MetaMask is the world's leading self-custodial crypto wallet and gateway to decentralized finance, built by Consensys.
Read all articlesAn agentic wallet lets AI agents execute onchain actions inside defined limits. The category depends on custody, permissions, and its own security stack.

An agentic wallet is a wallet architecture that lets an AI agent or automation system prepare and, in some cases, execute onchain actions inside defined limits. In practice, it is a wallet for AI agents: not just a place to hold keys, but a control layer for what software can do with real assets, when it can do it, and what checks happen before anything is signed. Unlike a standard crypto wallet, an AI agent wallet is built for software that may act repeatedly, across apps, and at machine speed.
Key takeaways:
An agentic wallet is not just a key store—it is a control layer that defines what an AI agent can do with real assets, when it can do it, and what checks run before anything is signed.
The category exists because AI agents can expand a single instruction into a chain of financial actions, creating a risk surface that standard wallets were not built to handle.
The most important question for any agentic wallet in 2026 is not whether it can connect to a model. It is whether the wallet enforces security checks, spending limits, and human escalation paths before every transaction is signed.
MetaMask Agent Wallet runs a mandatory three-step security pipeline—simulation, threat scanning, and MEV protection—on every supported EVM transaction, with user-defined policy controls and self-custodial key management throughout.
When evaluating an agentic wallet, focus on five layers: custody model, permission model, pre-execution security checks, human approval logic, and funding and execution surface.
The category is expanding quickly. In June 2026, MetaMask launched MetaMask Agent Wallet via an Early Access program. Coinbase, Cobo, OKX, and Trust Wallet are among the other names that have brought agentic wallet products to market, and institutional custodians such as BitGo and Ledger have published their own frameworks for the category. The various agentic wallets available today do not all use the same design, but they are solving the same core problem: how to let software interact with real assets without giving it unlimited authority.
That authority problem is what makes the category distinct. An agent may need to check balances, request quotes, sign a token approval, bridge assets, open a perps position, or route a swap. The wallet is no longer just storing keys. It is defining what the agent is allowed to do, when it can do it, and what happens when a transaction looks unsafe.
Most wallets are still designed around a human operator. An agentic wallet changes the operating model.
Standard wallet | Agentic wallet |
Assumes a human reviews each action | Assumes software may initiate many actions |
Focuses on key storage and signing | Focuses on controlled execution and signing |
Usually asks for approval one transaction at a time | May use rules, spending limits, or scoped permissions |
Security often centers on the signing moment | Security may include simulation, threat scanning, and exception handling before signing |
Best for direct user control | Best for automation, delegated flows, and AI-assisted execution |
For a refresher on standard wallet categories, What is a Bitcoin wallet? covers hot vs cold storage, custodial vs self-custodial design, and the basic wallet concepts that agentic wallets build on.
AI systems can expand a single instruction into a chain of financial actions. A prompt to rebalance a portfolio may involve checking balances, comparing routes, approving a token, bridging to another chain, and sending the final transaction. That is a different risk surface than a person clicking "confirm" once in a wallet.
As a result, agentic wallets need controls that normal wallets were not built to provide. Common examples include spending caps, time bounds, allowlists, recipient restrictions, human approval on exceptions, and pre-execution transaction checks.
Teams evaluating wallets for AI agents are often comparing different answers to the same question: where should the wallet boundary sit between the user, the agent, and the underlying execution system? By mid-2026, agentic wallet products from Coinbase, Cobo, MetaMask, and others each offer a different answer to the same set of design questions.
An agentic wallet usually combines several layers rather than one feature. Those layers also form a useful checklist when evaluating any AI agent wallet product.
Some agentic wallets give the agent its own wallet. Others let the agent act through the user's existing wallet within a delegated scope. The custody model determines whether capital sits in a dedicated agent address or remains in the user's primary wallet. Products differ on the underlying architecture—TEE-backed wallets, MPC key splitting, and smart contract-based delegation each carry different trust assumptions, recovery paths, and key export options.
The wallet needs a way to define what the agent can do. That may take the form of spend limits, asset-specific permissions, contract allowlists, network boundaries, or time-limited session rules. Products in the category handle this differently—some use task-level agreements, others use session-scoped caps, and others use policy controls set during wallet initialization.
An agentic wallet becomes more useful when it can inspect a transaction before signing. Depending on the design, that may include simulation, threat scanning, human-readable previews, or automated rejection when a transaction falls outside policy. The key difference across products in 2026 is whether the security pipeline is mandatory or opt-in.
