Delegation & protection

Delegation, mandates, preflight verification, Gator/ERC-7710, venue boundaries, audit trails, and fail-closed policy for CLI, MCP, and REST.

Thirdfy governs who may act and whether each action is allowed before wallets sign or venues accept orders. Delegation scopes, custody modes, venue readiness, and policy checks apply whether you integrate via CLI, MCP, or REST.

Start here (most builders)

If you are building your own agent (solo automation, not fan-out to thousands of user wallets), use agent_wallet + email login. This is the simplest production path. No Creator Platform signup required to receive an agent API key.

Step	What happens
1	Email OTP — CLI `thirdfy-agent login email` (two steps) or MCP `startEmailOnboarding` / `completeEmailOnboarding`
2	Thirdfy bootstraps agent API key, owner session, and managed execution wallets (`executionWallets` / `agentWalletBootstrap`)
3	Fund the execution wallet for your venue (Base USDC, Arbitrum for Hyperliquid Bridge2, etc.)
4	`preflight` → execute with `runMode=agent_wallet`

No MetaMask EIP-712 delegation grant on this lane. Email proves agent ownership; Thirdfy still runs preflight, credits, and policy before every write.

Optional: Creator Platform or MCP agentRegister for directory profile, skills packages, and gauge review. Not required for first execution.

Path	MetaMask EIP-712?	Typical first-time setup
`agent_wallet` + email	No	~30–60 minutes (register, login, fund, first preflight)
Gator / ERC-7710	Yes (delegation grant)	~1–2 hours (grant sign + activate + venue setup)
execute-intent fanout	Per subscriber	Publisher setup + subscriber mandates

Walkthrough: Quick start — simplest dev path. CLI: Authentication. MCP: Onboarding.

Which model should I use?

Pick the lane that matches your use case. For solo agent_wallet + email (no MetaMask grant), use Start here (most builders). Use the chart below when you need user wallet delegation, fan-out, or a venue-specific signer.

flowchart TD
  A["What are you building?"] --> U{"Primary use case"}
  U -->|"Solo agent you run"| AW["agent_wallet + email login"]
  U -->|"User external wallet"| B{"Venue or chain"}
  U -->|"Many delegated subscribers"| G["execute-intent + mandates"]
  B -->|"EVM swap, earn, bridge"| C["Gator / ERC-7710"]
  B -->|"Hyperliquid perps"| D["HL API wallet + fund execution wallet"]
  B -->|"Polymarket orders"| E["Privy signer + CLOB credentials"]
  B -->|"CEX e.g. Bitfinex"| F["credentialRef API keys"]
  AW --> H["preflight, then walletExecute or run"]
  C --> H
  D --> H
  E --> H
  F --> H
  G --> H

If your lane is…	Delegation / signer model	Read first
Solo agent (start here)	`agent_wallet` + email login. Managed execution wallet	Start here (most builders)
EVM on Base (user wallet)	Gator-compatible ERC-7710 caveats on generated calldata	Gator lifecycle
Hyperliquid perps	Off-chain API wallet. Fund execution wallet for Bridge2. Not ERC-7710 for orders	Venue boundaries
Polymarket	Privy signer + encrypted CLOB credentials. Not ERC-7710 for orders	Integrations: Polymarket
Many subscribers	Mandate + execute-intent fanout	Execute intents

Why delegation for autonomous agents

Autonomous agents need bounded authority to act on user capital. Users retain custody. Thirdfy validates every intent before execution. The same model applies when a human delegates to an agent and when a publisher agent fans out actions to many delegated subscribers through execute-intent.

Without delegation and policy:

Agents could not scale to thousands of delegated wallets safely.
Users could not revoke or time-limit authority.
Venues with different signer models (EVM, perps API wallet, CLOB) would not have a single governance layer.

Delegation establishes permission. Preflight and the policy engine enforce it on every write.

Two layers of protection

Layer	What it controls	Thirdfy surface
Permission	Who may act, for how long, on which venues	Delegation grants, mandates, revocation
Per-action verification	Whether this specific action is allowed right now	`preflight`, directory preflight, execute gates

Hosted platforms such as EarnClaw, a separate hosted agent platform that integrates with Thirdfy for execution, may add a third layer before production launch: template evals and launch validation on the EarnClaw side. A production-ready agent can still fail Thirdfy preflight on a bad trade. Verification at launch and verification per action are complementary.

