Policy Engine - Coinbase Developer Documentation

Policies let you govern wallet behavior by defining rules that accept or reject operations based on transaction parameters like destination address, value, and network.

Policy fields

Field	Description	Valid values
`scope`	Level at which the policy applies	`project` or `account` (API key auth only)
`rules`	Ordered list of rules	Array of rules
`action`	What to do when criteria match	`accept` or `reject`
`operation`	The wallet operation being governed	See Supported operations
`criteria`	Logical expressions evaluated against the operation	Array of criteria

Evaluation

Rules are processed in order. The first matching rule’s action is applied. If no rule matches, the request is rejected (fail-secure default). For API key auth wallets, a project-level policy is evaluated first, followed by any account-level policy.

API key configuration

To manage policies via SDK or API, your API key must have the Non-custodial > Manage (modify policies) scope enabled under API restrictions > API-specific restrictions.

Create a policy

Policies can be created from the CDP Portal or via the SDK.

CDP Portal

In the Portal, navigate to Non-custodial Wallet > Security and click Create project policy to open the JSON editor.

SDK

User Authentication
API Key Authentication

User authentication wallets support project-scope policies only.

Node (TypeScript)
Python

const policy = await cdp.policies.createPolicy({
  policy: {
    scope: "project",
    description: "Accept EVM txs to allowlisted addresses",
    rules: [
      {
        action: "accept",
        operation: "signEndUserEvmTransaction",
        criteria: [
          {
            type: "evmAddress",
            addresses: ["0x000000000000000000000000000000000000dEaD"],
            operator: "in",
          },
        ],
      },
    ],
  },
});
console.log("Created policy:", policy.id);

policy = await cdp.policies.create_policy({
    "scope": "project",
    "description": "Accept EVM txs to allowlisted addresses",
    "rules": [
        {
            "action": "accept",
            "operation": "signEndUserEvmTransaction",
            "criteria": [
                {
                    "type": "evmAddress",
                    "addresses": ["0x000000000000000000000000000000000000dEaD"],
                    "operator": "in",
                },
            ],
        }
    ],
})
print(f"Created policy: {policy.id}")

API key auth wallets support both project-scope and account-scope policies.

Node (TypeScript)
Python

const account = await cdp.evm.getOrCreateAccount({ name: "PolicyAccount" });

// Create an account-level policy
const policy = await cdp.policies.createPolicy({
  policy: {
    scope: "account",
    description: "Account Allowlist Example",
    rules: [
      {
        action: "accept",
        operation: "signEvmTransaction",
        criteria: [
          {
            type: "ethValue",
            ethValue: "1000000000000000000", // 1 ETH in wei
            operator: "<=",
          },
          {
            type: "evmAddress",
            addresses: ["0x000000000000000000000000000000000000dEaD"],
            operator: "in",
          },
        ],
      },
    ],
  },
});

// Apply the policy to the account
await cdp.evm.updateAccount({
  address: account.address,
  update: { accountPolicy: policy.id },
});
console.log("Applied policy:", policy.id);

from cdp.policies.types import CreatePolicyOptions, EthValueCriterion, EvmAddressCriterion, SignEvmTransactionRule
from cdp.update_account_types import UpdateAccountOptions

account = await cdp.evm.get_or_create_account(name="PolicyAccount")

policy = await cdp.policies.create_policy(
    policy=CreatePolicyOptions(
        scope="account",
        description="Account Allowlist Example",
        rules=[
            SignEvmTransactionRule(
                action="accept",
                criteria=[
                    EthValueCriterion(ethValue="1000000000000000000", operator="<="),
                    EvmAddressCriterion(
                        addresses=["0x000000000000000000000000000000000000dEaD"],
                        operator="in",
                    ),
                ],
            )
        ],
    )
)

await cdp.evm.update_account(
    address=account.address,
    update=UpdateAccountOptions(account_policy=policy.id),
)
print(f"Applied policy: {policy.id}")

Supported operations

User authentication

Operation	Description
`signEndUserEvmTransaction`	End-user EVM transaction signing
`sendEndUserEvmTransaction`	End-user EVM transaction signing and sending
`signEndUserEvmMessage`	End-user EIP-191 message signing
`signEndUserEvmTypedData`	End-user EIP-712 typed data signing
`signEndUserEvmHash`	End-user EVM hash signing (no criteria)
`signEndUserSolTransaction`	End-user Solana transaction signing
`sendEndUserSolTransaction`	End-user Solana transaction signing and broadcast
`signEndUserSolMessage`	End-user Solana message signing
`sendEndUserOperation`	End-user smart wallet user operation sending
`sendEndUserEvmAsset`	End-user EVM asset send
`sendEndUserSolAsset`	End-user Solana asset send
`createEndUserEvmSwap`	End-user EVM swap creation

API key authentication

Operation	Description
`signEvmTransaction`	EVM transaction signing
`sendEvmTransaction`	EVM transaction signing and sending
`signEvmMessage`	EIP-191 message signing
`signEvmTypedData`	EIP-712 typed data signing
`signEvmHash`	Hash signing
`prepareUserOperation`	Smart account user operation preparation
`sendUserOperation`	Smart account user operation sending
`signSolTransaction`	Solana transaction signing
`sendSolTransaction`	Solana transaction signing and sending
`signSolMessage`	Solana message signing

​Policy fields

​Evaluation

​API key configuration

​Create a policy

​CDP Portal

​SDK

​Supported operations

​User authentication

​API key authentication