Spend Permissions

Spend Permissions let you designate a trusted spender that can spend tokens on behalf of your Smart Account. After you sign the permission, the spender can initiate token spending within the limits you define. You can define limits based on token, time period, and amount.

Smart Accounts must have spend permissions enabled at the time of creation. You cannot create spend permissions on accounts that were created without spend permissions enabled.

Spend Permissions utilize the Spend Permission Manager contract deployed on Base and other networks. Some use cases this feature enables:

Subscription payments - Enable recurring payments for SaaS, content subscriptions, or membership fees
Agentic payments - Control your agent’s spending limits for autonomous operations
Algorithmic trading - Allow trading bots to execute trades within predefined limits
Automated payouts - Schedule regular distributions or reward payments
Allowance management - Give team members or family controlled access to funds
Dollar-cost averaging - Automate periodic investment purchases

How it works

There are two parties involved in a Spend Permission:

Account - The smart account that creates the Spend Permission and approves it onchain.
Spender - The entity that can spend tokens on behalf of the account within the limits defined by a Spend Permission. Can be a Smart Account or a regular account.

Anatomy of a spend permission

Spender - The entity that can spend tokens on behalf of the account.
Token - The token that the Spend Permission is for. Use "eth" or "usdc" as shortcuts (Base and Base Sepolia only), or provide an ERC-20 contract address for other tokens.
Allowance - The amount of the token the spender is allowed to spend, in the token’s smallest unit (e.g. wei for ETH, 6-decimal units for USDC).
Time period - Use periodInDays for simple daily/weekly limits, or period, start, and end for advanced rolling windows and fixed time ranges.
Salt - A random value to differentiate between permissions with the same parameters. Generated automatically by the SDK.
Extra Data - Arbitrary data for additional information about the permission.

Enable spend permissions

Spend permissions must be enabled when creating the smart account.

React
Node (TypeScript)
Python

Set enableSpendPermissions: true in your CDPHooksProvider config:

import { CDPHooksProvider } from "@coinbase/cdp-hooks";

function App() {
  return (
    <CDPHooksProvider
      config={{
        projectId: "your-project-id",
        ethereum: {
          createOnLogin: "smart",
          enableSpendPermissions: true,
        },
      }}
    >
      <YourApp />
    </CDPHooksProvider>
  );
}

const smartAccount = await cdp.evm.getOrCreateSmartAccount({
  name: "SmartAccount",
  owner: await cdp.evm.getOrCreateAccount({ name: "Owner" }),
  enableSpendPermissions: true,
});

smart_account = await cdp.evm.get_or_create_smart_account(
    name="SmartAccount",
    owner=await cdp.evm.get_or_create_account(name="Owner"),
    enable_spend_permissions=True,
)

Create a spend permission

React
Node (TypeScript)
Python

Use useCreateSpendPermission to create a permission. Creating a permission is a user operation that requires gas — use useCdpPaymaster: true on Base or provide a paymasterUrl.

import { useCreateSpendPermission } from "@coinbase/cdp-hooks";
import { parseUnits } from "viem";

function CreateSpendPermission() {
  const { createSpendPermission, status, data, error } = useCreateSpendPermission();

  const handleCreate = async () => {
    await createSpendPermission({
      network: "base-sepolia",
      spender: "0x1399BE2B2E4186C209617053822C67173E8DFe5c",
      token: "usdc",
      allowance: parseUnits("10", 6), // 10 USDC
      periodInDays: 7,
      useCdpPaymaster: true,
    });
  };

  return (
    <div>
      <button onClick={handleCreate} disabled={status === "pending"}>
        {status === "pending" ? "Creating..." : "Create Permission"}
      </button>
      {status === "success" && data && <p>Tx: {data.transactionHash}</p>}
      {error && <p>Error: {error.message}</p>}
    </div>
  );
}

import { parseUnits, type SpendPermissionInput } from "@coinbase/cdp-sdk";

