> ## Documentation Index
> Fetch the complete documentation index at: https://www.dynamic.xyz/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Agent Wallets

> Authenticate a server-side agent with a Dynamic user JWT and a session key, then create wallets and sign — on behalf of a human user or fully autonomously.

Agent wallets let a server-side agent (for example, an AI agent or an automated trading service) operate a Dynamic embedded wallet as a Dynamic user. The agent authenticates with a user JWT instead of your developer API token, so every wallet it creates or signs with belongs to that user. The user can be either:

* **A human** — the agent signs them in with email OTP (the human relays the code) or a wallet signature (the human signs the sign-in message with their own wallet), then acts on their behalf.
* **The agent itself** — the agent authenticates with an **agent signing token**: a secp256k1 private key that the agent holds, which serves as its identity. It signs in programmatically and mints its own JWT — no human in the loop, including at re-authentication time.

This differs from the other two ways to authenticate the Node SDK:

* **API token** (`authenticateApiToken`) — your server-level credential. Wallets belong to your developer account. See the [Node SDK Quickstart](/node/quickstart).
* **Delegated access** (`createDelegatedEvmWalletClient`) — the user approves delegation in your client app and Dynamic sends credentials to your webhook. See [Delegated Access for EVM Wallets](/node/evm/delegated-access).
* **Agent wallets** (`authenticateJwt`) — the agent completes a Dynamic sign-in directly (email OTP or Sign-In With Ethereum), receives a user JWT, and acts as that user. No browser required, and with an agent signing token, no human required.

<Note>
  Before you start: Node.js 18+, a Dynamic environment ID from the [Dynamic Dashboard](https://app.dynamic.xyz/dashboard/developer/api), embedded wallets enabled for your environment, and the [auth methods](/overview/authentication/dynamic-auth/auth-methods) your agent signs in with (email, external wallet) enabled in the dashboard. Install `@dynamic-labs-wallet/node` version 1.0.62 or later (auth client and session-key helpers) alongside your chain package, for example `@dynamic-labs-wallet/node-evm`.
</Note>

The examples in this section use the EVM client. `DynamicSvmWalletClient`, `DynamicBtcWalletClient`, and `DynamicTonWalletClient` inherit the same authentication methods.

## How the flow works

1. Generate a session key pair. The public key travels; the private key stays in your custody.
2. Sign in — with [email OTP](/node/agents/sign-in-with-email-otp) (human user) or [a private key](/node/agents/sign-in-with-a-private-key) (human user or autonomous agent) — and pass the session public key, which binds it into the minted JWT.
3. [Use agent wallets](/node/agents/use-agent-wallets): call `authenticateJwt` with the JWT and a `getSessionSignature` callback, then create wallets and sign with `backUpToDynamic: true`. The SDK attaches a signed-session proof to backup and recovery calls automatically.
4. Refresh the JWT with `refreshAuthToken` for long-running sessions, and sign in again when the refresh limit is reached.

For complete runnable scripts covering both sign-in paths, see [Example Usage](/node/agents/example-usage). For what your application must persist and the security model, see [Storage & Security](/node/agents/storage-and-security).

## API reference

* [authenticateJwt](/node/reference/auth/authenticate-jwt)
* [refreshAuthToken](/node/reference/auth/refresh-auth-token)
* [generateSessionKeyPair](/node/reference/auth/generate-session-key-pair)
* [signSessionMessage](/node/reference/auth/sign-session-message)
* [createAuthClient](/node/reference/auth/create-auth-client)
* [Email OTP sign-in](/node/reference/auth/email-otp-sign-in)
* [Wallet sign-in](/node/reference/auth/wallet-sign-in)