The critical question when evaluating any agentic wallet is when and where human review comes into play. Some systems require approval for every action. Others allow routine actions to continue and only pause when the agent crosses a boundary or a transaction appears suspicious. Approaches range from front-loading full plan approval before the agent starts to triggering human review only when a specific transaction violates policy.
Some agents need their own balance. Others work better when they can execute from the user's existing wallet inside narrow limits. The right answer depends on whether the product is closer to a trading bot, an app workflow, or an embedded user experience. Most agentic wallets in 2026 use a dedicated agent wallet that the user funds before the agent starts transacting, but products diverge on execution breadth and how tightly funding is scoped to a specific task.
The most important agentic-wallet question in 2026 is not whether a product can connect to a model. Many of them can. The harder question is whether the wallet can preserve useful autonomy without turning every prompt into an unrestricted signing surface.
The strongest designs therefore combine several controls at once: clear separation between the user and the agent runtime, explicit permission scopes or spending limits, pre-execution checks such as simulation or threat scanning, escalation paths for suspicious or out-of-policy actions, and an audit trail showing what the agent attempted and what the wallet allowed. This is where the category is starting to split. Some products treat the wallet mainly as a toolkit or execution wrapper. Others treat it as a policy and security layer first. The second approach is more likely to define how the category matures, because agentic finance fails when authority expands faster than safeguards.
MetaMask Agent Wallet applies the security-first approach described above through a mandatory pipeline and user-defined policy controls.
Every supported EVM transaction passes through a three-step security pipeline before it lands onchain. First, transaction simulation surfaces balance changes, approvals, and gas estimates so the agent and the user can see what a transaction will actually do before it is signed. Second, threat scanning powered by Blockaid, production-tested across millions of MetaMask transactions, evaluates the transaction against known attack patterns. Malicious transactions are auto-rejected. Third, Smart Transactions MEV protection shields execution from front-running and sandwich attacks. The pipeline is mandatory. It runs on every transaction, not as an opt-in feature.
On top of that pipeline, MetaMask Agent Wallet gives users two operating modes that define how much autonomy the agent has within the security boundary. Guard Mode is the default. The user sets daily spend limits, protocol allowlists, and risk parameters during setup. Any transaction that falls outside those rules, or that threat scanning flags, requires human approval via two-factor authentication before the agent can proceed. Beast Mode is the opt-in alternative for users who want fewer interruptions. The security pipeline still runs on every transaction and malicious actions are still blocked, but the agent has more latitude around policy edge cases.
Keys are secured using a trusted execution environment (TEE) while remaining exportable by the user at any time. The wallet is fully self-custodial. Transactions that pass the security pipeline and are deemed safe are backed by Transaction Protection coverage of up to $10,000 per month.
The result is a design where the agent operates autonomously inside rules the user defined, the security stack runs whether or not the user is watching, and the user retains self-custody throughout.
An agentic wallet is not just a chatbot connected to wallet APIs.
It is also not the same thing as an agent framework. A framework may help a model reason, route tools, or maintain memory. The wallet layer decides how real funds, signatures, approvals, and onchain authority are handled.
And it is not defined by a CLI alone. A terminal interface can be a useful way to expose agent tooling, but the core category question is still architectural: who controls the keys, how permissions are enforced, and what safety checks stand between the model and the transaction.
In 2026, the phrase "agentic wallet" is becoming a category term, not a single product label. That matters because developers and teams searching for Coinbase Agentic Wallet, Cobo Agentic Wallet, MetaMask Agent Wallet, or Trust Wallet Agent Kit are often trying to solve a broader design problem before they realize it.
A useful definition helps separate three questions that otherwise get blended together:
Does the agent need its own wallet, or should it operate from the user's existing wallet?
Where are the rules enforced: offchain, onchain, or both?
What safety checks sit between model output and transaction execution?
When those questions are answered clearly, product differences become easier to understand. Those same questions also become the checklist for any product-by-product comparison.
They also help separate adjacent topics that are easy to blur together. An agentic wallet governs custody, permissions, and transaction execution. Agentic payments topics such as stablecoin settlement or x402 focus on how agents pay, settle, or move value between systems. The two topics overlap in practice, but they are not the same layer of the stack.
For a closer look at how x402 works, see the x402 payments overview in MetaMask developer documentation.
Disclaimer