const spendPermission: SpendPermissionInput = {
  account: smartAccount.address,
  spender: spender.address,
  token: "usdc",
  allowance: parseUnits("0.01", 6), // 0.01 USDC per day
  periodInDays: 1,
};

const { userOpHash } = await cdp.evm.createSpendPermission({
  network: "base-sepolia",
  spendPermission,
});

const result = await smartAccount.waitForUserOperation({ userOpHash });
console.log("Spend permission created:", result);

from cdp import SpendPermission
from cdp.utils import parse_units

result = await cdp.evm.create_spend_permission(
    network="base-sepolia",
    spend_permission=SpendPermission(
        account=smart_account.address,
        spender=spender.address,
        token="usdc",
        allowance=parse_units("0.01", 6),  # 0.01 USDC per day
        period_in_days=1,
    ),
)

user_operation_result = await cdp.evm.wait_for_user_operation(
    smart_account_address=smart_account.address,
    user_op_hash=result.user_op_hash,
)
print(f"Spend permission created: {user_operation_result}")

Use a spend permission (spender side)

Once a permission is created, the designated spender lists the account’s permissions to find theirs, then calls useSpendPermission to spend within the defined limits.

Node (TypeScript)
Python

import { parseUnits } from "@coinbase/cdp-sdk";

const allPermissions = await cdp.evm.listSpendPermissions({
  address: smartAccount.address,
});

const permissions = allPermissions.spendPermissions.filter(
  (p) => p.permission.spender.toLowerCase() === spender.address.toLowerCase()
);

if (permissions.length === 0) {
  console.log("No spend permissions found for this spender");
  process.exit(1);
}

const spend = await spender.useSpendPermission({
  spendPermission: permissions[0].permission,
  value: parseUnits("0.005", 6),
  network: "base-sepolia",
});

const receipt = await spender.waitForUserOperation(spend);
console.log("Spend completed:", receipt);

all_permissions = await cdp.evm.list_spend_permissions(
    address=smart_account.address,
)

permissions = [
    p for p in all_permissions.spend_permissions
    if p.permission.spender.lower() == spender.address.lower()
]

if not permissions:
    print("No spend permissions found for this spender")
    exit(1)

spend = await spender.use_spend_permission(
    spend_permission=permissions[0].permission,
    value=parse_units("0.005", 6),
    network="base-sepolia",
)

receipt = await spender.wait_for_user_operation(spend)
print(f"Spend completed: {receipt}")

List spend permissions

React
Node (TypeScript)
Python

useListSpendPermissions automatically lists permissions for the authenticated user’s smart account.

import { useListSpendPermissions } from "@coinbase/cdp-hooks";

function ListPermissions() {
  const { refetch, data, status, error } = useListSpendPermissions();

  return (
    <div>
      <button onClick={refetch} disabled={status === "pending"}>
        Refresh
      </button>
      {data?.spendPermissions?.map((sp) => (
        <div key={sp.permissionHash}>
          <p>Spender: {sp.permission.spender}</p>
          <p>Token: {sp.permission.token}</p>
          <p>Allowance: {sp.permission.allowance}</p>
          <p>Revoked: {sp.revoked ? "Yes" : "No"}</p>
        </div>
      ))}
      {error && <p>Error: {error.message}</p>}
    </div>
  );
}

// As the account: see all permissions you've granted
const permissions = await cdp.evm.listSpendPermissions({
  address: smartAccount.address,
});
console.log("Permissions granted:", permissions);

// As the spender: query the account's permissions and filter by your address
const allPermissions = await cdp.evm.listSpendPermissions({
  address: "0xAccountAddress",
});
const myPermissions = allPermissions.spendPermissions.filter(
  (p) => p.permission.spender.toLowerCase() === spender.address.toLowerCase()
);

# As the account: see all permissions you've granted
permissions = await cdp.evm.list_spend_permissions(
    address=smart_account.address,
)
print("Permissions granted:", permissions)

