Skip to main content

Introduction

The Policy Engine is your platform's source of truth for access control. Declare rules once; the engine enforces them everywhere — across transactions, key operations, and any action your platform exposes.

Capabilities

CapabilityStateless PolicyStateful PolicyNotes
Multi-chain supportOne policy language across supported chains.
Offchain operationsCan gate key export, key refresh, quorum change, and similar off-chain operations.
Per-transaction transfer limitsExample: amount <= 100 for a single request.
Address controls: whitelisting (per-account)Restrict allowed destination/source addresses via policy conditions.
Address controls: source account/wallet restrictionsRestrict signing requests to specific source wallets/accounts.
Cumulative transfer limits (daily/weekly/monthly)Requires historical aggregation. See Stateful Policy Onboarding: Duo, Trio, Silent Network.
Transaction rate limitingRequires counting events inside a time window. See Stateful Policy Onboarding: Duo, Trio, Silent Network.
Time-window aware rulesRequires rolling/fixed window logic. See Stateful Policy Onboarding: Duo, Trio, Silent Network.
Fine-grained access controlSupports issuer-based and condition-based controls.
MPC-focused architectureDesigned for transactions signed by MPC nodes.
Key-bound policiesPolicies are bound to a specific key_id.
Auditable evaluationEvaluation outcomes are logged per action.

Concepts

A Policy is a JSON document that defines the complete set of constraints for a key. Policy contains multiple Rule. A Rule contains multiple Condition or ConditionGroup.

  • Rule: A composite statement about if the transaction/request satisfies all the condition groups or conditions to execute the action.
  • Condition: A boolean statement that evaluates a specific attribute of the transaction (e.g., checking if amount is less than 100).
  • ConditionGroup: A combination of boolean statements about the transaction/request.

Validation: Policies are integrity-checked using a Message Authentication Code (MAC).

Policy Structure

A Policy object follows this structure:

FieldTypeDescription
versionstringMust be "1.0".
descriptionstringOptional description (max 512 chars).
rulesRule[]List of rules to evaluate.

Rule Structure

FieldTypeDescription
descriptionstringOptional description (max 512 chars).
issuerIssuer[]Entities authorized to issue the request that will be evaluated by the engine.
actionstring"allow", "deny".
logicstring"or", "and" (combining conditions). Defaults to "and" if omitted.
chain_typestring"off", "ethereum", "solana".
conditionsCondition[]List of conditions or condition groups.

Issuer

Defines who is making the request which is usually defined by the authentication payload in the request.

  • type: "UserId", "SessionId", or "*" (any).
  • id: The specific ID of the user or session.

Conditions

Conditions are the building blocks of rules. They compare transaction attributes against expected values.

Condition Fields

FieldTypeDescription
transaction_typestringThe type of transaction (see below).
transaction_attrstringThe specific attribute to check (see below).
operatorstringComparison operator.
valueanyThe static value to compare against.
abiobject(Optional) ABI/IDL for decoding data.

Transaction Types

Used to deserialize the transaction payload correctly.

  • eip712: Typed Data signing.
  • eip191: Personal Sign.
  • erc20: Fungible Token interaction.
  • erc721: NFT interaction.
  • nativeTransfer: Pure ETH/SOL transfer.
  • solanaTransaction: General Solana transaction.

Transaction Attributes

The specific field within the transaction to evaluate.

NameDescriptionExample
senderTransaction sender. EIP-1559 "from" field in erc20, erc721 and ETH transfer transactions"0x742d35Cc...8f44e"
receiverTransaction destination. EIP-1559 "to" field in erc20, erc721 and ETH transfer transactions. Or, sender account key in SOL transfer transaction"0x538f44e...d35Cc"
nativeValueAmount of native token (ETH/SOL)."1000000000000000000" (1 ETH)
chainIdBlockchain Network ID.1
functionSelectorEthereum function signature (4 bytes)."0xa9059cbb"
messageEIP-191 message content."Sign this message"
verifyingContractEIP-712 contract address."0xCcCC...cccC"
primaryTypeEIP-712 primary type."Mail"
domainNameEIP-712 domain name."Ether Mail"
splTransferAmountSolana SPL token amount.1000000
splTokenMintSolana SPL token mint address."EPjFWdd5...TDt1v"
solanaAccountKeysList of accounts in a Solana transaction.["Account1...", "Account2..."]

If an attribute is not found in the list above, the engine will try to resolve it as a parameter from the provided ABI. To resolve naming collisions between built-in attributes and ABI parameters, you can use the abi: prefix (e.g. abi:sender). This forces the engine to look up the attribute in the ABI parameters instead of using the built-in value.

Operators

The operands to evaluate Transaction Attributes against the Policy's expected values.

  • eq: Equal
  • neq: Not Equal
  • lt: Less Than
  • lte: Less Than or Equal
  • gt: Greater Than
  • gte: Greater Than or Equal
  • in: Value is in a list.
  • all: All values match (for arrays).

Policy evaluation flow

Policy

A Policy evaluation is based on the results of Rule evaluations:

  • Precedence: DENY rules take precedence over ALLOW rules.
  • Default Behavior: If no rules match the request, the default action is DENY. Or, if there's no Policy attached to the key, policy evaluation will never happen.

Rule

A Rule defines an action (ALLOW or DENY) that is triggered when:

  • The request Issuer and the Transaction Type matches the Policy configuration. If these 2 attributes aren't matched, the evaluation will be skipped for that Rule.
  • Conditions (or Condition Groups) are satisfied.

Stateful Policy Onboarding

  • Start Here - Build your first stateful policy with controllers, entries, and end-to-end flow examples.

Incoming

  • External State: Create webhook policy rules to reference external business logic for approving or denying transactions.