Example webapp that showcases how to deploy AI agents with non-custodial wallets. It uses Crossmint smart wallets and deploys agents in a TEE for secure key management.
Report Bug
·
Request Feature
ℹ️ Beta Software Notice
This codebase is currently in beta and has not undergone formal security audits. It serves as an illustration and blueprint for implementing non-custodial wallet architectures in AI agent systems. Before using this in production:
- Conduct Security Audits: Thoroughly review and audit the codebase, especially the wallet management and TEE deployment components
- Stay Updated: Star and watch this repository to receive updates as we add functionality and enhance security measures
We are actively improving the security and functionality of this codebase. Your feedback and contributions are welcome!
Table of Contents
[ ] Solana Smart Wallets (~Feb 10)
[ ] Add support for more TEE networks: Marlin, Lit (~Feb 10)
[ ] Sample code for user-initiated wallet actions
[ ] Non-custodial agent software updates
The goal of this project is to help launchpads and other agent hosting patforms to easily deploy AI agents with wallets, following an architecture that is non-custodial for the launchpad, yet allows the agent owner and user to control the wallet.
It implements the architecture proposed on this blog.
- Agent framework agnostic. Compatible with ElizaOS, Zerepy, GAME, Langchain, Vercel AI, and more.
- Chain agnostic. Currently works for all EVM chains, with Solana coming soon.
- Non-custodial for the launchpad: launchpad owner can't access the agent's funds / wallet. Required for regulatory compliance in the US.
- Dual-key architecture. Both agent owner and agent itself can control the wallet.
- The frontend uses NextJS and the agents are deployed into a TEE by Phala network
When developing AI agents with cryptocurrency capabilities, two critical challenges emerge:
1. Security Considerations:
The traditional custodial approach creates significant security risks. If a launchpad platform holds custody of agent wallets, a single security breach could compromise all agents' funds. Non-custodial architecture eliminates this single point of failure, ensuring that each agent maintains independent control of its assets.
2. Regulatory Compliance:
In jurisdictions like the United States, platforms that have the ability to control or transmit user funds may fall under money transmitter regulations. This creates complex regulatory requirements and potential legal exposure. Non-custodial architecture helps platforms avoid classification as money transmitters by ensuring they never have direct access to or control over user funds.
- Install pnpm as package manager
- Install OrbStack for local container management
- Launch the Orbstack app on your computer and select "Docker" from the OrbStack setup menu
- Create a developer project in Crossmint staging console and production
-
Obtain free API Keys from the Staging environment of Crossmint Console. You'll need both a server-side and client-side API Key. Refer to these instructions to Get a server-side API Key and a client-side one.
- Ensure the Wallet Type is set to
Smart walletunder Settings > General - Ensure API keys have the required scopes:
- Server-side: All 'wallet API' scopes
- Client-side: All 'wallet API' and 'users' scopes. Whitelist
http://localhost:3001as an origin and check the "JWT Auth" box
- Ensure the Wallet Type is set to
-
Webapp setup
cd launchpad-starter-next-app pnpm install cp .env.example .envEnter your Crossmint API keys in the
.envfile. Leave the Docker URL and Phala API key as is for now.Then start the webapp:
pnpm dev
The Next.js app will be available at http://localhost:3001
-
Agent setup
Open a new terminal in the project root folder, and run:
cd agent-tee-phala/image pnpm installThen, build the image code:
pnpm build
Note: When running the nextjs app, the docker image will build and deploy in a simulated TEE environment. This simulated environment allows you to test your docker image code locally before deploying to production TEEs & Docker hub.
In order to run the docker image within a TEE, we need to first build the image.
- From the root directory of this project, run the following command to build the Docker image: its important to use the
--platform linux/amd64flag to ensure the image is built for the correct architecture.
docker build --pull --rm -f 'agent-tee-phala/image/Dockerfile' --platform linux/amd64 -t '{your-image-name}:{version}' 'agent-tee-phala/image'Example:
docker build --pull --rm -f 'agent-tee-phala/image/Dockerfile' --platform linux/amd64 -t 'agentlaunchpadstarterkit:latest' 'agent-tee-phala/image'- Publish the image to Docker Hub.
In the
launchpad-starter-next-app/src/server/services/container.ts, there's a inline comment that explains how to update the docker image name and version. Go to line 47 to find the instructions.
-
API Keys
- Replace staging API keys with production keys from Crossmint Console
- Ensure API keys have the required scopes:
- Server-side: All 'wallet API' scopes
- Client-side: All 'wallet API' and 'users' scopes. Whitelist your webapp url as an origin and check the "JWT Auth" box.
-
Security Checklist
- Verify and audit all code in your agent image folder to ensure it meets security standards
- Publish reproduceable build code to an open source repository for transparency
- Implement client-side checks to prevent agent deployments to TEEs that cannot remotely attest they are running audited code versions
- Configure TEE to disallow code upgrades without explicit end user approval (feature coming soon to Phala and Marlin)
-
Deploy Agent to TEE (Phala Cloud)
- Create an account on Phala Cloud
- Create a new project and copy the API key
- Update the
PHALA_CLOUD_API_KEYin your webapp's environment variables to add your Phala Cloud API key- NOTE: adding the API key to the environment variables will automatically use production environments in Phala Cloud.
- To use local environments, you can just leave
PHALA_CLOUD_API_KEYempty.
-
Deploy Webapp
- Deploy your Next.js application to your preferred hosting platform (Vercel, AWS, etc.)
- Set up environment variables in your hosting platform's dashboard
-
Testing
- Verify wallet creation flow works end-to-end
- Test agent deployment and communication
- Confirm authentication and authorization are working as expected
This software is provided "AS IS", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the software.