Your DeFi agent shouldn't hold private keys
1claw Intents lets agents submit transaction intents. The signing happens in a TEE. Keys never leave hardware.
Before and after Intents
The difference between hoping your key is safe and knowing it never left the TEE.
- Private key hardcoded in env or passed to agent at runtime
- Key extractable via prompt injection, logs, or memory dump
- No guardrails — agent can drain the wallet in one transaction
// ❌ Agent holds the private key
const wallet = new Wallet(
  process.env.PRIVATE_KEY
);
const tx = await wallet.sendTransaction({
  to: "0xDEF1...",
  value: parseEther("1.0")
});
- Agent submits an intent — signing happens inside the TEE
- Private key never exported — stays in HSM/TEE memory
- Per-agent guardrails enforce allowlists, caps, and chain restrictions
// ✓ Agent submits intent — never sees the key
const tx = await client.agents.submitTransaction(agentId, {
  to: "0xDEF1...",
  value: "1.0",
  chain: "base",
  simulate_first: true
});
✓ Simulated via Tenderly. Signed in TEE. Broadcast.
✓ Private key never left hardware.
Guardrails you configure, not hope for
Every constraint is enforced server-side before the key is ever touched.
Per-agent address allowlists
Restrict each agent to specific contract addresses. Transactions to unlisted addresses are rejected before signing — even if the agent is compromised.
Value caps (per tx & per day)
Set a max ETH value per transaction and a rolling 24-hour daily limit. The signing proxy enforces caps atomically — no race conditions.
Chain restrictions + Tenderly simulation
Limit agents to specific chains. Optionally simulate every transaction via Tenderly before broadcast — reverts are caught before they hit the chain.
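The guardrails described above (chain restriction, address allowlist, per-transaction cap, rolling 24-hour cap), evaluated in order before any signing call. This is an added example, not 1claw's code or API; `Guardrail`, `ethToWei`, the policy field names and the sample address are assumptions made for illustration.

```javascript
// Added illustration: server-side guardrail check run before the key is touched.
// Not 1claw's implementation; class, field names and sample address are hypothetical.
const WEI = 10n ** 18n;
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse a decimal ETH string ("1.0") into wei as BigInt, avoiding float rounding.
function ethToWei(s) {
  if (typeof s !== "string" || !/^\d+(\.\d{1,18})?$/.test(s)) throw new Error("bad value");
  const [whole, frac = ""] = s.split(".");
  return BigInt(whole) * WEI + BigInt(frac.padEnd(18, "0"));
}

class Guardrail {
  constructor(policy) {
    this.chains = new Set(policy.chains);
    this.allowlist = new Set(policy.allowlist.map((a) => a.toLowerCase()));
    this.maxPerTx = ethToWei(policy.maxPerTxEth);
    this.maxPerDay = ethToWei(policy.maxPerDayEth);
    this.spends = []; // approved spends inside the rolling window: { at, wei }
  }

  // Returns { ok, reason }. The cap check and the spend record happen in one
  // synchronous step, so two intents cannot both pass against the same budget.
  authorize(intent, now = Date.now()) {
    let wei;
    try { wei = ethToWei(intent.value); } catch { return { ok: false, reason: "bad_value" }; }
    if (!this.chains.has(intent.chain)) return { ok: false, reason: "chain_not_allowed" };
    if (!this.allowlist.has(String(intent.to).toLowerCase()))
      return { ok: false, reason: "address_not_allowed" };
    if (wei > this.maxPerTx) return { ok: false, reason: "per_tx_cap" };
    this.spends = this.spends.filter((s) => now - s.at < DAY_MS); // drop entries older than 24h
    const used = this.spends.reduce((sum, s) => sum + s.wei, 0n);
    if (used + wei > this.maxPerDay) return { ok: false, reason: "daily_cap" };
    this.spends.push({ at: now, wei });
    return { ok: true, reason: null };
  }
}

// Constructed sample: one agent limited to Base, one placeholder contract address.
const SAMPLE_TO = "0x00000000000000000000000000000000000000AA";
function demo(now = 1_700_000_000_000) {
  const g = new Guardrail({
    chains: ["base"], allowlist: [SAMPLE_TO], maxPerTxEth: "1.0", maxPerDayEth: "1.5",
  });
  const first = g.authorize({ to: SAMPLE_TO, value: "1.0", chain: "base" }, now);
  const second = g.authorize({ to: SAMPLE_TO, value: "1.0", chain: "base" }, now + 1000);
  return [first.reason, second.reason]; // second exceeds the rolling daily cap
}
```

Within a single Node.js process the check and the spend record run in one synchronous call; a service with several instances would need the same check-and-record step inside a database transaction or lock.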
109+ supported EVM chains
EIP-1559 and legacy signing. Multi-chain nonce management. Tenderly simulation on all networks.
- Ethereum (ETH)
- Base (ETH)
- Arbitrum One (ETH)
- Optimism (ETH)
- Polygon (MATIC)
- BNB Chain (BNB)
- Avalanche (AVAX)
- Linea (ETH)
- Scroll (ETH)
- zkSync (ETH)
- Blast (ETH)
- Mantle (MNT)
- Gnosis (xDAI)
- Celo (CELO)
- Moonbeam (GLMR)
- Sonic (S)
- Berachain (BERA)
- Unichain (ETH)
- World Chain (ETH)
- Taiko (ETH)
- Fraxtal (frxETH)
- Lisk (ETH)
- Ronin (RON)
- Metis (METIS)
- BOB (ETH)
- Ink (ETH)
- Soneium (ETH)
- Immutable (IMX)
- Flare (FLR)
- Story (IP)
Plus testnets (Sepolia, Base Sepolia, Holesky, and more). Any EVM chain supported by Tenderly can be added.
Your agent can pay for its own compute
With x402, agents submit payment intents just like transaction intents. 1claw signs the USDC settlement on Base via the Coinbase CDP facilitator. The agent never holds or controls funds.
- Agent submits payment intent — no USDC in agent memory
- Settlement signed in TEE, broadcast on Base (EIP-155:8453)
- Per-request micropayments — no subscriptions needed for agents
- Replay protection via SHA-256 proof hashing
// Agent pays for API access via x402
const response = await fetch("https://api.1claw.xyz/v1/...", {
  headers: {
    "X-PAYMENT": paymentProof
  }
});
// ✓ Payment signed in TEE, settled on Base
// ✓ Agent never held USDC
Built for production DeFi teams
Intents is available on Business and Enterprise plans. Custom pricing for high-volume DeFi teams with dedicated TEE nodes and SLA guarantees.
Already using 1claw Vault? Enable Intents on your agents →