MetaMask is the world's leading self-custodial crypto wallet and gateway to decentralized finance, built by Consensys.
Read all articlesAI agents that only advise don't need wallets. Agents that execute do—they need to hold value, pay for what they use, and settle onchain inside limits the user set.

An agent can produce a recommendation without ever touching money. Execution is a different matter. Once an agent pays for data, buys compute, rebalances a position, or settles a trade onchain, it needs somewhere to hold value, authorize its movement, and enforce limits before funds move. That place is a wallet, and it's a key reason MetaMask Agent Wallet and Coinbase's AgentKit both launched in 2026 to empower agents and a new digital economy. Coinbase also helped popularize the x402 payments protocol many agents now use to pay for APIs, compute, and data.
Whether an executing agent needs a wallet is settled. What's still worth asking is where control sits while the agent uses it: does the user keep an exportable key and set the agent's limits directly, or does the agent's execution path stay tied to a provider's infrastructure for as long as it runs? MetaMask Agent Wallet takes the first approach: a self-custodial wallet with programmable guardrails, built specifically for agents that act.
For the basics, see What is an agentic wallet and then dive into some of the technical architecture with How AI agents transact without touching your keys. For a comparison, see Best agentic wallets in 2026. This article focuses on why the wallet layer is now unavoidable for any agent that acts and why custody decides how much of that agent's autonomy is real.
An agent that only produces text has no need to touch money. Its output is a suggestion a human still has to execute. That has been the default shape of most deployed agents to date, and it's also their ceiling: an agent that can only advise still requires a human in the loop for every financial step, which caps how much work it can actually do.
The agents being built now are different. They monitor a DeFi position and rebalance it directly. They shop for compute or data across multiple providers and pay whichever one is cheapest at that moment. They execute a trade instead of describing one. Each of those actions requires the same underlying capability: the ability to hold value and move it onchain, at whatever speed the agent operates, without waiting on a person to unlock the next step.
That capability doesn't come from a language model. It comes from a wallet. An agent's reasoning can be arbitrarily good, but without a way to hold and authorize the movement of funds, it stays a recommendation engine. The wallet is what turns a decision into an action, which is why the category has moved from a developer curiosity to a product line at MetaMask, Coinbase, Cobo, and OKX within months.
To act rather than advise, an agent needs three things: a balance it can draw from, a way to pay for what it consumes as it goes, and a way to execute onchain without a human confirming each individual step.
The second requirement is newer than it sounds. Software has always paid for infrastructure, but typically through a human-managed invoice, subscription, or stored card, not a payment the agent itself initiates mid-task. Agents that call paid APIs, buy inference from another model, or pull licensed data need to settle that cost inline. x402 closes that gap: an open protocol, built on the HTTP 402 "Payment Required" status code, that lets a server request payment and a client settle it in the same exchange, with no account setup or human approval mid-flow. MetaMask Agent Wallet currently supports x402 on the buyer side, so an agent can pay an x402-gated endpoint directly from its wallet. x402 sits apart from the wallet itself: it defines how a payment is priced and settled, not who holds the keys or what the agent is allowed to spend. The wallet still owns that question.
Put together, this is what people mean by agentic commerce or machine-to-machine payments: software paying software, at the pace code runs, for services that used to require a human with a credit card. None of it works without a wallet underneath it.
Once it's settled that an acting agent needs a wallet, the more useful question is who controls it. Three models are visible in the market today, at different stages of availability, and they answer that question differently.
Custody model | User's exit path | Representative products | The trade-off |
Self-custodial | User holds an exportable key at all times | MetaMask Agent Wallet | Secure infrastructure may still assist with signing, but the user can export the key and leave at any time |
Infra-custodial | No user-held export path; keys stay inside provider-operated infrastructure | Coinbase AgentKit, OKX OnchainOS Agentic Wallet | Provider infrastructure is a permanent part of every transaction the agent makes, for as long as the agent runs on it |
MPC-enterprise | Key split across multiple parties, typically the provider and the organization | Cobo Agentic Wallet | Strong institutional controls and audit trails, built around organizational custody workflows rather than individual key export |
Custody language varies across the category, and providers describe their own models fairly. Coinbase calls Agentic Wallets non-custodial wallets secured inside a trusted execution environment (TEE), paired with programmable spending limits and KYT screening. OKX describes its Agentic Wallet the same way: keys managed inside a TEE and never exposed to the model. Cobo positions its Agentic Wallet around MPC-based key splitting and a Pact-enforced policy engine built for "enterprise-grade automation with fine-grained policy control." Those are all legitimate security models, and MetaMask Agent Wallet also uses TEE-backed infrastructure to protect signing. The distinction that matters for this article is narrower than "TEE vs. no TEE": it's whether the user holds an exportable key and exit path, or whether the agent's execution stays tied to a provider-operated wallet for as long as the agent runs.
