Policy Engine

Policies let you govern wallet behavior by defining rules that accept or reject operations based on transaction parameters like destination address, value, and network.

Policy fields

Field	Description	Valid values
`scope`	Level at which the policy applies	`project` or `account` (API key auth only)
`rules`	Ordered list of rules	Array of rules
`action`	What to do when criteria match	`accept` or `reject`
`operation`	The wallet operation being governed	See Supported operations
`criteria`	Logical expressions evaluated against the operation	Array of criteria

Evaluation

Rules are processed in order. The first matching rule’s action is applied. If no rule matches, the request is rejected (fail-secure default). For API key auth wallets, a project-level policy is evaluated first, followed by any account-level policy.

API key configuration

To manage policies via SDK or API, your API key must have the Manage (modify policies) scope enabled under API restrictions > API-specific restrictions.

Create a policy

User Authentication
API Key Authentication

User authentication wallets support project-scope policies only. Create policies using the CDP SDK from your backend.

Node (TypeScript)
Python

const policy = await cdp.policies.createPolicy({
  policy: {
    scope: "project",
    description: "Accept EVM txs to allowlisted addresses",
    rules: [
      {
        action: "accept",
        operation: "signEndUserEvmTransaction",
        criteria: [
          {
            type: "evmAddress",
            addresses: ["0x000000000000000000000000000000000000dEaD"],
            operator: "in",
          },
        ],
      },
    ],
  },
});
console.log("Created policy:", policy.id);

policy = await cdp.policies.create_policy({
    "scope": "project",
    "description": "Accept EVM txs to allowlisted addresses",
    "rules": [
        {
            "action": "accept",
            "operation": "signEndUserEvmTransaction",
            "criteria": [
                {
                    "type": "evmAddress",
                    "addresses": ["0x000000000000000000000000000000000000dEaD"],
                    "operator": "in",
                },
            ],
        }
    ],
})
print(f"Created policy: {policy.id}")

API key auth wallets support both project-scope and account-scope policies. Policies can be created via the CDP Portal UI or the SDK.

CDP Portal

Navigate to Policies and click Create new policy to use the JSON editor.

SDK

Node (TypeScript)
Python

const account = await cdp.evm.getOrCreateAccount({ name: "PolicyAccount" });

// Create an account-level policy
const policy = await cdp.policies.createPolicy({
  policy: {
    scope: "account",
    description: "Account Allowlist Example",
    rules: [
      {
        action: "accept",
        operation: "signEvmTransaction",
        criteria: [
          {
            type: "ethValue",
            ethValue: "1000000000000000000", // 1 ETH in wei
            operator: "<=",
          },
          {
            type: "evmAddress",
            addresses: ["0x000000000000000000000000000000000000dEaD"],
            operator: "in",
          },
        ],
      },
    ],
  },
});

// Apply the policy to the account
await cdp.evm.updateAccount({
  address: account.address,
  update: { accountPolicy: policy.id },
});
console.log("Applied policy:", policy.id);

from cdp.policies.types import CreatePolicyOptions, EthValueCriterion, EvmAddressCriterion, SignEvmTransactionRule
from cdp.update_account_types import UpdateAccountOptions

account = await cdp.evm.get_or_create_account(name="PolicyAccount")

policy = await cdp.policies.create_policy(
    policy=CreatePolicyOptions(
        scope="account",
        description="Account Allowlist Example",
        rules=[
            SignEvmTransactionRule(
                action="accept",
                criteria=[
                    EthValueCriterion(ethValue="1000000000000000000", operator="<="),
                    EvmAddressCriterion(
                        addresses=["0x000000000000000000000000000000000000dEaD"],
                        operator="in",
                    ),
                ],
            )
        ],
    )
)

await cdp.evm.update_account(
    address=account.address,
    update=UpdateAccountOptions(account_policy=policy.id),
)
print(f"Applied policy: {policy.id}")

Supported operations

User authentication

Operation	Description
`signEndUserEvmTransaction`	End-user EVM transaction signing
`sendEndUserEvmTransaction`	End-user EVM transaction signing and sending
`signEndUserEvmMessage`	End-user EIP-191 message signing
`signEndUserEvmTypedData`	End-user EIP-712 typed data signing
`signEndUserSolTransaction`	End-user Solana transaction signing
`sendEndUserSolTransaction`	End-user Solana transaction signing and broadcast
`signEndUserSolMessage`	End-user Solana message signing

API key authentication

Operation	Description
`signEvmTransaction`	EVM transaction signing
`sendEvmTransaction`	EVM transaction signing and sending
`signEvmMessage`	EIP-191 message signing
`signEvmTypedData`	EIP-712 typed data signing
`signEvmHash`	Hash signing
`prepareUserOperation`	Smart account user operation preparation
`sendUserOperation`	Smart account user operation sending
`signSolTransaction`	Solana transaction signing
`sendSolTransaction`	Solana transaction signing and sending
`signSolMessage`	Solana message signing

GET STARTED

PAYMENTS

TRADING

WALLETS

ONCHAIN TOOLS

WEBHOOKS

CONSUMER APIS

BUSINESS APIS

INSTITUTIONAL APIS

Policy fields

Evaluation

API key configuration

Create a policy

CDP Portal

SDK

Supported operations

User authentication

API key authentication

GET STARTED

PAYMENTS

TRADING

WALLETS

ONCHAIN TOOLS

WEBHOOKS

CONSUMER APIS

BUSINESS APIS

INSTITUTIONAL APIS

Documentation Index

​Policy fields

​Evaluation

​API key configuration

​Create a policy

​CDP Portal

​SDK

​Supported operations

​User authentication

​API key authentication

Policy fields

Evaluation

API key configuration

Create a policy

CDP Portal

SDK

Supported operations

User authentication

API key authentication