Permissions & Keys

Session keys are the mechanism that allows SnowMind to manage your yield without holding custody of your funds. They are temporary, scoped, and revocable.

What Are Session Keys?

A session key is a temporary cryptographic key granted to SnowMind's backend. Unlike your master key (which has full control), session keys are constrained by on-chain policies that limit exactly what operations they can perform.

Permission = 1 Signer + N Policies + 1 Action

Session Key Policies

Policy | Configuration
Call Policy | supply()/withdraw() and equivalent deposit/redeem functions on approved protocol adapters only
Rate Limit | Maximum N transactions per day
Gas Policy | Maximum total gas budget

What the Session Key Cannot Do

  • Call transfer() or approve() to arbitrary addresses (not in function whitelist)
  • Interact with contracts not in the whitelist
  • Exceed the daily transaction rate limit
  • Exceed the gas budget

On-Chain Enforcement

All session key policies are enforced by the smart account's Permission Validator at the EVM level. This means even if SnowMind's backend is compromised, the attacker is still bound by these constraints.
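
The policy checks described above, modelled off-chain in Python as an added example; this is not SnowMind's code or the on-chain Permission Validator. The addresses, limits, class and function names are constructed assumptions, and "per day" is modelled as a rolling 24-hour window.

```python
from dataclasses import dataclass, field

DAY = 86_400  # seconds

@dataclass
class SessionPolicy:
    """Off-chain model of the page's three session key policies (hypothetical names)."""
    allowed_calls: frozenset      # Call Policy: (adapter address, function name) pairs
    max_tx_per_day: int           # Rate Limit
    gas_budget: int               # Gas Policy: total gas the key may ever spend
    gas_used: int = 0
    recent: list = field(default_factory=list)  # timestamps of accepted calls

    def validate(self, target: str, function: str, gas: int, now: int) -> str:
        """Return 'ok' and record the call, or the name of the policy that rejects it."""
        if (target.lower(), function) not in self.allowed_calls:
            return "call-policy"
        window = [t for t in self.recent if now - t < DAY]
        if len(window) >= self.max_tx_per_day:
            return "rate-limit"
        if self.gas_used + gas > self.gas_budget:
            return "gas-policy"
        self.recent = window + [now]
        self.gas_used += gas
        return "ok"

# Constructed sample values: placeholder addresses and limits, not SnowMind's.
ADAPTER = "0x" + "a1" * 20
OTHER = "0x" + "ff" * 20

def demo() -> list:
    policy = SessionPolicy(
        allowed_calls=frozenset({(ADAPTER, "supply"), (ADAPTER, "withdraw")}),
        max_tx_per_day=2,
        gas_budget=1_000_000,
    )
    calls = [
        (ADAPTER, "supply", 300_000, 0),         # whitelisted target and function
        (ADAPTER, "transfer", 50_000, 10),       # function not in the whitelist
        (OTHER, "supply", 300_000, 20),          # contract not in the whitelist
        (ADAPTER, "withdraw", 300_000, 30),      # second accepted call of the day
        (ADAPTER, "supply", 100_000, 40),        # third call inside 24 hours
        (ADAPTER, "supply", 500_000, DAY + 50),  # new day, but 600k + 500k > budget
    ]
    return [policy.validate(*c) for c in calls]

if __name__ == "__main__":
    print(demo())
```

Rejected calls do not consume the rate limit or gas budget in this model; only accepted calls are recorded.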

Session Key Storage

Session keys are never stored in plaintext. They are encrypted with AES-256-GCM at rest and decrypted only in-memory when building a UserOperation. The encryption key is stored separately from the database for additional security.

Withdrawing

You can withdraw your full balance at any time. This exits all protocol positions and returns your funds to your wallet. If you want to reset permissions, simply withdraw everything and re-deposit when ready.

Key Lifecycle

  1. Grant: User signs a transaction creating the session key with scoped policies
  2. Active: SnowMind uses the key to execute rebalances (supply/withdraw only)