CLASPApp-to-wallet session layer
Network Fiber testnet
DashboardTry the demo

Fiber NetworkCategory 1 — Wallet & Payment UX Infrastructure

CLASP

Connect apps to Fiber wallets. Never hand over the keys.

A secure session layer that lets apps and AI agents connect to Fiber wallets with limited, user-edited, time-boxed authority—without exposing private keys or permanent credentials.

Real Fiber testnet. Enforcement proven live.

No private keys. No permanent credentials. No unlimited access.

The whole integration<sdk> connect() then requestPayment() </sdk>

Two calls. Any app becomes a Fiber-paying client.

A stranger can pair a new app against the hosted wallet in five minutes. The app requests authority; the wallet has final control and can only ever hand back less than was asked.

AI agentsdAppsBotsLocal agents
How it works<flow> pair / review / approve / pay </flow>

From pairing code to a real, rule-checked payment.

The app requests authority, you reduce it, the wallet signs it, and every payment is enforced.

01

Pair

An app requests scoped authority with a short pairing code — no RPC URL, no credential.

02

Review & reduce

You see every permission in plain language and cut the spend caps and duration before approving.

03

Approve

The wallet signs a scoped session token carrying your reduced values — not the app's request.

04

Pay

A real Fiber testnet payment settles, checked against ten policy steps and the session budget.

Product surfaces<authority> visible, editable, revocable </authority>

Everything to see and control authority before it is used.

01

Permission review

Every operation translated into a plain-language consequence, with editable caps and duration.

02

10-step policy engine

Session, signature, permission, origin, nonce, freshness, amount, asset, and atomic spend — checked in order.

03

Real Fiber payments

Settled through an allow-listed gateway: new_invoice, get_invoice, send_payment, get_payment — nothing else.

04

Session dashboard

Live spend meters, activity log, and expiry across every active session.

05

Instant revocation

One tap moves the session to REVOKED — every later request fails, including innocent reads.

06

TypeScript SDK

connect() plus requestPayment() is the whole integration. Pair a new app in five minutes.

Security lab

Attack the wallet. Watch it win.

The same paired app turns malicious and runs four live attacks. Every one is blocked by the real policy engine with a machine-readable reason on a visible timeline. Nothing is simulated.

01

App turns malicious

Forbidden op, over-limit spend, replay, stolen token.

02

Policy engine blocks

Ten ordered checks reject the request before any spend.

03

Reason logged

permission_denied · limit_exceeded · replay · origin_mismatch.

Revocation<revoke/> authority ends when you say so

One tap and it is over.

Most projects demo connection and payment. Almost none demo the user taking authority back. Revoke a session and every later request — even an innocent read — fails with a single structured error.

BLOCKED

permission_denied

Requests channels:open, never granted.

BLOCKED

session_spending_limit_exceeded

Asks for 10 CKB with 1 CKB left.

BLOCKED

replay_detected

Replays a settled request — payment count stays 1.

BLOCKED

origin_mismatch

A copied token presented from evil.example.

Built with<stack> Fiber-first, agent-ready </stack>

Infrastructure you can inspect.

Fiber testnet payments, a 10-step policy engine, signed scoped tokens, and an allow-listed gateway.

01Fiber Network02TypeScript SDK03Policy engine04SQLite05Ed25519 / Biscuit06Allow-listed gateway
Judge Q&A<safety> clear boundaries, explicit approval </safety>