From intent to execution

Every write follows the same governance lifecycle:

Phase	What happens	CLI / MCP / REST
Proposal	Agent submits action name and params	`run`, `executeIntent`, `walletExecute`, `agentRun`
Verification	Thirdfy checks delegation, mandate, credits, venue readiness, catalog	`preflight`, directory `preflight`
Authorization	Active binding and policy must cover the action	Gator caveats, `runMode` lane, mandate match
Execution	Broadcast, sponsor gas, bill credits, record outcome	`run`, execute paths after gates pass

Agents reason in natural language but broadcast structured transactions. The risk is mismatch: wrong token, wrong amount, unintended route, or missing venue setup. Thirdfy blocks before sign or broadcast when policy or readiness fails.

Independent governance gate

The agent's model proposes. Thirdfy API validates. The runtime does not approve its own writes.

Hosted runtimes on EarnClaw (and similar partner platforms) run their own schedule and decision loop. EarnClaw hosts the agent; adapters call Thirdfy preflight and execute for each write. The runtime does not self-check policy.
CLI and MCP are connectors. Policy, delegation, and credits live in the Thirdfy API, not in your agent repository.
Fail-closed by default. If verification fails, nothing broadcasts.

Where Thirdfy fits


┌──────────────────────────────────────────────────────────────────────────────┐
│     SECURITY — Thirdfy as Governance Layer Between Agents and Capital        │
└──────────────────────────────────────────────────────────────────────────────┘

  ┌──────────────────┐     ┌──────────────────┐     ┌──────────────────┐
  │   DEVELOPERS     │     │     THIRDFY      │     │  USERS &         │
  │   (Agent         │────▶│  GOVERNANCE      │────▶│  ENTERPRISES     │
  │   Creators)      │     │  LAYER           │     │  (Delegated)     │
  │                  │     │                  │     │                  │
  │  Submit intents  │     │  • Validate      │     │  Delegate,       │
  │                  │     │  • Enforce policy│     │  set mandates,   │
  │                  │     │  • Audit trail   │     │  execute         │
  └──────────────────┘     └──────────────────┘     └──────────────────┘
         │                            │
         │     No intent reaches      │
         │     users without          │
         └────► validation ◄──────────┘

Intent-based security

We verify what actions are allowed, not just who holds keys. Thirdfy inserts a runtime policy enforcement layer between agents and financial infrastructure.

Every intent validated before execution. The policy engine evaluates against mandate and policy. Compliant means authorized. Not compliant means rejected.
Verifiable enforcement records. Every authorization decision produces a traceable event.
Mandates. Programmable policies for capital allocation, counterparties, timing, and execution parameters.

Thirdfy validates action params, policy, and mandate. It does not replace your own strategy review of what the agent was asked to do in natural language.

Signing moments

What does the user sign? Depends on execution mode:

Mode	User signs	Format
Non-custodial (ERC-7710 / Gator)	Delegation grant (scope, expiry)	EIP-712 typed message
Execution (per intent)	On-chain transaction	Signed tx (user wallet or custody platform)

For non-custodial flows: users sign an EIP-712 delegation message to authorize an agent within scope and time limits. At execution time, the wallet signs the actual on-chain transaction. Thirdfy never holds signing keys.

Delegation modes

Mode	Description
x402 custodial	Thirdfy-managed. Credits and execution flow through Thirdfy infrastructure.
Non-custodial (ERC-7710 / Gator)	User holds keys. Delegation is scoped and time-limited via supported wallets. Status: active, expired, revoked.

Gator and ERC-7710 lifecycle

Thirdfy uses a Gator-compatible ERC-7710 delegation model (delegationModel=gator_erc7710) for external wallet authority:

delegation create — API builds a Gator-style payload with erc20PeriodTransfer caveats for the owner wallet to sign.
Wallet sign — Owner signs with MetaMask or another supported wallet. Private keys never leave the wallet.
delegation activate — Persists the signed delegation, manager, executor/session account, expiry, and permission metadata.
delegation inspect / balance — Shows status, expiry, revocation, executor, and remaining period allowance.
Execute — hybrid, thirdfy, or compatible paths run only when the active binding and on-chain caveats cover the requested action.

Wallet sign step (EIP-712). Steps 1–2 produce a delegation payload; the wallet owner must sign in MetaMask (or another supported wallet) before delegation activate. There is no way to skip this for non-custodial Gator flows. Plan for a human or operator with wallet access. If your team has never used a wallet, budget extra time for this step.

