Skip to main content
The Swig program is role-based. Each role has:
  • one authority
  • one stable role_id
  • one or more permission actions
If an operation succeeds or fails, these are the fields that decide it.

Authority types

Swig currently supports these authority families:
Authority typeTypical use
Ed25519standard Solana-key authorization
Ed25519Sessiontemporary delegated Ed25519 execution
Secp256k1external EVM-style signer integration
Secp256k1Sessiontemporary delegated Secp256k1 execution
Secp256r1passkey-style authorization
Secp256r1Sessiontemporary delegated Secp256r1 execution
ProgramExecinstruction-based authorization driven by another program
ProgramExecSessiontemporary delegated program-driven execution
Session-based authorities keep the same role and permission model, but switch authentication to a time-bounded session key or session rule.

What ProgramExec means

ProgramExec is the least familiar authority type, but it matters for recovery and other protocol-controlled flows. Instead of authenticating a user signature directly, it authenticates against another instruction in the same transaction. The configured authority stores:
  • the expected program ID
  • an instruction-prefix match
  • optional instruction-index targeting through the authority payload
This makes it useful when a separate program is allowed to trigger a narrow wallet behavior without becoming a general-purpose signer.

Permission families

Actions are typed permission records attached to roles.
FamilyPermissionsWhat they control
Broad accessAll, AllButManageAuthority, ManageAuthorityroot-like access, broad execution, and authority management
SOL limitsSolLimit, SolRecurringLimit, destination variantslamport spending ceilings
Token limitsTokenLimit, TokenRecurringLimit, destination variantsSPL token spending ceilings
Program accessProgram, ProgramAll, ProgramCurated, ProgramScopeCPI access from the wallet
StakingStakeLimit, StakeRecurringLimit, StakeAllstake-related execution
Sub-accountsSubAccountsub-account creation, signing, and control
Lifecycle and recoveryCloseSwigAuthority, RecoveryAuthorityclosing wallets and constrained recovery

Permission distinctions that matter

  • All is the broadest role marker.
  • AllButManageAuthority still allows broad execution, but excludes authority and sub-account management.
  • ManageAuthority is for adding, removing, or updating authorities.
  • RecoveryAuthority is narrower than ManageAuthority. It only grants access to the dedicated recovery path.
  • ProgramAll grants effectively unrestricted CPI access and should be treated as highly privileged.
  • ProgramCurated is looser than per-program rules, but still not fully open.
  • ProgramScope is the narrowest program control. It binds a program, a target account, and numeric field offsets so the program can enforce scoped limits.

Common role shapes

Most real integrations end up with some mix of:
  • an admin role that can manage authorities
  • an execution role that carries spend and program permissions
  • one or more session-capable roles for short-lived delegated access
  • an optional recovery role with RecoveryAuthority

How this maps to higher-level SDKs

Higher-level SDKs may hide the byte layout, but they still depend on the same rules:
  • a wallet operation eventually targets one role
  • that role authenticates through one authority type
  • that role’s actions decide whether execution is allowed
If you need the full instruction-builder surface, use TypeScript Actions.