Privileges
Privileges let you pre-approve a scope of operations so your agent can act without triggering an approval each time. Think of it as a signed permission slip: “you may spend up to $X, only to these addresses, only on this chain, and only for the next N hours.”
How It Works
- You define a scope — spend limit, allowed addresses, chain, and expiration
- You approve it once — creates an encoded token
- Agent attaches the token — qualifying transactions are signed instantly, no 2FA
- Token expires — after the time limit or spend cap is reached, the agent needs a new token or falls back to normal approvals
Scope Parameters
| Parameter | What it controls |
|---|---|
allowedAddresses | Which addresses the agent can send to. Empty [] = any address (riskier). |
chainId | Which chain the token applies to |
requestedAmountUsd | Maximum cumulative USD value across all transactions |
requestedExpirySeconds | How long the token is valid |
Using Privileges (CLI)
Once you have a Privilege token, pass --permission-token to any signing or transaction command:
waap-cli send-tx \
--to 0xCetusPool \
--value 0.01 \
--chain-id sui:mainnet \
--permission-token <encoded-token>The transaction goes through immediately — no Telegram prompt, no waiting.
Obtaining a token from the CLI
Coming soon. Creating and managing Privileges directly from waap-cli is in development. Today, the CLI can consume a Privilege via --permission-token <encoded-token> but cannot mint or list them — that flow lives in the WaaP SDK (see below). For a headless agent, you currently need to mint a Privilege through a browser-based flow and pass the resulting token to the CLI.
When to Use Them
| Scenario | Without Privilege | With Privilege |
|---|---|---|
| Yield agent repositioning every few hours | Telegram approval each time | Auto-approved within scope |
| Trading agent executing 50 trades/day | 50 Telegram approvals/day | Auto-approved up to limit |
| One-time large transfer | Approve manually (good) | Not recommended — use normal approval |
Rule of thumb: Use Privileges for routine, low-value, repetitive operations. Keep normal approvals for anything large or unusual.
SDK Integration
For browser-based apps, Privileges are requested via window.waap.requestPermissionToken(). See the Privileges SDK guide for full implementation details.
Privileges vs Policy Controls
Privileges and Policy Controls both shape what your agent can do without prompting, but they operate at different layers:
- Policy Controls are the global wallet-level baseline — daily spend limit, 2FA method, risk threshold. They apply to every transaction the wallet signs.
- Privileges are scoped, time-bounded grants that bypass 2FA for specific operations within the policy baseline. A Privilege never overrides the policy’s daily spend cap; it just removes the 2FA prompt for transactions inside its declared scope.
Use Policy Controls to set the floor; use Privileges to grant per-task autonomy on top of that floor.
Related
- Approvals & Notifications — What happens when a Privilege isn’t present
- Policy Controls — Set the baseline limits that Privileges operate within
- CLI Commands — Full command reference