Developer CLI
Delegated signing from the terminal.
Log in as the wallet owner, import keys into an attested TEE signer, provision Agent Passports with Passport Policies, and hand off a one-time Passport Token to the agent runtime — all from one CLI.
Authenticate with passkey, import wallets, mint Agent Passports, manage policy.
One-time runtime credential that unlocks the local encrypted signing key.
Wallet secrets are encrypted locally and verified against the signer's attested build.
What it covers
The full delegated-signing path in six capabilities
From passkey login to policy-governed signing, each capability maps directly to a CLI command group.
Passkey-backed owner login
Start with kitepass login, complete browser approval, and keep the
Principal Account session encrypted under ~/.kitepass/.
Encrypted wallet import
Import EVM keys through an attestation-bound encrypted flow that verifies attestation metadata before ciphertext ever leaves the terminal.
Agent Passport provisioning
Generate an agent key locally, register the public key remotely, and receive a one-time Passport Token for runtime use.
Passport Policy lifecycle
Create, activate, inspect, and revoke policy boundaries that define what an Agent Passport can do.
Validation, signing, and broadcast
Validate the route first, sign locally with the decrypted agent key, then optionally broadcast through the relayer.
Operations and audit checks
Inspect operation status, enumerate audit events, and verify the audit chain from the same CLI surface.
Typical flow
Five steps from install to signed transaction
Each step on the left maps to the matching command block on the right.
Install and verify
Install Kitepass CLI from cli.kitepass.xyz and confirm the binary is available before touching owner credentials or wallets.
Log in as owner
Authenticate with passkey and store the Principal Account session locally as an encrypted envelope under ~/.kitepass/.
Import wallet and capture WALLET_ID
Verify signer attestation, encrypt the wallet secret to the attested Capsule runtime, and keep the returned wallet identifier for later policy and passport operations.
Create policy, create passport, export token, log out owner
Create and activate the Passport Policy, mint the Agent Passport, export the one-time Passport Token, and clear the owner session before handing off runtime use.
Sign with Passport Token
Use the Passport Token plus the stored local encrypted passport record to validate, sign, and optionally broadcast the delegated operation.
Quickstart
Complete delegated-signing path
This is the shortest end-to-end path that still includes owner login, wallet import, policy creation, Agent Passport provisioning, Passport Token export, and the final sign call.
curl -fsSL https://cli.kitepass.xyz/install.sh | sh
kitepass --versionkitepass loginTEST_EVM_PRIVATE_KEY="4f3edf983ac636a65a842ce7c78d9aa706d3b113bce036f9b0b7fcb7e7f6b4c7"
TEST_DESTINATION="0xf17f52151EbEF6C7334FAD080c5704D77216b732"
WALLET_JSON="$(printf '%s' "$TEST_EVM_PRIVATE_KEY" | kitepass --json wallet import --chain-family evm --name treasury)"
WALLET_ID="$(printf '%s' "$WALLET_JSON" | jq -r '.wallet_id')"
echo "wallet_id=${WALLET_ID}"POLICY_JSON="$(kitepass --json passport-policy create --wallet-id "$WALLET_ID" --allowed-chain eip155:8453 --allowed-action transaction --max-single-amount 100 --max-daily-amount 1000 --allowed-destination "$TEST_DESTINATION" --valid-for-hours 24)"
POLICY_ID="$(printf '%s' "$POLICY_JSON" | jq -r '.passport_policy_id')"
kitepass --json passport-policy activate --passport-policy-id "$POLICY_ID"
PASSPORT_JSON="$(kitepass --json passport create --wallet-id "$WALLET_ID" --passport-policy-id "$POLICY_ID")"
PASSPORT_ID="$(printf '%s' "$PASSPORT_JSON" | jq -r '.passport_id')"
export KITE_PASSPORT_TOKEN="$(printf '%s' "$PASSPORT_JSON" | jq -r '.passport_token')"
echo "passport_id=${PASSPORT_ID}"
kitepass --json logoutKITE_PASSPORT_TOKEN="$KITE_PASSPORT_TOKEN" kitepass --json sign --passport-id "$PASSPORT_ID" --wallet-id "$WALLET_ID" --chain-id eip155:8453 --signing-type transaction --payload 0xdeadbeef --destination "$TEST_DESTINATION" --value 10
This quickstart uses jq to extract IDs and the one-time Passport Token.
Wallet import currently supports the EVM chain family, signing modes require
KITE_PASSPORT_TOKEN, and the owner can log out immediately after step 4.
The sample values use a public Ganache test key and destination address, so they are
safe for demo flows only and must never hold real funds.
Command surface
Six command groups, one signing flow
Grouped around owner workflows, runtime signing, and operational visibility.
Identity
kitepass login / logout
Authenticate the owner via passkey device-code flow, then clear the local Principal Account session once provisioning is complete.
Wallets
wallet import / list / get / freeze / revoke
Import EVM keys into the attested TEE signer and manage wallet lifecycle.
Policies
passport-policy create / activate / deactivate / get
Define chain, amount, and destination boundaries that constrain the delegated signing authority.
Passports
passport create / list / get / freeze / revoke
Provision Agent Passports with bound wallet + policy, and rotate or revoke them.
Local keys
passport local list / delete
Inspect or delete local encrypted passport-key records without exposing plaintext signing keys.
Signing + Audit
sign / operations get / audit list / audit verify
Validate routing, sign with the agent key, broadcast via relayer, and verify the audit chain.
Security model
Separate the owner credential from the agent credential
The CLI keeps management-plane credentials and runtime credentials intentionally distinct so an autonomous agent does not inherit full owner authority.
Principal Account session
Used for wallet import, Agent Passport provisioning, and Passport Policy changes. Stored locally as an encrypted envelope plus a local decrypt secret.
Local encrypted passport key
The agent private key stays on disk only as an inline CryptoEnvelope inside
~/.kitepass/passports.toml.
One-time Passport Token
Contains passport_id plus a secret used only to unlock the local encrypted
passport record. The token itself is not stored on disk by the CLI.
Attested wallet import
The CLI checks attestation metadata, measurement profile data, and expected PCRs before encrypting wallet material for the signer.
Local state
Know exactly what lands in ~/.kitepass/
config.toml
API endpoint settings and the encrypted owner access-token envelope.
access-token.secret
The local secret used to decrypt the stored Principal Account session.
passports.toml
Encrypted local passport records with passport_id, public key metadata, and inline envelopes.
Operational guidance
Store the Passport Token in a secret manager immediately after creation. If the token is lost, revoke the Agent Passport and mint a new one.
Resources
Jump from the overview into the deeper docs
These are the manuals that back the website copy and the command examples above.
README
Install, end-to-end signing flow, local files, and troubleshooting.
ManualCLI manual
Production-facing commands for login, wallet import, policies, passports, and signing.
FlowPrincipal auth and Agent Passport flow
How the owner credential and runtime credential split across management and execution.
SecurityAgent security design
Passport Token format, local passport-record model, and runtime signing behavior.
CustodyWallet import security
Attestation-bound encryption, attestation discovery, and why wallet plaintext avoids the control plane.
EndpointDefault API
The CLI defaults to https://api.kitepass.xyz unless configured otherwise.
Ready to ship
Browser for approval. Terminal for everything else.
From passkey login to policy-governed signing — one inspectable path that preserves the Agent Passport trust boundary.