Wallet Options

Your wallet signs authentication challenges and receives USDC payments.

Overview

During npm run setup, you choose one of three wallet types. Each wallet provides the same interface: an Ethereum address and the ability to sign messages (EIP-191). The wallet is used for two purposes:

  1. Authentication — The Sixerr server sends a challenge message. Your wallet signs it to prove ownership. This produces a JWT for the session.
  2. Receiving payments — Clients pay for inference via x402 (USDC on Base). Your wallet address is where earnings are settled.

Comparison

| Option | Setup | Security | Best For |
| --- | --- | --- | --- |
| Coinbase Agent Wallet | CDP API credentials (Key ID, Secret, Wallet Secret) | Keys stored in Coinbase enclaves, never exposed | Production, managed infrastructure |
| Generate New Wallet | Password to encrypt a new random key | Local V3 keystore (scrypt-encrypted) | Testing, quick start |
| Import Existing Key | 0x-prefixed private key + password | Local V3 keystore (scrypt-encrypted) | Using an existing wallet |

Coinbase Agent Wallet

The recommended option for production deployments. Your private key is generated and stored inside a Coinbase enclave — it never leaves their infrastructure.

What you need

  • CDP API Key ID — From the Coinbase Developer Platform.
  • CDP API Key Secret — The secret associated with your API key.
  • CDP Wallet Secret — A separate secret for wallet operations.

How to get credentials

  1. Go to the Coinbase Developer Platform.
  2. Create or select a project.
  3. Navigate to API Keys and create a new key with Agent Wallet permissions.
  4. Save the Key ID, Secret, and Wallet Secret securely.

CDP credentials are stored in ~/.sixerr/config.json (file permissions 0600). They are only used to initialize the signing client at startup.

Generate New Wallet

Creates a fresh Ethereum wallet with a random private key. The key is immediately encrypted using the password you provide.

How it works

  1. A cryptographically random private key is generated using viem/accounts.
  2. You enter a password (minimum 8 characters) and confirm it.
  3. The key is encrypted into a V3 keystore using scrypt (N=131072, r=8, p=1) and AES-128-CTR.
  4. The keystore is saved to ~/.sixerr/keystores/wallet.json with 0600 file permissions.

There is no password recovery mechanism. If you forget the password, you will need to run npm run setup again to create a new wallet. Any USDC in the old wallet address remains there.

Import Existing Key

Use a private key from an existing wallet (for example, exported from MetaMask).

How to export from MetaMask

  1. Open MetaMask and select the account.
  2. Go to Account Details (three-dot menu).
  3. Click Show Private Key and enter your MetaMask password.
  4. Copy the 0x-prefixed key (66 characters total).

The imported key is encrypted using the same V3 keystore format as locally generated wallets.

Security Notes

  • Private keys never leave the place they are held. For Coinbase wallets, keys never leave the Coinbase enclave. For local and imported wallets, keys stay on your machine and are scrypt-encrypted at rest.
  • The running plugin process does not have key access. It holds a signing function (a closure), not the raw private key bytes.
  • The wallet is only used for two operations: signing authentication challenges (EIP-191) and serving as the payment destination address.
  • Keystore files are permission-protected: 0600 (owner read/write only). The keystores directory is 0700.
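
A check of a local keystore against the settings stated above (scrypt N=131072, r=8, p=1, AES-128-CTR, file mode 0600, directory mode 0700). This is an added example, not Sixerr's own code; it assumes the standard V3 JSON field names, and `auditKeystore` and `demo` are hypothetical helpers that run on a constructed sample keystore in a temp directory.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Values documented on this page for local keystores.
const EXPECTED = { n: 131072, r: 8, p: 1, cipher: "aes-128-ctr" };

// Permission bits of a path (e.g. 0o600).
const modeOf = (p) => fs.statSync(p).mode & 0o777;

// Returns a list of findings; empty means the keystore matches the documented settings.
function auditKeystore(file) {
  const findings = [];
  if (modeOf(file) & 0o077)
    findings.push(`file mode ${modeOf(file).toString(8)} grants group/other access, expected 600`);
  if (modeOf(path.dirname(file)) & 0o077)
    findings.push(`directory mode ${modeOf(path.dirname(file)).toString(8)} grants group/other access, expected 700`);
  let ks;
  try { ks = JSON.parse(fs.readFileSync(file, "utf8")); }
  catch { return [...findings, "keystore is not valid JSON"]; }
  // Assumption: standard V3 layout; some writers capitalise the "Crypto" key.
  const c = ks && (ks.crypto || ks.Crypto);
  if (!c || ks.version !== 3) return [...findings, "not a V3 keystore"];
  if (c.cipher !== EXPECTED.cipher) findings.push(`cipher is ${c.cipher}, expected ${EXPECTED.cipher}`);
  if (c.kdf !== "scrypt") return [...findings, `kdf is ${c.kdf}, expected scrypt`];
  const kp = c.kdfparams || {};
  for (const k of ["n", "r", "p"])
    if (!(kp[k] >= EXPECTED[k])) findings.push(`scrypt ${k}=${kp[k]} is below documented ${EXPECTED[k]}`);
  return findings;
}

// Constructed sample (not a real wallet): writes a keystore to a temp dir and audits it.
function demo(n, fileMode) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "ks-"));
  fs.chmodSync(dir, 0o700);
  const file = path.join(dir, "wallet.json");
  const sample = { version: 3, crypto: { cipher: "aes-128-ctr", cipherparams: { iv: "00" },
    kdf: "scrypt", kdfparams: { n, r: 8, p: 1, dklen: 32, salt: "00" }, ciphertext: "00", mac: "00" } };
  fs.writeFileSync(file, JSON.stringify(sample));
  fs.chmodSync(file, fileMode);
  const findings = auditKeystore(file);
  fs.rmSync(dir, { recursive: true });
  return findings;
}

console.log(demo(131072, 0o600)); // documented settings
console.log(demo(4096, 0o644));   // weakened KDF cost and a group/world-readable file
```

To check a real installation, call `auditKeystore` with the path to `~/.sixerr/keystores/wallet.json` expanded to an absolute path.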