas cat /data/recovery.key)" \
-d '{"name": "trading-agent", "chain": "solana", "environment": "mainnet"}'
The wallet creation returns a unique identifier and public address. Store the wallet ID for session creation.
Step 3: Create an AI Agent Session
Sessions provide scoped access for AI agents without exposing the master password:
curl -X POST http://127.0.0.1:3100/v1/sessions \
-H "Content-Type: application/json" \
-H "X-Master-Password: $(docker exec waiaas cat /data/recovery.key)" \
-d '{"walletId": "<wallet-uuid-from-step-2>"}'
The response includes a session token (wai_sess_...) that your AI agent uses for transactions. Sessions support configurable TTL, maximum renewals, and absolute lifetime limits.
Step 4: Configure Security Policies
Self-hosted infrastructure means you control the security model. Create spending limits and transaction policies:
curl -X POST http://127.0.0.1:3100/v1/policies \
-H "Content-Type: application/json" \
-H "X-Master-Password: $(docker exec waiaas cat /data/recovery.key)" \
-d '{
"walletId": "<wallet-uuid>",
"type": "SPENDING_LIMIT",
"rules": {
"instant_max_usd": 10,
"notify_max_usd": 100,
"delay_max_usd": 1000,
"delay_seconds": 300,
"daily_limit_usd": 5000
}
}'
The policy engine implements 4 security tiers (INSTANT, NOTIFY, DELAY, APPROVAL) with default-deny enforcement. Transactions execute immediately for small amounts, require delays for medium amounts, and demand human approval for large transactions.
Step 5: Test Agent Integration
Your AI agent can now interact with the wallet through the REST API:
# Check balance
curl http://127.0.0.1:3100/v1/wallet/balance \
-H "Authorization: Bearer wai_sess_<your-session-token>"
# Send tokens
curl -X POST http://127.0.0.1:3100/v1/transactions/send \
-H "Content-Type: application/json" \
-H "Authorization: Bearer wai_sess_<your-session-token>" \
-d '{
"type": "TRANSFER",
"to": "recipient-address",
"amount": "0.001"
}'
Monitoring and Maintenance
Self-hosted infrastructure requires operational visibility. WAIaaS includes comprehensive monitoring through structured logs and health endpoints.
The included healthcheck monitors daemon availability, but production deployments should also monitor wallet balances, policy violations, and transaction success rates. The Admin Web UI at /admin provides a dashboard for wallet management, session control, and DeFi positions.
For automated maintenance, the Docker image supports watchtower auto-updates. Configure watchtower to monitor the ghcr.io/minhoyoo-iotrust/waiaas:latest tag for security updates:
docker run -d \
--name watchtower \
-v /var/run/docker.sock:/var/run/docker.sock \
containrrr/watchtower \
--interval 3600 \
waiaas-daemon
Beyond Basic Deployment
Self-hosting enables advanced configurations impossible with hosted services. The 15-package monorepo includes specialized components for different deployment scenarios.
The push-relay service provides mobile notifications for transaction approvals. Deploy it alongside the main daemon for complete self-hosted infrastructure:
# Both services from the same codebase
docker compose up daemon push-relay
For high-availability deployments, the stateless API design allows horizontal scaling behind a load balancer. Store the SQLite database on shared storage or migrate to PostgreSQL for multi-instance deployments.
The OpenAPI 3.0 spec at /doc and interactive documentation at /reference support custom client development. Self-hosted infrastructure means you can modify the API surface or add custom endpoints without vendor approval.
Your self-hosted WAIaaS instance provides complete sovereignty over your AI agent's financial infrastructure. From private key storage to transaction policies, everything runs under your control on your infrastructure.
Ready to deploy your own instance? Start with the WAIaaS GitHub repository for the complete source code and deployment guides, or visit waiaas.ai for additional documentation and community resources.