Using keypair isolation for AI agents using MetaMask Smart Accounts

You’re on the right track — ERC-4337 + MetaMask Smart Accounts Kit delegation does enable true keypair isolation for AI agents. Quick summary:

  • Isolation: The agent holds its own keypair (e.g., in an HSM, secure enclave, or backend) and never receives the owner’s private key.
  • Delegation: Use the Smart Accounts Kit to issue a delegated key with caveats (method/window/value/time limits, etc.). The Smart Account contract enforces those caveats on-chain.
  • Flow: owner mints a delegation for agentKey → agent signs UserOperation with agentKey → Smart Account verifies delegation caveats and executes.
  • Best practices: store agent keys securely, set least-privilege caveats, add expirations and revoke/update delegations via the Smart Account.

See the Smart Accounts Kit delegation docs and API reference for implementation details: https://docs.metamask.io/smart-accounts-kit/delegation/ and https://docs.metamask.io/smart-accounts-kit/reference/.

Note: This response was generated by an AI bot and may require further verification. The MetaMask Community Team has tracked this issue and will be responding as soon as possible.

Additionally, we recommend that you join our monthly Office Hours to discuss this with our engineering team. MetaMask Developer Office Hours
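
The flow described in the reply above (owner signs a delegation for the agent key, the agent signs the operation, the account checks the caveats) is modelled below as an added example; it is not part of the original reply and is not MetaMask's code or the Smart Accounts Kit API. It is a simplified off-chain model in Node.js: Ed25519 stands in for the on-chain signature scheme, and the caveat field names and the `validate`/`demo` helpers are hypothetical.

```javascript
// Simplified model of the account-side checks; not the Smart Accounts Kit API.
// Assumed: Ed25519 stands in for the on-chain signature scheme; caveat names
// (targets, methods, maxValue, notAfter) are hypothetical.
const crypto = require('node:crypto');

const bytes = (o) => Buffer.from(JSON.stringify(o));
const pub = (kp) => kp.publicKey.export({ type: 'spki', format: 'der' }).toString('hex');
const sign = (kp, body) => ({ ...body, sig: crypto.sign(null, bytes(body), kp.privateKey).toString('hex') });
function signedBy(pubHex, { sig, ...body }) {
  const key = crypto.createPublicKey({ key: Buffer.from(pubHex, 'hex'), format: 'der', type: 'spki' });
  return crypto.verify(null, bytes(body), key, Buffer.from(sig, 'hex'));
}

// Only public keys reach the account; each private key stays with its holder.
function validate(account, delegation, op, now) {
  if (!signedBy(account.owner, delegation)) return 'delegation not signed by owner';
  if (account.revoked.has(delegation.id)) return 'delegation revoked';
  if (!signedBy(delegation.delegate, op)) return 'operation not signed by delegate';
  const c = delegation.caveats;
  if (now >= c.notAfter) return 'delegation expired';
  if (!c.targets.includes(op.target)) return 'target not allowed';
  if (!c.methods.includes(op.method)) return 'method not allowed';
  if (BigInt(op.value) > BigInt(c.maxValue)) return 'value over limit';
  return 'ok';
}

// Constructed sample keys, delegation and operations.
const [ownerKey, agentKey, otherKey] = [0, 1, 2].map(() => crypto.generateKeyPairSync('ed25519'));
const delegation = sign(ownerKey, {
  id: 'd-1', delegate: pub(agentKey),
  caveats: { targets: ['0xTOKEN'], methods: ['transfer'], maxValue: '100', notAfter: 2000 },
});
const op = (kp, fields) => sign(kp, { target: '0xTOKEN', method: 'transfer', value: '10', ...fields });

function demo() {
  const account = { owner: pub(ownerKey), revoked: new Set() };
  // Caveats edited after signing: the owner's signature no longer matches.
  const wide = { ...delegation, caveats: { ...delegation.caveats, maxValue: '999' } };
  const r = {
    inScope: validate(account, delegation, op(agentKey, {}), 1000),
    overLimit: validate(account, delegation, op(agentKey, { value: '101' }), 1000),
    wrongMethod: validate(account, delegation, op(agentKey, { method: 'approve' }), 1000),
    wrongSigner: validate(account, delegation, op(otherKey, {}), 1000),
    expired: validate(account, delegation, op(agentKey, {}), 2000),
    widened: validate(account, wide, op(agentKey, { value: '500' }), 1000),
  };
  account.revoked.add('d-1'); // owner revokes the delegation
  r.revoked = validate(account, delegation, op(agentKey, {}), 1000);
  return r;
}
console.log(demo());
```

Every rejection happens without the owner's private key being present on the agent side, which is the isolation property the reply describes.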