Skip to main content
Agent wallets let a server-side agent (for example, an AI agent or an automated trading service) operate a Dynamic embedded wallet as a Dynamic user. The agent authenticates with a user JWT instead of your developer API token, so every wallet it creates or signs with belongs to that user. The user can be either:
  • A human — the agent signs them in with email OTP (the human relays the code) or a wallet signature (the human signs the sign-in message with their own wallet), then acts on their behalf.
  • The agent itself — the agent authenticates with an agent signing token: a secp256k1 private key that the agent holds, which serves as its identity. It signs in programmatically and mints its own JWT — no human in the loop, including at re-authentication time.
This differs from the other two ways to authenticate the Node SDK:
  • API token (authenticateApiToken) — your server-level credential. Wallets belong to your developer account. See the Node SDK Quickstart.
  • Delegated access (createDelegatedEvmWalletClient) — the user approves delegation in your client app and Dynamic sends credentials to your webhook. See Delegated Access for EVM Wallets.
  • Agent wallets (authenticateJwt) — the agent completes a Dynamic sign-in directly (email OTP or Sign-In With Ethereum), receives a user JWT, and acts as that user. No browser required, and with an agent signing token, no human required.
Before you start: Node.js 18+, a Dynamic environment ID from the Dynamic Dashboard, embedded wallets enabled for your environment, and the auth methods your agent signs in with (email, external wallet) enabled in the dashboard. Install @dynamic-labs-wallet/node version 1.0.62 or later (auth client and session-key helpers) alongside your chain package, for example @dynamic-labs-wallet/node-evm.
The examples in this section use the EVM client. DynamicSvmWalletClient, DynamicBtcWalletClient, and DynamicTonWalletClient inherit the same authentication methods.

How the flow works

  1. Generate a session key pair. The public key travels; the private key stays in your custody.
  2. Sign in — with email OTP (human user) or a private key (human user or autonomous agent) — and pass the session public key, which binds it into the minted JWT.
  3. Use agent wallets: call authenticateJwt with the JWT and a getSessionSignature callback, then create wallets and sign with backUpToDynamic: true. The SDK attaches a signed-session proof to backup and recovery calls automatically.
  4. Refresh the JWT with refreshAuthToken for long-running sessions, and sign in again when the refresh limit is reached.
For complete runnable scripts covering both sign-in paths, see Example Usage. For what your application must persist and the security model, see Storage & Security.

API reference

Last modified on July 9, 2026