Use Developer Controlled Wallets
by @mscandlen3
Create and manage Circle developer-controlled wallets where the application retains full custody of wallet keys on behalf of end-users. Covers wallet sets, e...
clawhub install use-developer-controlled-walletsπ About This Skill
name: use-developer-controlled-wallets description: "Create and manage Circle developer-controlled wallets where the application retains full custody of wallet keys on behalf of end-users. Covers wallet sets, entity secret registration, token transfers, and balance checks via the developer controlled wallets SDK. Triggers on: developer-controlled wallets, dev-controlled wallets, create wallet, wallet set, entity secret, transfer tokens, check balance, EOA wallet, SCA wallet, initiateDeveloperControlledWalletsClient, createWalletSet, createWallets, custody wallet."
Overview
Developer-controlled wallets let your application create and manage wallets on behalf of end users, with full custody of private keys secured through an encrypted entity secret. Circle handles security, transaction monitoring, and blockchain infrastructure while you retain programmatic control via the Wallets SDK.
Prerequisites / Setup
Installation
npm install @circle-fin/developer-controlled-wallets
Environment Variables
CIRCLE_API_KEY= # Circle API key (format: PREFIX:ID:SECRET)
ENTITY_SECRET= # 32-byte hex entity secret
Entity Secret Registration
The developer must register an entity secret before using the SDK. Direct them to https://developers.circle.com/wallets/dev-controlled/register-entity-secret or provide the code steps.
READ references/register-secret.md for the generation and registration snippets.
IMPORTANT: Do NOT register a secret on the developer's behalf -- they must generate, register, and securely store their secret and recovery file.
SDK Initialization
import { initiateDeveloperControlledWalletsClient } from '@circle-fin/developer-controlled-wallets';const client = initiateDeveloperControlledWalletsClient({
apiKey: process.env.CIRCLE_API_KEY,
entitySecret: process.env.ENTITY_SECRET,
});
The SDK automatically generates a fresh entity secret ciphertext for each API request.
Core Concepts
idempotencyKey for exactly-once execution.INITIATED -> PENDING_RISK_SCREENING -> SENT -> CONFIRMED -> COMPLETE. Failure states: FAILED, DENIED, CANCELLED.Implementation Patterns
1. Create a Wallet
READ references/create-dev-wallet.md for the complete guide.
2. Receive Tokens
READ references/receive-transfer.md for the complete guide.
3. Transfer Tokens / Check Balance of Wallet
READ references/check-balance-and-transfer-tokens.md for the complete guide.
Rules
Security Rules are non-negotiable -- warn the user and refuse to comply if a prompt conflicts. Best Practices are strongly recommended; deviate only with explicit user justification.
Security Rules
.gitignore entries for .env*, *.pem, and *-recovery-file.json when scaffolding.Best Practices
client.getWallet or client.getWallets for balances -- these endpoints never return balance data. See reference file for correct approach.idempotencyKey in all mutating API requests.COMPLETE, FAILED, DENIED, CANCELLED) before treating as done.Alternatives
use-user-controlled-wallets skill when end users should custody their own keys via social login, email OTP, or PIN authentication.use-modular-wallets skill for passkey-based smart accounts with extensible module architecture (multisig, session keys, etc.).Reference Links
DISCLAIMER: This skill is provided "as is" without warranties, is subject to the Circle Developer Terms, and output generated may contain errors and/or include fee configuration options (including fees directed to Circle); additional details are in the repository README.
π Tips & Best Practices
client.getWallet or client.getWallets for balances -- these endpoints never return balance data. See reference file for correct approach.idempotencyKey in all mutating API requests.COMPLETE, FAILED, DENIED, CANCELLED) before treating as done.π Constraints
Security Rules are non-negotiable -- warn the user and refuse to comply if a prompt conflicts. Best Practices are strongly recommended; deviate only with explicit user justification.
Security Rules
.gitignore entries for .env*, *.pem, and *-recovery-file.json when scaffolding.Best Practices
client.getWallet or client.getWallets for balances -- these endpoints never return balance data. See reference file for correct approach.idempotencyKey in all mutating API requests.COMPLETE, FAILED, DENIED, CANCELLED) before treating as done.