CLI Ownership Management: master, owner, and session Commands for Self-Hosted Wallets WAIaaS has introduced a three-tier ownership model for self-hosted AI agent wallets, comprising master, owner, and session layers. The CLI tool enables developers to manage wallet infrastructure on their own hardware, ensuring autonomous agent operation without unrestricted signing authority. This approach provides sovereignty and security by avoiding third-party custody of private keys. Self-hosting your AI agent's wallet infrastructure means you never hand your private keys to a third party — and WAIaaS gives you a complete CLI to manage exactly who controls what, on your own machine. If you've ever asked yourself whether you'd trust a hosted service with the signing keys for an autonomous agent that moves real money, you already know why this matters. This post walks through the three-tier ownership model in WAIaaS and the CLI commands that make it practical to run on your own hardware. Running a self-hosted wallet for a human is already a well-understood pattern. Running one for an AI agent is a harder problem because the agent needs to operate autonomously — it can't stop and ask you for a password every time it wants to send a transaction. At the same time, you absolutely cannot give the agent unrestricted signing authority over everything. Hosted Wallet-as-a-Service products solve this by centralizing custody on their servers. That trades sovereignty for convenience. You get an API key, they hold the keys, and you trust their infrastructure, their security practices, and their uptime. For many use cases that's fine. But if you're building something where privacy matters, where regulatory exposure matters, or where you simply don't want a third party able to freeze your agent's funds, self-hosting is the answer — and it's the crypto equivalent of running your own email server, except WAIaaS makes it genuinely practical in a single Docker command. The architecture that makes autonomous-but-safe agent wallets work is a three-tier ownership model: a master layer for system administration, an owner layer for fund sovereignty, and a session layer for the agent itself. Each tier has different privileges, different auth methods, and different CLI commands. Before looking at CLI commands, it helps to understand what each tier is for. masterAuth is the system administrator role. It uses an Argon2id-hashed password and is used to create wallets, create sessions, set policies, and manage the daemon itself. Think of it as root access to the WAIaaS daemon — you use it at setup time and when you need to change configuration, not during normal agent operation. ownerAuth is the fund sovereignty layer. It uses SIWS Sign-In With Solana or SIWE Sign-In With Ethereum signatures — meaning it's tied to a wallet you control independently. The owner can approve pending transactions, connect via WalletConnect, and exercise a kill switch. Crucially, the owner can recover control even if the master password is compromised. sessionAuth is what the AI agent actually uses. It's a JWT HS256 with a configurable TTL, max renewals, and absolute lifetime. The agent never touches master or owner credentials — it only holds a session token that can be revoked at any time. This separation is the security foundation. The agent can't escalate its own privileges, and you can pull the session token without affecting the wallet itself. The CLI is the primary tool for managing a self-hosted WAIaaS installation: npm install -g @waiaas/cli Once installed, you have access to 20 commands covering everything from daemon lifecycle to backup and restore. init , start , and set-master The fastest path from zero to running daemon: waiaas init Create data directory + config.toml waiaas start Start daemon prompts for master password on first run If you want a fully unattended first boot — useful for a homelab server or a Docker environment where you can't type a password interactively — use auto-provision: waiaas init --auto-provision Generates a random master password → saved to recovery.key waiaas start No password prompt After auto-provision, retrieve your generated master password from recovery.key , store it somewhere safe, and then harden it: waiaas set-master Change the master password to something you chose After confirming the new password works: Delete recovery.key — it's no longer needed The set-master command is the point where you go from "auto-generated for convenience" to "deliberately chosen and controlled by me." Don't skip it on a production deployment. owner connect , owner disconnect , owner status The owner layer is where your personal sovereignty over the funds lives. Connecting an owner means linking a wallet address Solana or EVM to the WAIaaS daemon so that you can approve transactions and exercise the kill switch from a wallet you control. waiaas owner connect Link your wallet address as the fund owner waiaas owner status Check which address is connected as owner waiaas owner disconnect Remove the owner connection Once an owner is connected, high-value transactions that exceed policy thresholds will require an owner signature to proceed. You can approve these via WalletConnect from your phone, or via the Telegram signing channel, or via the push-relay signing channel — three signing channels are supported. The owner connection is also how you access the kill switch. If an agent session is behaving unexpectedly, the owner can revoke approvals without needing the master password. This is intentional: it means the two roles can be held by different people in a team, or it means that even if someone gets your master password, they can't spend funds without the owner signature on transactions above your policy thresholds. session prompt and the Session API Sessions are what you hand to the AI agent. They're scoped JWTs — the agent authenticates with the session token, and the token has a TTL, a maximum renewal count, and an absolute lifetime ceiling. The session prompt command is the CLI interface for managing session interactions: waiaas session prompt For creating sessions programmatically which is the common case when you're wiring up an agent , use the REST API: First, create a wallet masterAuth required curl -X POST http://127.0.0.1:3100/v1/wallets \ -H "Content-Type: application/json" \ -H "X-Master-Password: my-secret-password" \ -d '{"name": "trading-wallet", "chain": "solana", "environment": "mainnet"}' Then create a session for the agent masterAuth required curl -X POST http://127.0.0.1:3100/v1/sessions \ -H "Content-Type: application/json" \ -H "X-Master-Password: my-secret-password" \ -d '{"walletId": "