Skip to main content
This guide covers the key implementation decisions for giving AI agents secure access to company wallets, then walks through provisioning an agent end-to-end: creating a scoped wallet, assigning a non-root agent user, and defining policies that constrain exactly what the agent can sign. For basic signing, start with the Quickstart.

Turnkey agent skills

Agent Skills let you operate on Turnkey directly through an AI assistant, no application code required. The agent provisioning workflow skill lets you quickly create a wallet scoped for agent usage through your AI assistant. You can then equip your agent with skills so it can autonomously operate within the boundaries you’ve configured.

Agent personas

Turnkey supports different agent roles through policy composition: These personas can be composed for multi-agent systems. For example, a worker agent proposes trades, an approver agent validates them against risk models, and a human admin retains override authority for high-value actions.

Key implementation decisions

Example: autonomous trading agent

An AI agent that analyzes market data and executes trades on a DEX needs scoped signing authority: it should only be able to call specific router functions on approved contracts, with spending limits and human oversight for large trades.

Implementation steps

The agent provisioning skill can run this entire workflow for you through an AI assistant. Use the steps below if you prefer to implement it manually.
This guide assumes you’ve completed the Quickstart and have a Turnkey client initialized with your root credentials. The agent will get its own separate credentials.
1

Create a wallet for the agent

Create a dedicated wallet scoped to the agent’s needs. Always check for existing wallets first to avoid creating duplicates.
2

Create a non-root agent user

The agent gets its own user with an API key pair. This user is non-root by default, meaning it has zero permissions until you explicitly create policies.Generate a key pair for the agent (the private key never touches Turnkey):
Then create a user tag and the agent user. userTags takes tag IDs (UUIDs), not string labels, so create the tag first:
Never create agents as root users. Root users bypass the policy engine entirely. Always use non-root users with explicit ALLOW policies.
3

Define scoped policies

With the agent user and wallet created, define policies that scope exactly what the agent can do. Turnkey is default-deny: without an ALLOW policy, the agent cannot sign anything.Base signing policy (scoped to the agent’s wallet):
Destination allowlist (restrict to a specific DEX router):
Spending cap (limit per-transaction value):
Multi-party consensus for large trades:
4

Verify and deploy

Test the agent’s credentials by initializing a client with the agent’s key pair and verifying access:
Store the agent’s credentials in your secrets manager:
Never output or log root credentials alongside agent credentials. The agent should only ever have its own key pair.

Next steps