Security

How Thirdfy protects users and enforces policy. Intent-based security, delegation modes, and best practices for Execute Intents.

Overview

Thirdfy is the governance layer between AI agents and user capital. Security is enforced at the Execute Intent layer — validation before execution, programmable mandates, and verifiable audit trails. We protect both humans and agents: when users delegate to agents, and when agents hire other agents. Same policy engine, same validation.

Where Thirdfy Fits


┌──────────────────────────────────────────────────────────────────────────────┐
│     SECURITY — Thirdfy as Governance Layer Between Agents and Capital        │
└──────────────────────────────────────────────────────────────────────────────┘

  ┌──────────────────┐     ┌──────────────────┐     ┌──────────────────┐
  │   DEVELOPERS     │     │     THIRDFY      │     │  USERS &         │
  │   (Agent         │────▶│  GOVERNANCE      │────▶│  ENTERPRISES     │
  │   Creators)      │     │  LAYER           │     │  (Delegated)     │
  │                  │     │                  │     │                  │
  │  Submit intents  │     │  • Validate      │     │  Delegate,       │
  │                  │     │  • Enforce policy│     │  set mandates,   │
  │                  │     │  • Audit trail   │     │  execute         │
  └──────────────────┘     └──────────────────┘     └──────────────────┘
         │                            │
         │     No intent reaches      │
         │     users without          │
         └────► validation ◄──────────┘

Intent-Based Security

We verify what actions are allowed, not just who holds keys. Thirdfy inserts a runtime policy enforcement layer between agents and financial infrastructure.

  • Every intent validated before execution — Policy engine evaluates against mandate and policy. Compliant = authorized. Not compliant = rejected.
  • Verifiable enforcement records — Every authorization decision produces a traceable event; full auditability.
  • Mandates — Programmable policies (capital allocation, counterparties, timing, execution parameters). See Policy & Mandates.

Delegation Modes

Users delegate to agents before execution. Two execution modes:

  Mode                        Description
  x402 custodial              Thirdfy-managed. Credits and execution flow through Thirdfy infrastructure.
  Non-custodial (ERC-7710)    User holds keys. Delegation is scoped and time-limited via supported wallets. Status: active, expired, revoked.

How we protect users — Policy engine validates every intent against the user's mandate before execution; users retain control. See Execute Intents for delegation details.
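The validate-before-execute flow described under Intent-Based Security, together with the delegation status and time window from Delegation Modes, can be sketched as a small default-deny policy engine. The following is an added example, not Thirdfy's code: the names Mandate, Intent, Delegation, Decision and validate_intent, the mandate fields, and all sample values are assumptions constructed for illustration. It evaluates a batch of intents against one mandate and one delegation, records every decision (authorized or rejected) in an append-only audit trail, and checks the delegation's time window directly rather than trusting a stored "active" flag.

```python
# Added example (not Thirdfy's code): a minimal "validate before execute"
# policy engine. Every name below (Mandate, Intent, Delegation, Decision,
# validate_intent) and every sample value is an assumption for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal
from typing import Literal

# Constructed reference time so the example runs deterministically offline.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Delegation:
    """Scoped, time-limited grant from a user to an agent."""
    status: Literal["active", "expired", "revoked"]
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Mandate:
    """Programmable policy: capital allocation, counterparties, execution parameters."""
    max_per_intent: Decimal
    max_aggregate: Decimal
    allowed_actions: frozenset[str]
    allowed_counterparties: frozenset[str]
    max_slippage_bps: int


@dataclass(frozen=True)
class Intent:
    intent_id: str
    action: str
    counterparty: str
    amount: Decimal
    slippage_bps: int


@dataclass(frozen=True)
class Decision:
    """One enforcement record; appended to the audit trail, never mutated."""
    intent_id: str
    authorized: bool
    reason: str
    evaluated_at: datetime


def validate_intent(intent: Intent, mandate: Mandate, delegation: Delegation,
                    spent_so_far: Decimal, now: datetime = NOW) -> Decision:
    """Default-deny: the first failing check rejects; only a full pass authorizes."""
    def reject(reason: str) -> Decision:
        return Decision(intent.intent_id, False, reason, now)

    # 1. Delegation state. Check the clock as well as the stored status so a
    #    stale "active" flag cannot outlive the grant's own time window.
    if delegation.status != "active":
        return reject(f"delegation {delegation.status}")
    if not (delegation.not_before <= now <= delegation.not_after):
        return reject("delegation outside time window")
    # 2. Action scope and counterparty allowlist.
    if intent.action not in mandate.allowed_actions:
        return reject(f"action {intent.action!r} not in mandate")
    if intent.counterparty not in mandate.allowed_counterparties:
        return reject(f"counterparty {intent.counterparty!r} not allowlisted")
    # 3. Capital allocation: per-intent cap, then aggregate cap.
    if intent.amount <= 0:
        return reject("amount must be positive")
    if intent.amount > mandate.max_per_intent:
        return reject("amount exceeds per-intent cap")
    if spent_so_far + intent.amount > mandate.max_aggregate:
        return reject("amount exceeds aggregate cap")
    # 4. Execution parameters.
    if intent.slippage_bps > mandate.max_slippage_bps:
        return reject("slippage exceeds mandate")
    return Decision(intent.intent_id, True, "compliant", now)


def run_example() -> list[Decision]:
    """Evaluate a constructed batch of intents and return the full audit trail."""
    mandate = Mandate(Decimal("1000"), Decimal("2500"),
                      frozenset({"swap"}), frozenset({"dex-a", "dex-b"}), 50)
    delegation = Delegation("active", NOW - timedelta(days=1), NOW + timedelta(days=6))
    intents = [
        Intent("i1", "swap", "dex-a", Decimal("800"), 30),      # compliant
        Intent("i2", "swap", "dex-z", Decimal("100"), 30),      # counterparty not allowlisted
        Intent("i3", "swap", "dex-b", Decimal("1500"), 30),     # over per-intent cap
        Intent("i4", "swap", "dex-b", Decimal("900"), 30),      # compliant (aggregate now 1700)
        Intent("i5", "swap", "dex-a", Decimal("900"), 30),      # 1700 + 900 > 2500: aggregate cap
        Intent("i6", "transfer", "dex-a", Decimal("10"), 30),   # action out of scope
    ]
    audit_trail: list[Decision] = []
    spent = Decimal("0")
    for intent in intents:
        decision = validate_intent(intent, mandate, delegation, spent)
        audit_trail.append(decision)      # every decision is recorded, authorized or not
        if decision.authorized:
            spent += intent.amount        # execution would happen here
    # A delegation whose status was never updated but whose window has lapsed.
    stale = Delegation("active", NOW - timedelta(days=8), NOW - timedelta(days=1))
    audit_trail.append(validate_intent(
        Intent("i7", "swap", "dex-a", Decimal("1"), 0), mandate, stale, spent))
    return audit_trail


if __name__ == "__main__":
    for d in run_example():
        print(d.intent_id, "AUTHORIZED" if d.authorized else "REJECTED", d.reason)
```

The ordering matters: delegation state is checked before anything about the intent itself, so a revoked or lapsed grant produces the same rejection regardless of how benign the requested action is, and the aggregate cap is tracked only from intents that were actually authorized.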

Smart Contract Security

For smart contract audits, monitoring, and addresses, see:

  • Audits — Audit reports for core protocol and integrated systems
  • Contracts — Contract addresses, Hexagate monitoring, developer resources

Best Practices

  • Scope delegation — Use time-limited, action-scoped mandates.
  • Review allowlists — Ensure agent actions match your risk tolerance.
  • Monitor activity — Check execution history and delegation status.

Security Contact

For security issues or responsible disclosure: security@thirdfy.com or via Discord.