Sign Authorization

API Documentation: Sign Authorization (EIP-7702)

Overview

This endpoint produces an EIP-7702 authorization so an MPC wallet can temporarily delegate control of a contract account to a trusted executor. EIP-7702 applies only to EVM-compatible chains, so this API always operates on an EVM network.

⚠️ Sign Authorization (EIP-7702) is not supported on the Solana and Bitcoin networks.

  • HTTP Method: POST
  • Endpoint: /api/<VERSION>/wallet/sign-authorization

Request Body Parameters

  • contractAddress (required): Contract account that will issue the authorization (checksummed EVM address).
  • chainId (optional): The chain ID of the network used for transactions.
  • executor (optional): Externally owned account that will be allowed to execute on behalf of the contract. Falls back to the requester if not provided.
  • nonce (optional): Authorization nonce; auto-derived from the MPC wallet service if omitted.

Example Request Body

{
  "contractAddress": "0xcA11b...",
  "chainId": 1,
  "executor": "0x12345...",
  "nonce": 0
}

Request

Request Headers

  • Authorization (required): JWT token generated when the user authenticated without an MPC wallet.
  • x-client-secret (required if x-app-id is empty): Client Secret generated when creating an app in the Xellar Dashboard.
  • x-app-id (required if x-client-secret is empty): App ID generated when creating an app in the Xellar Dashboard. Add your origin in the Xellar Dashboard when using x-app-id.

Example Request Syntax

curl -X POST \
  -H "Content-Type: application/json" \
  -H "x-client-secret: $YOUR_CLIENT_SECRET" \
  -H "x-app-id: $YOUR_APP_ID" \
  -H "Authorization: Bearer $YOUR_ACCESS_TOKEN" \
  -d '{
    "contractAddress": "0xcA11bde05977b3631167028862bE2a173976CA11",
    "chainId": 1,
    "executor": "0x1234567890abcdef1234567890abcdef12345678",
    "nonce": 0
  }' \
  <BASE_URL>/api/<VERSION>/wallet/sign-authorization

Response

The API returns the signed authorization payload so you can broadcast or reuse it with a compatible EIP-7702 executor.

  • status (number): HTTP status code.
  • message (string): High-level description of the result.
  • data.authorization (object): EIP-7702 authorization fields, including signature parts.
    • address: Authorizing contract address.
    • chainId: EVM chain ID used to sign.
    • nonce: Authorization nonce.
    • r, s, v: Signature components.
    • yParity: Explicit parity flag for compatibility with clients that expect it.

Example Response

{
  "status": 200,
  "message": "Sign Authorization executed successfully",
  "data": {
    "authorization": {
      "address": "0xcA11bde05977b3631167028862bE2a173976CA11",
      "chainId": 1,
      "nonce": 0,
      "r": "0x45804...",
      "s": "0x530bb...",
      "v": 27,
      "yParity": 0
    }
  }
}

Error Response (407 - Permission Required)

If the user has not granted permission to the connected app, the API returns a 407 status code. For more details see User Permission System:

{
  "status": 407,
  "message": "https://passport-dev.xellar.co?ask_permission=true&app_id=<YOUR_APP_ID>",
  "data": null
}
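
Before broadcasting the returned payload, a client can confirm that it matches what was requested and that the signature fields are well formed. The following is an added example, not part of the Xellar documentation or SDK: `checkAuthorization` is a hypothetical helper, the `r` and `s` values are constructed, and accepting `v` as either the raw parity or 27 plus the parity is an assumption based on the example response above.

```javascript
// Added example: sanity-check a sign-authorization response before using it.
// secp256k1 group order; EIP-7702 rejects signatures whose s is above n/2.
const SECP256K1_N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n;
const HEX_UP_TO_32_BYTES = /^0x[0-9a-fA-F]{1,64}$/;

// Returns a list of problems; an empty list means the payload matches the request.
function checkAuthorization(request, response) {
  if (response.status === 407) {
    // Per the page, `message` carries the permission URL to show to the user.
    return [`permission required: ${response.message}`];
  }
  const auth = response.data && response.data.authorization;
  if (response.status !== 200 || !auth) return ["no authorization in response"];

  const problems = [];
  if (String(auth.address).toLowerCase() !== request.contractAddress.toLowerCase())
    problems.push("address differs from requested contractAddress");
  if (request.chainId !== undefined && auth.chainId !== request.chainId)
    problems.push("chainId differs from request");
  if (request.nonce !== undefined && auth.nonce !== request.nonce)
    problems.push("nonce differs from request");
  if (auth.yParity !== 0 && auth.yParity !== 1) {
    problems.push("yParity must be 0 or 1");
  } else if (auth.v !== auth.yParity && auth.v !== 27 + auth.yParity) {
    // Assumption: v is the raw parity or the legacy 27/28 form.
    problems.push("v is inconsistent with yParity");
  }
  for (const k of ["r", "s"]) {
    if (!HEX_UP_TO_32_BYTES.test(String(auth[k]))) {
      problems.push(`${k} is not a hex value of at most 32 bytes`);
      continue;
    }
    const n = BigInt(auth[k]);
    if (n === 0n || n >= SECP256K1_N) problems.push(`${k} out of range`);
    else if (k === "s" && n > SECP256K1_N / 2n) problems.push("s is not in the lower half");
  }
  return problems;
}

// Constructed sample data (r and s are made-up values, not real signatures).
const request = { contractAddress: "0xcA11bde05977b3631167028862bE2a173976CA11", chainId: 1, nonce: 0 };
const good = { status: 200, data: { authorization: {
  address: "0xcA11bde05977b3631167028862bE2a173976CA11", chainId: 1, nonce: 0,
  r: "0x" + "11".repeat(32), s: "0x" + "22".repeat(32), v: 27, yParity: 0 } } };
const tampered = { status: 200, data: { authorization: {
  ...good.data.authorization, address: "0x" + "ab".repeat(20), s: "0x" + "ee".repeat(32) } } };

console.log(checkAuthorization(request, good));
console.log(checkAuthorization(request, tampered));
```

These checks cover field consistency only; they do not recover the signer from `r`, `s` and `yParity`, which requires a secp256k1 library.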