Embedded wallet infrastructure for the agent economy.
Agents aren't users with wallets — they're delegated capabilities under a human's UCAN. Sign once, delegate a scoped cap, revoke at any time.
7 npm packages · 5 contracts on Base Sepolia · in-house bundler + paymaster W22–W24
Agentic internet activity will surpass human internet activity within 36 months. Cloudflare's 2024 bot-management telemetry already shows automated traffic at 49.6% of HTTPS requests. Every agent that touches value — a payment, a signature, a service call — needs a wallet.
What incumbents can't ship.
Privy, Dynamic, and Magic were built for human users — social login, KYC, per-signature pricing, server-side policy engines. Agents don't social-login, don't carry phones, and sign thousands of low-value transactions per hour. The architectural gap is a moat.
Capability-scoped agent credentials
A human signs once, delegates a UCAN cap with explicit bounds — max spend, allowed counterparty, chain, expiry. The agent acts within those limits. Revoke anytime and the agent halts mid-loop. <2s propagation via libp2p gossip on mainnet.
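The bounds and revocation behaviour described above, as an added example that is not HyperAuth's code or API: a simplified verifier enforces max spend (cumulative), counterparty, chain and expiry, and re-checks revocation before every signature. All field and function names and the sample values are assumptions; signature and proof-chain verification of a real UCAN are omitted.

```javascript
// Added illustration. Field and function names are hypothetical, not the @hyperauth API.
// A real UCAN is a signed token; signature and proof-chain checks are omitted here.

// Bounds named on the page: max spend, allowed counterparty, chain, expiry.
function makeCap({ id, agent, maxSpendWei, counterparty, chainId, expiresAt }) {
  return Object.freeze({ id, agent, maxSpendWei: BigInt(maxSpendWei),
    counterparty: counterparty.toLowerCase(), chainId, expiresAt });
}

// Decide one transaction. `spent` is the total already authorized under this cap,
// so the spend limit is cumulative rather than per transaction.
function authorize(cap, spent, tx, nowSec, revoked) {
  if (revoked.has(cap.id)) return "revoked";
  if (nowSec >= cap.expiresAt) return "expired";
  if (tx.from !== cap.agent) return "wrong-agent";
  if (tx.chainId !== cap.chainId) return "wrong-chain";
  if (tx.to.toLowerCase() !== cap.counterparty) return "wrong-counterparty";
  const value = BigInt(tx.valueWei);
  if (value < 0n || spent + value > cap.maxSpendWei) return "over-budget";
  return "ok";
}

// Agent loop: the cap is re-checked before every signature, so a revocation that
// lands between two transactions stops the run. `revokeAt` simulates that event.
function runAgent(cap, txs, nowSec, revokeAt = -1) {
  const revoked = new Set();
  const log = [];
  let spent = 0n;
  for (let i = 0; i < txs.length; i++) {
    if (i === revokeAt) revoked.add(cap.id);
    const verdict = authorize(cap, spent, txs[i], nowSec, revoked);
    log.push(verdict);
    if (verdict === "ok") spent += BigInt(txs[i].valueWei);
    if (verdict === "revoked" || verdict === "expired") break; // terminal: halt
  }
  return { spent, log };
}

// Constructed sample data (84532 is the Base Sepolia chain id).
const PAYEE = "0x00000000000000000000000000000000000000A1";
const CAP = makeCap({ id: "cap-1", agent: "did:example:agent", maxSpendWei: 1000n,
  counterparty: PAYEE, chainId: 84532, expiresAt: 2000 });
const pay = (valueWei, to = PAYEE, chainId = 84532) =>
  ({ from: "did:example:agent", to, chainId, valueWei });
console.log(runAgent(CAP, [pay(400n), pay(400n), pay(400n), pay(200n)], 1000).log);
```

The third payment is refused because it would push the running total past the cap, while the smaller fourth one still fits; a revoked or expired cap ends the loop outright.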
Keys never leave the device
WASM enclave executes DKLSv1 MPC signing inside the browser. No server sees private key material. No AWS Nitro TEE dependency. No key reconstitution in cloud memory — the architectural liability that Privy's SSS model carries.
Flat-rate, not per-signature
Predictable billing per agent platform, not per signature. Agents sign thousands of transactions — the incumbent per-op pricing model collapses at agent scale. In-house bundler + paymaster makes the unit economics work.
Passkey-first sign-in
WebAuthn out of the box. Hardware biometric entropy (TouchID, FaceID) on secp256r1. Phish-resistant by default. Password and email fallbacks only when policy permits.
Federate, don't replace
Plug in Okta, Entra, or any OIDC provider for staff SSO. Federate end-user auth with whoever your users already trust. No re-onboarding, no migration tax.
Audit trail your security team will approve
Immutable logging, searchable audit queries, SOC 2 Type I in progress. Pen-test reports under NDA for design partners. UCAN delegation chains are CID-content-addressed — every action is cryptographically traceable.
Why three companies architecturally can't follow us.
- 01 Privy (Stripe · $1.1B): Server-evaluated rule-lists + SSS in AWS Nitro TEE. To ship UCAN-bounded delegation they'd throw away the rule engine, the dashboard, and the per-signature billing model that justified the Stripe acquisition. They won't.
- 02 Dynamic (Fireblocks · $90M): "Delegated Access" routes encrypted shards via webhook to the developer's backend. The dev holds RSA decryption keys and absorbs the liability. Agents need autonomous delegation chains without a centralized oracle. Dynamic's architecture can't provide it.
- 03 Crossmint (Visa · Mastercard): Visa/Mastercard integrations require a TEE-custody narrative for compliance. Client-side enclaves break that narrative. They architecturally cannot pivot.
Here's what's real today. What ships next.
- 7 packages on npm: @hyperauth/client, enclave, vault-wasm, server, react, widget, ui (npmjs.com/org/hyperauth)
- 5 contracts on Base Sepolia: HyperAuthAccount, HyperAuthFactory, DIDRegistry, SessionSBT, AccountHelper
- WASM enclave runs locally in your browser, not on our servers.
- Live demo at did.run — UCAN minting + agent signing + revocation
- In-house Bundler.sol + Paymaster.sol on Base mainnet (replaces Pimlico dependency)
- libp2p revocation relay <2s p99 SLO
- AWS KMS adapter in @hyperauth/server for server-resident agents
- Composio Issue #3068 — agent wallet SDK engagement (comment posted, PR in progress)
- 3 LOI conversations targeted by Demo Day
Building an agent platform? You need this primitive.
Install @hyperauth/server. Clone the starter. Your agent signs its first transaction on Base Sepolia in under 10 minutes. No email signup, no OAuth, no cloud key storage.
Design-partner program open for AI-agent platforms — and the funds backing them.