A wallet for humans and AI agents — the 369wallet Agent layer enters beta
369wallet is rolling out an Agent layer that treats AI agents as full participants on the same self-custodial infrastructure as human users — signing primitives, on-chain identity, and scoped, revocable session grants. Now in beta.
The 369wallet team is opening early access to the Agent Wallet, the part of the product that lets AI agents act on-chain the same way a human user does. It is not a side feature. The agent layer sits on the same self-custodial foundation as the rest of the wallet, exposing the same primitives — signing, identity, and balance — to a second class of caller.
You can read the full product brief on the Agent page on 369wallet.xyz. This post is the news-side companion: what it is, why we designed it the way we did, and where it sits in the broader 369wallet thesis.
Why this isn't an "AI feature"
It would have been easy to bolt an AI assistant onto the wallet UI — a chat bubble that proposes a swap, a button that summarizes your portfolio. That is not what we built. The Agent layer is something different: infrastructure for autonomous agents to be wallet users in their own right.
If you think of the wallet as the seat from which on-chain actions originate — the framing we laid out in our last Perspectives piece — then the question becomes natural. Why should that seat be reserved for a human? An AI agent has the same need: a key, an identity, a permission boundary, the ability to settle transactions across chains. 369wallet's design treats humans and agents as parallel users of the same surface.
What the Agent layer is
- A signing layer. Agents can request signatures across the same multi-chain footprint the wallet already supports — 30+ networks including Ethereum, Solana, Bitcoin, and Aptos. The key stays on the user's device. The agent never holds it.
- On-chain identity. Each agent gets a DID — a decentralized identifier registered on supported chains — so the agent's actions are attributable and its declared capabilities are public.
- Scoped session grants. Permissions are explicit and narrow by design: an agent receives a session that defines which actions it can take, up to what amount, and for how long. Examples: swap only, max 50 USDC, 1-hour expiry. Sessions are revocable at any moment from the user side.
- Programmable payments. Native support for the HTTP 402 (x402) "payment required" pattern, with automated USDC settlement, so agent-to-agent or agent-to-API payment flows do not need a separate billing rail.
- SDK + standards. A typed TypeScript SDK, MCP-compatible surface, and a community-extendable skills registry so the agent's capabilities can grow without forking the core.
How safety actually works here
The hardest part of any agent system is permissions. The default temptation is to give the agent full custody — a service-side key, a server-side API. We refused that path. The Agent layer is designed so the safety boundary is the same self-custodial boundary the human user already lives behind:
- Keys never leave the device. Signing happens locally for both human and agent calls.
- Every agent session is a finite-scoped grant. No catch-all permissions; no implicit access.
- Every action carries an ECDSA-signed identity attestation, so the chain of authorization is auditable.
- Revocation is instant. A bad session ends the moment the user kills it.
The result: an agent that's powerful enough to be useful, narrow enough to be safe, and constructed so the user never has to trust a custodial intermediary to make either property hold.
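The grant check described above, as an added example that is not 369wallet's code or SDK: a device-side policy function that evaluates the page's sample grant (swap only, max 50 USDC, 1-hour expiry) before anything is signed. All type and function names are hypothetical, and treating the cap as a cumulative total in integer base units is an assumption.

```typescript
// Added illustration: hypothetical types and names, not the 369wallet SDK.
// Only value-moving actions are modelled here.
type Action = "swap" | "stake" | "unstake" | "transfer" | "pay";

interface SessionGrant {
  agentDid: string;        // constructed placeholder identifier
  actions: Action[];       // explicit allow-list; anything absent is denied
  asset: string;           // asset the value cap is denominated in
  capBaseUnits: number;    // integer base units: 50 USDC = 50_000_000 (6 decimals)
  spentBaseUnits: number;  // running total (assumption: the cap is cumulative)
  expiresAtMs: number;
  revoked: boolean;        // flipped from the user side
}

interface SignRequest {
  agentDid: string;
  action: Action;
  asset: string;
  amountBaseUnits: number;
}

interface Decision { allow: boolean; reason: string }

// Runs on the device before any signature is produced. Deny by default.
function authorize(grant: SessionGrant, req: SignRequest, nowMs: number): Decision {
  const deny = (reason: string): Decision => ({ allow: false, reason });
  const amt = req.amountBaseUnits;
  if (grant.revoked) return deny("revoked");
  if (nowMs >= grant.expiresAtMs) return deny("expired");
  if (req.agentDid !== grant.agentDid) return deny("wrong-agent");
  if (grant.actions.indexOf(req.action) === -1) return deny("action-not-granted");
  if (req.asset !== grant.asset) return deny("asset-not-granted");
  // Reject NaN, fractions, zero and negatives so the cap cannot be bypassed.
  if (!isFinite(amt) || Math.floor(amt) !== amt || amt <= 0) return deny("invalid-amount");
  if (grant.spentBaseUnits + amt > grant.capBaseUnits) return deny("cap-exceeded");
  grant.spentBaseUnits += amt; // record spend only after every check passes
  return { allow: true, reason: "ok" };
}

// The page's example grant: swap only, max 50 USDC, 1-hour expiry.
function exampleGrant(issuedAtMs: number): SessionGrant {
  return {
    agentDid: "did:example:agent-1", actions: ["swap"], asset: "USDC",
    capBaseUnits: 50_000_000, spentBaseUnits: 0,
    expiresAtMs: issuedAtMs + 60 * 60 * 1000, revoked: false,
  };
}
```

Checking revocation and expiry before anything else means a killed or stale session is refused regardless of what the request contains.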
What an agent built on this can actually do
The same wallet primitives we've been shipping for human users now compose into agent workflows:
- Swap and route. Across the multi-chain footprint, via the same DEX-aggregator paths.
- Stake and unstake. Where supported.
- Transfer. Send and receive on behalf of the user, within the session's value cap.
- Pay. Settle payments via x402 without a separate processor.
- Query. Read balances, transaction history, portfolio state — the same view the user has.
Anything the wallet can do, a properly-scoped agent can do — within the limits the user set.
Where this lives in the 369wallet picture
Pieces are starting to click into place. 1inch routing gave us the swap layer. Transak gave us fiat in/out. Ondo Global Markets opened tokenized stocks and ETFs. predict.fun opened prediction-market exposure. All of those were built for humans first — and all of them are now reachable, from inside a single self-custodial wallet, by any caller who satisfies the permission boundary.
That "any caller" is what changes with the Agent layer. The wallet becomes a true two-sided surface: humans on one side, agents on the other, the same actions available to both, the same self-custody guarantee covering both.
Status
The Agent Wallet is in active beta. Early access is gated through the signup on the /en/agent page on 369wallet.xyz. APIs, package names, and supported chains may shift before general availability — beta semantics, plainly stated.
If you are building autonomous on-chain agents and want to wire 369wallet as your signing-and-identity layer, that page is the entry point. If you would rather wait for GA, we will publish each milestone here as it lands.
"The wallet was never going to belong only to humans. The same key, the same identity, the same scoped boundary — both sides of the surface, equal." — 369wallet team
— The 369wallet team