K Kite Agent Passport Kitepass CLI

Developer CLI

Delegated signing from the terminal.

Log in as the wallet owner, import keys into an attested TEE signer, provision Agent Passports with Passport Policies, and hand off a one-time Passport Token to the agent runtime — all from one CLI.

Passkey login TEE wallet import Agent Passport provisioning Policy-governed signing
Start the flow Open README
Owner plane Principal Account

Authenticate with passkey, import wallets, mint Agent Passports, manage policy.

Agent plane Passport Token

One-time runtime credential that unlocks the local encrypted signing key.

Trust boundary HPKE + Attestation

Wallet secrets are encrypted locally and verified against the signer's attested build.

What it covers

The full delegated-signing path in six capabilities

From passkey login to policy-governed signing, each capability maps directly to a CLI command group.

Authentication

Passkey-backed owner login

Start with kitepass login, complete browser approval, and keep the Principal Account session encrypted under ~/.kitepass/.

Wallet custody

Encrypted wallet import

Import EVM keys through an HPKE-based flow that verifies attestation metadata before ciphertext ever leaves the terminal.

Delegation

Agent Passport provisioning

Generate an agent key locally, register the public key remotely, and receive a one-time Passport Token for runtime use.

Control plane

Passport Policy lifecycle

Create, activate, inspect, and revoke policy boundaries that define what an Agent Passport can do.

Runtime

Validation, signing, and broadcast

Validate the route first, sign locally with the decrypted agent key, then optionally broadcast through the relayer.

Auditability

Operations and audit checks

Inspect operation status, enumerate audit events, and verify the audit chain from the same CLI surface.

Typical flow

Five steps from install to signed transaction

Each step on the left maps to the matching command block on the right.

01

Install and verify

Install Kitepass CLI from cli.kitepass.xyz and confirm the binary is available before touching owner credentials or wallets.

02

Log in as owner

Authenticate with passkey and store the Principal Account session locally as an encrypted envelope under ~/.kitepass/.

03

Import wallet and capture WALLET_ID

Verify signer attestation, HPKE-encrypt the wallet secret, and keep the returned wallet identifier for later policy and passport operations.

04

Create policy, create passport, export token

Create and activate the Passport Policy, mint the Agent Passport bound to that wallet, and hand off the one-time Passport Token through your runtime secret path.

05

Sign with Passport Token

Use the Passport Token plus the stored local encrypted profile to validate, sign, and optionally broadcast the delegated operation.

Quickstart

Complete delegated-signing path

This is the shortest end-to-end path that still includes owner login, wallet import, policy creation, Agent Passport provisioning, Passport Token export, and the final sign call.

1. Install and verify 
curl -fsSL https://cli.kitepass.xyz/install.sh | sh
kitepass --version
2. Log in as owner 
kitepass login
3. Import wallet and capture WALLET_ID 
WALLET_JSON="$(printf '\n' | kitepass --json wallet import --chain-family evm --name treasury)"
WALLET_ID="$(printf '%s' "$WALLET_JSON" | jq -r '.wallet_id')"
echo "wallet_id=${WALLET_ID}"
4. Create policy, create passport, export token 
POLICY_JSON="$(kitepass --json passport-policy create --wallet-id "$WALLET_ID" --allowed-chain eip155:8453 --allowed-action transaction --max-single-amount 100 --max-daily-amount 1000 --allowed-destination 0xabc --valid-for-hours 24)"
POLICY_ID="$(printf '%s' "$POLICY_JSON" | jq -r '.passport_policy_id')"
kitepass --json passport-policy activate --passport-policy-id "$POLICY_ID"

PASSPORT_JSON="$(kitepass --json passport create --name trading-bot --wallet-id "$WALLET_ID" --passport-policy-id "$POLICY_ID")"
PASSPORT_ID="$(printf '%s' "$PASSPORT_JSON" | jq -r '.passport_id')"
export KITE_PASSPORT_TOKEN="$(printf '%s' "$PASSPORT_JSON" | jq -r '.passport_token')"

echo "passport_id=${PASSPORT_ID}"
5. Sign with Passport Token 
KITE_PASSPORT_TOKEN="$KITE_PASSPORT_TOKEN" kitepass --json sign --passport-id "$PASSPORT_ID" --wallet-id "$WALLET_ID" --chain-id eip155:8453 --signing-type transaction --payload 0xdeadbeef --destination 0xabc --value 10

This quickstart uses jq to extract IDs and the one-time Passport Token. Wallet import currently supports the EVM chain family, and signing modes require KITE_PASSPORT_TOKEN.

Command surface

Six command groups, one signing flow

Grouped around owner workflows, runtime signing, and operational visibility.

Identity

kitepass login

Authenticate the owner via passkey device-code flow and bootstrap the local Principal Account session.

Wallets

wallet import / list / get / freeze / revoke

Import EVM keys into the attested TEE signer and manage wallet lifecycle.

Policies

passport-policy create / activate / deactivate / get

Define chain, amount, and destination boundaries that constrain the delegated signing authority.

Passports

passport create / list / get / freeze / revoke

Provision Agent Passports with bound wallet + policy, and rotate or revoke them.

Profiles

profile list / use / delete

Switch between local encrypted agent profiles without exposing plaintext keys.

Signing + Audit

sign / operations get / audit list / audit verify

Validate routing, sign with the agent key, broadcast via relayer, and verify the audit chain.

Security model

Separate the owner credential from the agent credential

The CLI keeps management-plane credentials and runtime credentials intentionally distinct so an autonomous agent does not inherit full owner authority.

Principal Account session

Used for wallet import, Agent Passport provisioning, and Passport Policy changes. Stored locally as an encrypted envelope plus a local decrypt secret.

Local encrypted agent profile

The agent private key stays on disk only as an inline CryptoEnvelope inside ~/.kitepass/agents.toml.

One-time Passport Token

Contains passport_id plus a secret used only to unlock the local encrypted profile. The token itself is not stored on disk by the CLI.

Attested wallet import

The CLI checks attestation metadata, measurement profile data, and expected PCRs before encrypting wallet material for the signer.

Local state

Know exactly what lands in ~/.kitepass/

config.toml

API endpoint settings and the encrypted owner access-token envelope.

access-token.secret

The local secret used to decrypt the stored Principal Account session.

agents.toml

Encrypted agent profiles with passport_id, public key metadata, and inline envelopes.

Operational guidance

Store the Passport Token in a secret manager immediately after creation. If the token is lost, revoke the Agent Passport and mint a new one.

Resources

Jump from the overview into the deeper docs

These are the manuals that back the website copy and the command examples above.

Start here

README

Install, end-to-end signing flow, local files, and troubleshooting.

 Manual

CLI manual

Production-facing commands for login, wallet import, policies, passports, and signing.

 Flow

Principal auth and Agent Passport flow

How the owner credential and runtime credential split across management and execution.

 Security

Agent security design

Passport Token format, encrypted profile model, and local signing behavior.

 Custody

Wallet import security

HPKE, attestation discovery, and why wallet plaintext avoids the control plane.

 Endpoint

Default API

The CLI defaults to https://api.kitepass.xyz unless configured otherwise.

Ready to ship

Browser for approval. Terminal for everything else.

From passkey login to policy-governed signing — one inspectable path that preserves the Agent Passport trust boundary.

Read the manual Back to top