CLI vs MCP: thirdfy-agent delegation create → wallet sign → delegation activate is one shell flow. MCP uses separate tools (delegationCreate, delegationActivate, etc.). See MCP execution tools.

CLI alias: delegation grant maps to the create/sign/activate flow.

Surface	Tools
CLI	`thirdfy-agent delegation create`, `activate`, `status`, `inspect`, `balance`, `redeem`, `revoke`
MCP	`delegationCreate`, `delegationActivate`, `delegationStatus`, `delegationInspect`, `delegationBalance`, `delegationRedeem`, `delegationRevoke`
REST	See Delegation API

Full command reference: Agent CLI reference.

MetaMask integration

Thirdfy supports MetaMask Smart Accounts and scoped wallet permissions for production delegation flows. The Jeff Agent with MetaMask pilot validated end-to-end authorize flows: users grant scoped delegation, agents execute under policy, and users can revoke.

Wallet apps vs API: Consumer wallets may request permissions through ERC-7715-style smart account kits. The Thirdfy API exposes Gator/ERC-7710 delegation payloads for create, activate, and verify. Both aim at scoped, time-limited authority without Thirdfy holding user keys.

Operators: How to Hire an Agent. Builders: CLI walkthrough below and Delegation and JSON.

Execution lanes (`runMode`)

Mode	When to use	Typical gate
`self`	User or agent signs with their own keys	`getSelfReadiness`; delegation optional depending on action
`hybrid` / `thirdfy`	Thirdfy-mediated or hybrid custody flows	`delegationStatus` and mandate checks
`agent_wallet`	Agent-owned execution wallet at the API	`agentWalletBootstrap` + funding checks before writes

agent_wallet is not a delegated user flow. When runMode is agent_wallet and the identity is agent-owned, the API executes from the agent wallet and bypasses subscription/delegation binding checks. Policy, credits, and funding gates still apply.

Approval patterns

Pattern	Typical `runMode`	Who signs after preflight passes
User reviews each execution	`self`	User wallet signs the transaction
Agent executes under policy	`agent_wallet`, delegated `hybrid` / `thirdfy`	Managed agent wallet or delegated executor
User grants scope once, agent acts within mandate	Gator + `hybrid` / `thirdfy`	Executor within caveats; preflight on every action

Fanout and directory checks

Publisher fanout. One registered agent can act for many delegated subscribers under mandate. See Execute intents for the execute-intent model.

Directory readiness. Apps and operators should call authenticated directory routes (readiness, delegation-status, preflight) before showing execute controls. The API resolves agentApiKey server-side in validation-only lanes so browsers never need agent secrets.

Venue-specific delegation boundaries

Domain	Delegation model
EVM swaps, earn, approvals	Gator/ERC-7710 caveats must cover generated calldata
Hyperliquid perps	Off-chain API wallet signer. Not ERC-7710. Bridge/funding may use Gator on EVM.
Polymarket CLOB	Privy signer + encrypted CLOB credentials. Not ERC-7710 for orders.
CEX (Bitfinex)	API keys stored in Thirdfy API (`credentialRef`). Separate from Gator.

Details per venue: Integrations.

Before broadcast (on-chain writes)

For EVM spot and earn paths, Thirdfy applies additional safety before sponsored broadcast:

Quote broadly, execute narrowly. Compare routes, then build only the best executable path for the current chain, wallet mode, and provider.
Simulation where possible. Read-only eth_call or gas estimation before handing calldata to the wallet when the provider supports it.
Unknown providers fail closed. Actions must be registered in the capability matrix for the target chain and execution mode.

Off-chain venues (Hyperliquid, Polymarket, CEX) use credential resolution, readiness, policy profiles, and venue-specific setup checks instead of Gator calldata redemption.

Mandates and policy engine

Mandates are user-defined policies that govern what actions an agent can perform. When you delegate, you set a mandate. Every intent is validated against it.

Agent submits intent.
Policy engine evaluates against mandate and protocol constraints.
Compliant = authorized. Intent fans out or executes.
Not compliant = rejected. No execution.

You can control capital allocation, counterparties, timing, and execution parameters.

Revocation

Users can revoke delegation at any time. Revocation stops future authorizations. Pending executions (tx not yet signed) are cancelled. Transactions already broadcast complete. Every revocation is recorded for audit.