# As the spender: query the account's permissions and filter by your address
all_permissions = await cdp.evm.list_spend_permissions(
    address="0xAccountAddress",
)
my_permissions = [
    p for p in all_permissions.spend_permissions
    if p.permission.spender.lower() == spender.address.lower()
]

Revoke a spend permission

React
Node (TypeScript)
Python

import { useRevokeSpendPermission } from "@coinbase/cdp-hooks";

function RevokePermission({ permissionHash }: { permissionHash: string }) {
  const { revokeSpendPermission, status, data, error } = useRevokeSpendPermission();

  const handleRevoke = async () => {
    await revokeSpendPermission({
      network: "base-sepolia",
      permissionHash,
      useCdpPaymaster: true,
    });
  };

  return (
    <div>
      <button onClick={handleRevoke} disabled={status === "pending"}>
        {status === "pending" ? "Revoking..." : "Revoke"}
      </button>
      {status === "success" && data && <p>Revoked. Tx: {data.transactionHash}</p>}
      {error && <p>Error: {error.message}</p>}
    </div>
  );
}

const permissions = await cdp.evm.listSpendPermissions({
  address: smartAccount.address,
});
const permissionHash = permissions.spendPermissions[0].permissionHash;

const { userOpHash } = await cdp.evm.revokeSpendPermission({
  address: smartAccount.address,
  permissionHash,
  network: "base-sepolia",
});

const result = await cdp.evm.waitForUserOperation({
  smartAccountAddress: smartAccount.address,
  userOpHash,
});
console.log("Revoke result:", result);

all_permissions = await cdp.evm.list_spend_permissions(
    address=smart_account.address,
)
permission_hash = all_permissions.spend_permissions[0].permission_hash

revoke_result = await cdp.evm.revoke_spend_permission(
    address=smart_account.address,
    permission_hash=permission_hash,
    network="base-sepolia",
)

result = await cdp.evm.wait_for_user_operation(
    smart_account_address=smart_account.address,
    user_op_hash=revoke_result.user_op_hash,
)
print(f"Revoke result: {result}")

Check remaining allowance

Query the getCurrentPeriod function on the Spend Permission Manager contract to see how much of an allowance remains in the current period.

Node (TypeScript)

import { createPublicClient, http, type Address } from "viem";
import { baseSepolia } from "viem/chains";

const SPEND_PERMISSION_MANAGER_ADDRESS = "0xf85210B21cC50302F477BA56686d2019dC9b67Ad";

const SPEND_PERMISSION_MANAGER_ABI = [
  {
    inputs: [
      {
        components: [
          { name: "account", type: "address" },
          { name: "spender", type: "address" },
          { name: "token", type: "address" },
          { name: "allowance", type: "uint160" },
          { name: "period", type: "uint48" },
          { name: "start", type: "uint48" },
          { name: "end", type: "uint48" },
          { name: "salt", type: "uint256" },
          { name: "extraData", type: "bytes" },
        ],
        name: "spendPermission",
        type: "tuple",
      },
    ],
    name: "getCurrentPeriod",
    outputs: [
      { name: "start", type: "uint48" },
      { name: "end", type: "uint48" },
      { name: "spend", type: "uint160" },
    ],
    stateMutability: "view",
    type: "function",
  },
] as const;

const client = createPublicClient({ chain: baseSepolia, transport: http() });

const permissions = await cdp.evm.listSpendPermissions({ address: smartAccount.address });
const permission = permissions.spendPermissions[0].permission;

const [, , amountSpent] = await client.readContract({
  address: SPEND_PERMISSION_MANAGER_ADDRESS,
  abi: SPEND_PERMISSION_MANAGER_ABI,
  functionName: "getCurrentPeriod",
  args: [permission],
});

const remaining = BigInt(permission.allowance) - amountSpent;
console.log(`Spent: ${amountSpent}, Remaining: ${remaining}`);