Understanding Session Scopes

To enable automation without requiring you to manually sign every transaction, PolyOrbit utilizes Session Keys. It is vital to understand the technical limitations of these keys to appreciate the security model.

What is a Session Key?

A Session Key is a temporary cryptographic key pair generated locally on your device. When you "Login" or "Enable Automation," you are signing a transaction that delegates specific, limited authorities to this temporary key for a fixed duration.

The Scope of Permissions

The Session Key operates under a strictly defined scope known as the "Policy." It determines exactly what the automation engine can and cannot do.

✅ ALLOWED Actions

The Session Key CAN:

  • Read Balances: View your USDC and token balances to calculate trade sizes.

  • Place Orders: Submit Buy or Sell orders to the Polymarket CLOB (Central Limit Order Book).

  • Redeem Shares: Call the redeem function to convert winning positions back to USDC.

  • Cancel Orders: Remove active limit orders from the book.

❌ DENIED Actions

The Session Key CANNOT:

  • Transfer Funds: It cannot send USDC, MATIC, or any other token to an external wallet address.

  • Change Ownership: It cannot alter the owner of the proxy wallet.

  • Export Keys: It cannot reveal your main private key (which it never touches).

  • Withdraw to Bank: It has no access to off-ramp banking features.

Expiry and Revocation

  • Time-Bound: Every session has a hard expiration (e.g., 7 days). Once the time elapses, the key becomes invalid, and the PolyOrbit engine loses all access until you re-authorize.

  • Immediate Revocation: You can manually revoke a session at any time via the PolyOrbit dashboard or by interacting directly with the blockchain contract, immediately locking out the automation engine.
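The scope, expiry and revocation rules above can be modelled as a deny-by-default check. This is an added example, not PolyOrbit's own code or its on-chain contract; the action names, the `SessionPolicy` class, the `audit` helper and the `0xSESSION` key value are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Allowlist mirrors the "ALLOWED Actions" list; the action names are constructed labels.
ALLOWED_ACTIONS = frozenset({"read_balances", "place_order", "redeem_shares", "cancel_order"})
SEVEN_DAYS = 7 * 24 * 3600  # the example session lifetime given on this page


@dataclass
class SessionPolicy:
    session_key: str              # identifier of the temporary key (placeholder value)
    issued_at: int                # Unix seconds when the owner signed the delegation
    ttl_seconds: int = SEVEN_DAYS
    revoked: bool = False

    @property
    def expires_at(self) -> int:
        return self.issued_at + self.ttl_seconds

    def revoke(self) -> None:
        self.revoked = True

    def authorize(self, signer: str, action: str, now: int) -> tuple[bool, str]:
        """Return (allowed, reason). Anything not explicitly allowed is denied."""
        if signer != self.session_key:
            return False, "unknown_signer"
        if self.revoked:
            return False, "revoked"
        if now >= self.expires_at:      # hard expiry: the boundary second is already invalid
            return False, "expired"
        if action not in ALLOWED_ACTIONS:
            return False, "out_of_scope"
        return True, "ok"


def audit(policy: SessionPolicy, requests: list[tuple[str, str, int]]) -> list[tuple[str, str]]:
    """Evaluate (signer, action, time) requests and return the denied ones for review."""
    denied = []
    for signer, action, now in requests:
        ok, reason = policy.authorize(signer, action, now)
        if not ok:
            denied.append((action, reason))
    return denied


if __name__ == "__main__":
    policy = SessionPolicy("0xSESSION", issued_at=1_700_000_000)  # constructed sample
    sample = [("0xSESSION", "place_order", 1_700_000_100),
              ("0xSESSION", "transfer_funds", 1_700_000_200)]
    print(audit(policy, sample))
```

Because the check is an allowlist, an action that appears in neither list on this page is refused as well, and every denial carries a reason that can be logged and reviewed.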
