Intents API — TEE signing for AI agents

AI agent private key security
solved by hardware

When AI agents hold private keys, one prompt injection drains the wallet. 1claw's Intents API keeps signing keys inside a Trusted Execution Environment — your agent submits intents, never touches keys.

Learn about Intents API Start free

Intents API available on Business and Enterprise plans. Start free to explore the vault.

The threat model

Why AI agents holding private keys is dangerous

The promise of AI agents in crypto is autonomy — agents that can trade, rebalance, bridge, and manage DeFi positions without human intervention. But every current implementation shares the same fatal flaw: the agent has the private key.

A private key in agent memory is a single point of failure. Unlike a password, there's no recovery mechanism. Unlike a credit card, there's no chargeback. One compromised key means complete, irreversible loss of funds.

Prompt injection. An agent processing untrusted input (web3 event data, oracle responses, user messages) can be tricked into executing arbitrary transactions. If it holds the key, it can sign anything.
Memory dumps and logging. Keys stored in process.env or runtime variables can be extracted via error logs, crash dumps, or debugging tools.
Supply chain attacks. A compromised npm package or Python dependency in the agent's stack can read environment variables and exfiltrate keys silently.
No guardrails. With direct key access, there's nothing preventing the agent from sending the entire wallet balance to an attacker's address in a single transaction.

agent.py — key in memoryextractable

# Typical DeFi agent pattern

from web3 import Web3

w3 = Web3("https://rpc.example.com")

acct = w3.eth.account.from_key(

os.environ["PRIVATE_KEY"]

)

The private key is now in process memory. Any code in this process — including compromised dependencies — can read it.

Trusted Execution Environment

Keys stay in the TEE — agents submit intents

1claw's Intents API runs inside a Confidential GKE cluster with AMD SEV-SNP. Private keys are decrypted only inside TEE memory. The agent sends a transaction intent — the TEE signs it and broadcasts it. The key never leaves hardware.

Hardware isolation

The signing service runs on AMD SEV-SNP (Secure Encrypted Virtualization with Secure Nested Paging). Even the host operating system and hypervisor cannot read TEE memory. Private keys are decrypted from Cloud KMS only inside the enclave.

Private key read blocking

When Intents API is enabled on an agent, the vault API blocks direct reads of private_key and ssh_key type secrets, returning 403. The agent physically cannot exfiltrate the key — it can only request signatures.

Key derivation without exposure

Ethereum addresses are derived from the private key inside the TEE using secp256k1 public key extraction and keccak256 hashing. The address is returned to the caller — the key stays in hardware memory.

SDK — submit intentkey in TEE

// Agent submits intent — never sees the key
const result = await client.agents.submitTransaction(
  agentId,
  {
    to: "0xDEF1C0DE...",
    value: "0.5",
    chain: "ethereum",
    data: "0xa9059cbb...",
    simulate_first: true
  }
);

// ✓ Simulated via Tenderly
// ✓ Signed inside TEE (secp256k1)
// ✓ Broadcast via RPC
// ✓ Private key never left hardware

Per-agent guardrails

Defense in depth, not just hardware

TEE signing removes key exposure, but production DeFi needs more. 1claw enforces per-agent transaction controls server-side — before the key is ever accessed.

Address allowlists

Restrict each agent to specific contract addresses. Transactions to unlisted addresses are rejected before signing.

Per-tx value cap

Set a maximum ETH value per transaction. Prevents a compromised agent from draining the wallet in one call.

Daily spend limit

Rolling 24-hour cumulative cap on all transactions. Limits total exposure even if the agent is fully compromised.

Chain restrictions

Limit agents to specific chains (e.g., only Base and Arbitrum). Prevents unexpected cross-chain transactions.

Simulate before you sign

Every transaction can be simulated via Tenderly before the TEE signs it. Set simulate_first: true on the request, or enforce it org-wide with intents_api.require_simulation. If the simulation reverts, the transaction is recorded as simulation_failed and never signed.

Full Tenderly simulation with gas estimation, balance changes, and revert reasons
Bundle simulation — test multi-step sequences before committing
Tenderly dashboard URL in response for deep debugging
109+ EVM chains supported via Tenderly's network coverage

TEE-backed transaction signing

Your agent doesn't need the private key

Stop putting private keys in environment variables. 1claw Intents API gives your agent the ability to sign transactions without ever exposing the key. Hardware isolation, guardrails, and simulation built in.