CLI walkthrough

Typical delegated execution sequence:

thirdfy-agent delegation create --json ...
# User signs EIP-712 grant in wallet
thirdfy-agent delegation activate --json ...
thirdfy-agent preflight --json ...
thirdfy-agent run --json ...
thirdfy-agent intent-status --intent-id <id> --json

See Delegation and JSON for automation details.

Custody boundary

Does Thirdfy custody assets? No. Thirdfy never holds user funds in a pooled account.

Funds sit in user-owned wallets. For x402 custodial flows, funds sit in a per-user provider wallet the user owns. Thirdfy validates intents; the key holder executes.

Venue readiness

Do this before your first live write, not after a runtime failure.

Pick the provider from Integrations (Hyperliquid, Polymarket, Morpho, etc.).
List prerequisites with MCP getProviderActions or CLI thirdfy-agent actions --json for that provider and chain.
Run preflight validation-only with the action you plan to execute.
Complete setup (allowances, Bridge2 funding, CLOB credentials, CEX keys) per the venue page.

Surface	Command / tool
CLI	`thirdfy-agent actions --json` then `thirdfy-agent preflight --json`
MCP	`getProviderActions`, then preflight or readiness tools
REST	`GET /api/v1/agent/actions/catalog` and directory preflight routes

Trading, yield, prediction, and CEX actions each have different setup. The catalog and provider tools are the source of truth for prerequisites.

Fail-closed policy

If identity, delegation, policy, or catalog validation fails, writes block with explicit reasons. Reads that are allowlisted for anonymous or bootstrap modes remain constrained by tool authProfile.

What preflight checks

Category	Examples
Identity and lane	`runMode`, agent vs subscriber context
Delegation	Binding active, not revoked or expired, caveats cover the action
Mandate and policy	Amounts, allowlists, counterparties, timing
Wallet and funding	Balances, allowances, venue funding (Bridge2, CLOB setup, etc.)
Catalog and capability	Action allowed for provider, chain, and execution mode
Credits and quotas	Billing identity, sponsorship eligibility

Use thirdfy-agent preflight --json, MCP preflight tools, or directory preflight for validation-only runs before live writes.

Common blocker families

Family	What it usually means	What to do
Delegation	Missing, expired, or revoked grant	Create, activate, or renew delegation
Funding	Wrong wallet funded or insufficient balance	Fund the execution wallet; check venue-specific paths
Venue setup	Credentials, geoblock, or allowances incomplete	Follow Integrations hub setup for that venue
Policy	Mandate or allowlist violation	Adjust mandate or choose a permitted action
Capability	Action not supported on this chain or lane	Check catalog and `runMode` for the provider

Audit and traceability

Thirdfy records authorization decisions across the stack:

Delegation lifecycle. Create, activate, inspect, revoke events and binding status.
Preflight outcomes. Validation-only runs before writes (CLI, MCP, directory).
Execution and credits. Completed actions with provider attribution on credit debits.
Fanout context. Subscriber scope on execute-intent when a publisher acts for many wallets.

Use these records for operator review, support, and compliance workflows.

Security

Thirdfy does not custody or control user funds. Our security model focuses on protecting delegation permissions, policy enforcement, API integrity, and system availability.

User and agent wallets hold keys. Thirdfy validates intents and routes execution when policy allows.
Delegation grants are scoped and revocable. Preflight fails closed when binding or mandate checks fail.
API keys, agent credentials, and venue secrets are handled per product auth docs. Do not embed secrets in agent repos.

Report issues: security@thirdfy.com or Discord.

Service uptime

Thirdfy targets 99.9% monthly uptime for MCP services and public APIs, excluding scheduled maintenance. Uptime is measured as successful API request availability from independent monitoring endpoints. Service credits or other remedies for SLA breaches are defined in enterprise agreements for affected customers.

Best practices

Scope delegation. Use time-limited, action-scoped mandates.
Preflight before writes. Run validation-only checks in CI and before production cron cycles.
Review allowlists. Ensure agent actions match your risk tolerance.
Monitor activity. Check execution history, credit usage, and delegation status.

Claude Managed Agents

Connect Thirdfy MCP to Anthropic Claude Managed Agents. Create the agent in Claude Console, then discover and execute via MCP tools.

Help and glossary

Short FAQ and terms for integrating with Thirdfy via Agent CLI or MCP.