OWS

April 17, 2026 · View on GitHub

Local, policy-gated signing and wallet management for every chain.

CI npm PyPI License: MIT

Why OWS

  • Local key custody. Private keys stay encrypted at rest and are decrypted only inside the OWS signing path after the relevant checks pass. Current implementations harden in-process memory handling and wipe key material after use.
  • Every chain, one interface. EVM, Solana, XRPL, Sui, Bitcoin, Cosmos, Tron, TON, Spark, Filecoin — all first-class. CAIP-2/CAIP-10 addressing abstracts away chain-specific details.
  • Policy before signing. A pre-signing policy engine gates agent (API key) operations before decryption — chain allowlists, expiry, and optional custom executables.
  • Built for agents. Native SDK and CLI today. A wallet created by one tool works in every other.

Install

# Everything (CLI + Node + Python bindings)
curl -fsSL https://docs.openwallet.sh/install.sh | bash

Or install only what you need:

npm install @open-wallet-standard/core     # Node.js SDK
npm install -g @open-wallet-standard/core  # Node.js SDK + CLI (provides `ows` command)
npm install @open-wallet-standard/adapters # Framework adapters (viem, Solana, WDK)
pip install open-wallet-standard           # Python
cd ows && cargo build --workspace --release # From source

The language bindings are fully self-contained — they embed the Rust core via native FFI. Installing globally with -g also provides the ows CLI. The @open-wallet-standard/adapters package plugs an OWS wallet into viem, @solana/web3.js, and the Tether WDK.

Quick Start

# Create a wallet (derives addresses for the current auto-derived chain set)
ows wallet create --name "agent-treasury"

# Sign a message (EVM)
ows sign message --wallet agent-treasury --chain ethereum --message "hello"

# Sign on Solana
ows sign message --wallet agent-treasury --chain solana --message "hello"

# Sign a Bitcoin transaction
ows sign tx --wallet agent-treasury --chain bitcoin --tx "0200000001..."

# Use a bare EVM chain ID for Base
ows sign tx --wallet agent-treasury --chain 8453 --tx "02f8..."
import { createWallet, signMessage } from "@open-wallet-standard/core";

const wallet = createWallet("agent-treasury");
// => accounts for EVM, Solana, Bitcoin, Cosmos, Tron, TON, Filecoin, Sui, and XRPL

const sig = signMessage("agent-treasury", "evm", "hello");
console.log(sig.signature);
from ows import create_wallet, sign_message

wallet = create_wallet("agent-treasury")
# => accounts for EVM, Solana, Bitcoin, Cosmos, Tron, TON, Filecoin, Sui, and XRPL

sig = sign_message("agent-treasury", "evm", "hello")
print(sig["signature"])

Architecture

Agent / CLI / App

       │  OWS Interface (SDK / CLI)

┌─────────────────────┐
│    Access Layer      │     1. Caller invokes sign()
│  ┌────────────────┐  │     2. Policy engine evaluates for API tokens
│  │ Policy Engine   │  │     3. Key decrypted in hardened memory
│  │ (pre-signing)   │  │     4. Transaction signed
│  └───────┬────────┘  │     5. Key wiped from memory
│  ┌───────▼────────┐  │     6. Signature returned
│  │  Signing Core   │  │
│  │   (in-process)  │  │     The OWS API never returns
│  └───────┬────────┘  │     raw private keys.
│  ┌───────▼────────┐  │
│  │  Wallet Vault   │  │
│  │ ~/.ows/wallets/ │  │
│  └────────────────┘  │
└─────────────────────┘

Supported Chains

ChainCurveAddress FormatDerivation Path
EVM (Ethereum, Polygon, etc.)secp256k1EIP-55 checksummedm/44'/60'/0'/0/0
SolanaEd25519base58m/44'/501'/0'/0'
Bitcoinsecp256k1BIP-84 bech32m/84'/0'/0'/0/0
Cosmossecp256k1bech32m/44'/118'/0'/0/0
Tronsecp256k1base58checkm/44'/195'/0'/0/0
TONEd25519raw/bounceablem/44'/607'/0'
SuiEd255190x + BLAKE2b-256 hexm/44'/784'/0'/0'/0'
Spark (Bitcoin L2)secp256k1spark: prefixedm/84'/0'/0'/0/0
Filecoinsecp256k1f1 base32m/44'/461'/0'/0/0
XRPLsecp256k1base58checkm/44'/144'/0'/0/0

CLI Reference

CommandDescription
ows wallet createCreate a new wallet with addresses for all chains
ows wallet listList all wallets in the vault
ows wallet infoShow vault path and supported chains
ows sign messageSign a message with chain-specific formatting
ows sign txSign a raw transaction
ows pay requestMake a paid request to an x402-enabled API endpoint
ows pay discoverDiscover x402-enabled services
ows fund depositCreate a MoonPay deposit to fund a wallet with USDC
ows fund balanceCheck token balances for a wallet
ows mnemonic generateGenerate a BIP-39 mnemonic phrase
ows mnemonic deriveDerive an address from a mnemonic
ows policy createRegister a policy from a JSON file
ows policy listList all registered policies
ows key createCreate an API key for agent access
ows key listList all API keys
ows key revokeRevoke an API key
ows updateUpdate ows and bindings
ows uninstallRemove ows from the system

Specification

The full spec lives in docs/ and at openwallet.sh:

  1. Specification — Scope, document classes, conformance, and extensions
  2. Storage Format — Vault layout, keystore schema, filesystem permissions
  3. Signing Interface — Sign, signAndSend, signMessage operations
  4. Policy Engine — Pre-signing transaction policies
  5. Agent Access Layer — Optional access profiles above the core spec
  6. Key Isolation — Optional deployment guidance for key isolation
  7. Wallet Lifecycle — Creation, recovery, deletion, and rotation
  8. Supported Chains — Chain families, canonical identifiers, and derivation rules
  9. Conformance and Security — Interop testing and security requirements

Reference implementation documentation:

License

MIT