
feat: add --ows flag to login for headless wallet creation #382

Open
kevarifin14 wants to merge 1 commit into tempoxyz:main from kevarifin14:feat/ows-login

Conversation

kevarifin14 commented Mar 24, 2026

Summary

Adds `tempo wallet login --ows` — headless alternative to passkey login. Same on-chain result, no browser needed.

```
tempo wallet login --ows
```

Why

The current login flow requires a browser for WebAuthn passkey authentication. This doesn't work for:

  • AI agents running autonomously on servers
  • CI/CD pipelines that need to interact with Tempo
  • Docker containers and headless VMs
  • SSH sessions without display forwarding
  • Automated infrastructure that needs to create and manage wallets programmatically

`--ows` gives these environments a way to create wallets with the same on-chain security model (scoped access keys, $100 spending limit, 30-day expiry) without requiring human interaction in a browser.

What it does

  1. Creates a root wallet key in the OWS encrypted vault (AES-256-GCM, scrypt KDF)
  2. Generates a scoped access key (same $100 USDC limit, 30-day expiry as passkey login)
  3. Root key signs a `KeyAuthorization` for the access key
  4. Calls the same `save_keys()` as passkey login — `keys.toml` entry is structurally identical
  5. Re-login reuses the same root wallet (same address, fresh access key)
  6. Reauth checks (key revoked/expired) same as passkey flow
  7. Analytics tracked with `wallet_type: "ows"` via PostHog

No changes to the signing path, keystore, or data model. Exported key material is Zeroizing-wrapped and wiped from memory after use.

Changes

| File | What |
| --- | --- |
| `Cargo.toml` | Added `ows-lib = "1.0.0"` and `ows-core = "1.0.0"` |
| `keys/ows.rs` | New — create wallet, find existing, decrypt signing key. 5 tests. |
| `keys/mod.rs` | Register `ows` module |
| `args.rs` | Added `--ows` flag to `Login` |
| `app.rs` | Pass flag to login |
| `commands/login.rs` | Added `run_ows()` — mirrors passkey flow without browser |

Test plan

  • `cargo check --workspace` passes
  • `cargo test --package tempo-common --lib` — 279/279 tests pass (274 original + 5 OWS)
  • OWS create + export round-trip verified
  • `find_wallet` by prefix works correctly
  • Same wallet produces same key on re-export
  • Different wallets produce different keys
  • Key material is Zeroizing-wrapped
  • Re-login reuses same wallet address
  • Reauth checks (revoked/expired) same as passkey flow
  • Existing login flow unchanged
  • Tested on mainnet with real USDC:

kevarifin14 force-pushed the feat/ows-login branch 5 times, most recently from 4dfbdc4 to 0885b0c on March 25, 2026 17:38

kevarifin14 (author), commit message:

Adds `tempo wallet login --ows` as a headless alternative to passkey
login. Creates a root key in the OWS vault, then generates a scoped
access key with the same defaults ($100 USDC, 30 days). Identical
on-chain result — no changes to signing, keystore, or model.