That's the self-custody principle applied to a new kind of user. Provider-operated infrastructure can be genuinely secure, but it remains part of the trust path for every transaction the agent makes for as long as the agent runs on it: that infrastructure can freeze, throttle, or change terms, regardless of how well-intentioned the provider is. A self-custodial design allows the user to retain the export or recovery path and defines the agent's limits directly, rather than depending solely on a provider-held account. For an agent acting autonomously on someone's behalf, that's the distinction that determines whether its autonomy travels with the user or stays bounded by a provider's execution environment.
Self-custody alone isn't a complete answer. A self-custodial wallet with no limits would let an agent do anything the user's balance allows, which is its own kind of risk. The real answer pairs self-custody with programmable guardrails set in advance: spend caps, allowlisted protocols, session limits, per-transaction limits, and a log of every action the agent took and why.
Guardrails are what make it possible to grant an agent standing authority instead of approving each transaction by hand. A spend cap bounds a bad trade without risking the account. A protocol allowlist limits the agent to contracts the user already vetted. Session and per-transaction caps limit the damage a single compromised prompt or malicious response can do, and an auditable log lets every action be reconstructed afterward. None of that requires giving up autonomy, rather it defines the boundaries autonomy operates within.
In practice, this looks like two operating modes today: a default, conservative mode that enforces daily spend limits and protocol allowlists set at setup and pauses for two-factor approval on anything outside those rules or flagged by threat scanning, and a second, opt-in mode that gives the agent more latitude on policy edge cases while still blocking outright malicious transactions. In MetaMask Agent Wallet these modes by the names Guard Mode and Beast Mode, respectively. Either way, the guardrails are defined by the user before the agent starts, not negotiated by the agent in the moment.
MetaMask Agent Wallet is a self-custodial wallet built specifically for AI agents, and its core design choice is that the user, not MetaMask, holds the keys. The wallet lets an agent execute swaps, perpetual futures, prediction markets, staking, and liquidity provision across EVM chains and Hyperliquid, all from one self-custodial wallet.
Every supported EVM transaction runs through a security pipeline before it lands onchain: transaction simulation, Blockaid-powered threat scanning through Transaction Shield, and Smart Transactions MEV protection. That pipeline runs regardless of which operating mode the user picks: the default Guard Mode, which requires two-factor approval on anything outside the user's spend limits or protocol allowlist, or Beast Mode, which gives the agent more room on policy edge cases while still blocking malicious transactions and surfacing them for 2FA review. Keys are protected with a trusted execution environment while remaining exportable by the user at any time, and eligible transactions that clear the pipeline are backed by Transaction Protection coverage of up to $10,000 per month, subject to eligibility, limits, and terms.
MetaMask Agent Wallet is currently CLI-first and built to plug into agent frameworks including Claude Code, Codex, OpenClaw, Hermes, OpenCode, and Cursor. It's available today through an Early Access program, with general availability soon. For a full walk-through of how a transaction moves from instruction to execution inside that architecture, see How AI agents transact without touching your keys
The swarm case is where the custody question compounds. A single agent with a provider-held key is one point of trust. A swarm of a dozen agents, each transacting independently, multiplies that exposure—and if they share one provider-held wallet, a single compromised agent or infrastructure incident can affect the whole swarm at once.
A self-custodial architecture gives a developer two ways to contain that blast radius. Each agent can get its own dedicated wallet with its own spend limits, for the cleanest isolation and audit trail. Or a single user wallet can grant each agent a scoped, delegated permission—asset, amount, duration, and constraints defined upfront—so capital doesn't have to be split across separately funded wallets. Many production systems use both: one funded wallet for broad execution, and scoped delegations for narrower, recurring tasks like paying for data or compute through x402. Either pattern keeps the user, not a third party, as the source of truth for what any agent in the swarm can do—and keeps the cost of getting custody wrong bounded by the user's own policy rather than a provider's infrastructure.