Validators are ERC-7579 modules installed on the smart account. They verify that a transaction was signed by an authorized key by reading that key from the KeyStore.

WebAuthnValidator

The primary validator. Verifies signatures from WebAuthn authenticators - passkeys, hardware security keys, and device secure enclaves (Apple Secure Enclave, Android Keystore, FIDO2). These devices use the P-256 (secp256r1) elliptic curve, which is different from Ethereum’s native secp256k1.

How it works

  1. The smart account receives a UserOp
  2. The account calls validateUserOp() on the WebAuthnValidator
  3. The validator extracts the signature components: authenticator data, client data JSON, and the WebAuthn signature
  4. For the first transaction: validates against the initial key stored in the contract
  5. After the first transaction: validates against keys in the KeyStore
  6. Verifies the challenge in the client data matches the UserOp hash
  7. Checks the sign count for replay protection
  8. Returns valid or invalid

Key migration

On installation, the validator stores the initial public key internally. After the first successful transaction, it migrates the key to the KeyStore via initialRegisterKey(). This two-phase approach ensures the KeyStore entry is only created for accounts that actually transact.

EIP-7951 support

The validator supports the P256VERIFY precompile (EIP-7951) via a configurable flag. On chains that have adopted this precompile, signature verification costs 6,900 gas instead of 200,000+ gas for Solidity-based P-256 math. The usePrecompiled flag can be set per account, allowing the validator to work on chains with and without precompile support.

Verification options

Each account can configure:

| Option | Default | Description |
| --- | --- | --- |
| usePrecompiled | Chain-dependent | Use the P-256 precompile for faster verification |
| allowMalleability | true | Accept signature malleability (standard WebAuthn behavior) |
| requireUserPresence | true | Require the UP flag in authenticator data |
| requireUserVerification | false | Require the UV flag (biometric confirmation) |
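
The checks from steps 6 and 7 of "How it works", combined with the options above, can be modelled off-chain as follows. This is an added example, not the validator's contract code: `precheck` and the sample values are hypothetical, the byte layout and flag bits are those of the WebAuthn specification, and the sign-count rule (0 on both sides means the authenticator keeps no counter) is an assumption taken from that specification. The P-256 signature verification itself is left out; the function returns the digest that signature must cover.

```python
import base64, hashlib, json, struct

# Order of the P-256 (secp256r1) group; s > N // 2 is the "high-s" twin of a signature.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
FLAG_UP, FLAG_UV = 0x01, 0x04  # WebAuthn authenticator data flag bits


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def precheck(user_op_hash, auth_data, client_data_json, s, stored_count, opts):
    """Return (ok, reason, digest); digest is what the P-256 signature must cover."""
    if len(auth_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return False, "authenticator data too short", None
    flags = auth_data[32]
    (count,) = struct.unpack(">I", auth_data[33:37])
    if opts["requireUserPresence"] and not flags & FLAG_UP:
        return False, "UP flag missing", None
    if opts["requireUserVerification"] and not flags & FLAG_UV:
        return False, "UV flag missing", None
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return False, "client data is not JSON", None
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        return False, "not an assertion", None
    if client.get("challenge") != b64url(user_op_hash):
        return False, "challenge does not match UserOp hash", None
    # Assumption: WebAuthn counter rule; 0 on both sides means "no counter".
    if (count or stored_count) and count <= stored_count:
        return False, "sign count did not increase", None
    if not 0 < s < P256_N:
        return False, "s out of range", None
    if not opts["allowMalleability"] and s > P256_N // 2:
        return False, "high-s signature", None
    digest = hashlib.sha256(auth_data + hashlib.sha256(client_data_json).digest()).digest()
    return True, "ok", digest


# Constructed sample assertion (not captured from a real authenticator).
USER_OP_HASH = hashlib.sha256(b"constructed user operation").digest()
AUTH_DATA = hashlib.sha256(b"example.org").digest() + bytes([FLAG_UP]) + struct.pack(">I", 7)
CLIENT_DATA = json.dumps({"type": "webauthn.get", "challenge": b64url(USER_OP_HASH),
                          "origin": "https://example.org"}).encode()
DEFAULTS = {"allowMalleability": True, "requireUserPresence": True,
            "requireUserVerification": False}

if __name__ == "__main__":
    print(precheck(USER_OP_HASH, AUTH_DATA, CLIENT_DATA, P256_N - 5, 6, DEFAULTS)[:2])
```

With the default options the high-s sample passes; setting allowMalleability to false or requireUserVerification to true rejects the same assertion.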

Future validators

The KeyStore is signature-scheme agnostic. It stores raw public key bytes. Different validators can read from the same KeyStore to support different signing methods:

| Validator | Curve | Use case |
| --- | --- | --- |
| WebAuthnValidator | P-256 (secp256r1) | Passkeys, hardware keys, secure enclaves |
| ECDSAValidator | secp256k1 | Traditional Ethereum wallets, agent-held keys |
| Ed25519Validator | Curve25519 | Solana-style signatures, cross-chain agents |

All validators implement the same ERC-7579 interface and read from the same KeyStore. Adding a new signature scheme means deploying a new validator contract - no changes to the KeyStore or the policy hook.