Non-custodial wallets
Every builder gets a server wallet with:
- EVM address — for Base, Ethereum, Arbitrum, Optimism, and Tempo
- Solana address — for Solana
Private keys are generated and stored inside a Trusted Execution Environment (TEE). They never leave the secure enclave — not even xWell can access them.
How signing works
When an agent needs to make a payment:
- xWell backend sends a signing request to the TEE
- The signer authorization policy is checked
- If authorized, the transaction is signed inside the TEE
- The signed transaction is returned to xWell
- xWell submits it to the blockchain
The agent never sees or holds private keys. All signing happens server-side in the TEE.
Signer authorization
During onboarding, you authorize xWell’s server as a signer on your wallet. This is a one-time step.
You can revoke this authorization at any time from the dashboard, which immediately prevents all agent payments.
Wallet control model
| Action | Who can do it |
|---|
| View wallet address | Builder + Agent |
| View balances | Builder + Agent |
| Sign payments | xWell server (via TEE) |
| Change policies | Builder only |
| Revoke signer access | Builder only |
| Export wallet | Builder only |
Security guarantees
- Keys never leave TEE — hardware enclave protects private keys
- Builder controls signing — signer authorization can be revoked anytime
- Agent permissions enforced server-side — chain restrictions, spending caps, and service access are checked before any signing request reaches the TEE
- API keys are hashed — stored as SHA-256 hashes, shown only once at creation
- Per-agent isolation — each agent gets its own API key and permission set
