Tandem Wallet Docs
Human-owned vaults for agent spending.
Tandem Wallet is a Solana smart account for AI agents. A human wallet owns the vault, an agent wallet can act within policy, and larger or riskier actions route to human approval.
DLVHJQd8LUbypaoguREZ1sek4E7zeqPHYvw62KceFmQr
What Tandem Does
Fast under-limit payments
Give an agent a USDC spending limit. The agent can send within that per-transaction limit without waiting for a human signature.
Human approvals for higher risk
Above-limit payments to non-whitelisted recipients become proposals. The human reviews and signs approval or rejection.
Recovery controls stay human
The human owner can pause agent activity, change limits, manage whitelist entries, withdraw vault USDC, and review history.
Quickstart
Set up a vault
- Open the app and connect a Solana wallet. This is the human owner. It creates vaults, approves proposals, and controls recovery settings.
- Create a vault. Name the vault, set a per-transaction USDC spending limit, and generate a new Tandem agent keypair or paste an existing agent public key.
- Save the Tandem agent keypair JSON. If Tandem generated the agent wallet, download the JSON. Tandem does not store the private key after vault creation.
- Fund the vault and the agent wallet. Deposit USDC into the vault. Send a small amount of SOL to the agent wallet so it can pay network fees.
- Send the setup message to your agent. The app generates an agent-friendly setup message. The agent asks for the Tandem agent keypair JSON, runs setup, and confirms vault state.
- Start with a tiny test payment. Ask the agent to check vault state, then send or propose a small USDC payment before larger usage.
Core concepts
The Tandem model
Human owner
The connected wallet that creates and owns a vault. It can approve proposals, pause or unpause, update spending limits, manage whitelists, and withdraw funds.
Agent signer
A separate Solana keypair controlled by the AI agent. It can initiate sends and proposals but cannot change human controls.
Vault
A program-derived account linked to the human owner and agent signer. The vault owns the USDC token account and signs token transfers through on-chain rules.
Spending limit
The maximum USDC amount the agent can send in one direct transaction unless the recipient is whitelisted.
Whitelist
A human-managed list of recipient wallets that can receive above-limit direct sends from the agent.
Proposal
A human approval request for an above-limit payment to a non-whitelisted recipient. Proposals include amount, recipient, memo, status, and review link.
Pause
A safety switch that blocks agent sends, new proposals, and proposal approvals while preserving human recovery controls.
Agent SOL
SOL sent to the agent wallet, not the vault PDA. It pays Solana transaction fees for agent-signed sends and proposals.
Human app
Using vaults
Vault creation
Create a vault from the app with a human wallet, agent public key, and USDC spending limit. Tandem derives the vault from the human and agent addresses.
Deposits and withdrawals
Deposit USDC into the vault token account for agent spending. The human owner can withdraw vault USDC from the app.
Agent gas top-up
The agent wallet needs SOL for transaction fees and recipient token account creation. This SOL goes to the agent address.
History and explorer links
Tandem tracks deposits, withdrawals, direct sends, proposal approvals, cancellations, and relevant Solana explorer links.
Agent connector
Set up an agent
The agent connector is published as @tandemwallet/agent
and provides a CLI, SDK, and MCP stdio server. Most users should
copy the exact setup message generated by the app.
Typical setup command shape
npx -y @tandemwallet/agent@latest setup \
--vault <vault_pda> \
--rpc-url <mainnet_rpc_url> \
--program-id DLVHJQd8LUbypaoguREZ1sek4E7zeqPHYvw62KceFmQr \
--app-url https://app.tandemwallet.aiCheck state
npx -y @tandemwallet/agent@latest stateDirect send
npx -y @tandemwallet/agent@latest send \
--recipient <wallet> \
--amount 0.1Create proposal
npx -y @tandemwallet/agent@latest propose \
--recipient <wallet> \
--amount 4 \
--memo "Payment request"MCP server
npx -y @tandemwallet/agent@latest mcpMCP tools
get_agent_addressreturns the configured agent signer.get_vault_statechecks balance, limit, pause state, and policy.send_usdcattempts a direct policy-checked payment.create_proposalcreates a human approval request.get_proposalchecks one proposal.list_proposalslists recent proposals.
Payments
Direct sends, proposals, and approvals
Agent checks vault state
The agent should check balance, pause status, spending limit, and any relevant pending proposal before trying to pay.
Direct send if allowed
If the amount is inside the limit, or the recipient is whitelisted, the agent can execute a USDC transfer directly.
Proposal if approval is required
Above-limit payments to non-whitelisted recipients become proposals with a memo and human review link.
Human signs final approval
The human reviews amount, recipient, memo, and vault state, then approves or rejects in the app.
Security
Security model
- Human owner controls vault settings and proposal approvals.
- Agent signer can act only inside on-chain program policy.
- Whitelisted recipients can receive above-limit direct sends.
- Non-whitelisted above-limit sends require human approval.
- Pause blocks agent and proposal activity.
- Human withdrawal and settings controls remain available.
- Program upgrade authority is critical because it can change code.
- Protocol authority controls fees and treasury routing, not vault drains.
Reference
Program and network reference
| Mainnet program | DLVHJQd8LUbypaoguREZ1sek4E7zeqPHYvw62KceFmQr |
|---|---|
| Mainnet USDC mint | EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v |
| Devnet legacy program | 6L2hon3xSV9saeaGG7cgFG298JGW4vf9jDtF5xg8E6pZ |
| Devnet USDC mint | 4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU |
On-chain instructions
Tandem exposes instructions for vault initialization, USDC sends, proposal creation, proposal approval and cancellation, proposal account closure, spending limit updates, whitelist management, pause and unpause, protocol fee configuration, treasury updates, protocol authority transfer, and staking-related flows. Staking is not enabled in the public app today.
Protocol fees
How fees route today
Tandem's current mainnet fee policy is 25 bps, equal to 0.25% of fulfilled USDC sends. Fees are enforced by the protocol config and route through the configured fee accounts.
Vault activity first
Fees apply to fulfilled vault transactions, including direct agent sends and approved proposals. Rejected or cancelled proposals do not move vault funds.
Treasury routing
While staking is not active, protocol fees route to the configured treasury path. Protocol authority can update fee settings and treasury routing, but cannot directly drain vaults.
$TANDEM
Tokenomics and protocol role
$TANDEM is the protocol token for Tandem Wallet. The live product is usable without holding $TANDEM: users can create vaults, fund USDC, configure agents, approve proposals, and recover funds with their human wallet.
8naeAc6qBpZmesBtJB34TwX55MhVR8bBUMs4JayUpump
Current utility
The vault-first release focuses on controlled USDC spending by agents. $TANDEM is not required for basic vault usage today.
Fee model
Tandem charges a 0.25% protocol fee on fulfilled USDC vault sends. With staking inactive, fees accrue to treasury.
Planned staking role
When staking is enabled, the intended model routes 50% of protocol fees to active $TANDEM stakers as USDC and 50% to treasury.
- Protocol treasury: funds operations, growth, integrations, infrastructure, and other protocol needs.
- Team allocation: reserved for market makers, exchange relationships, marketing, and ecosystem development.
- Fee currency: fees are currently generated from USDC vault activity because the first public release is USDC-native.
- No guaranteed outcome: token price, liquidity, staking rewards, and protocol usage can change and are not guaranteed.
Staking
Planned, not currently live
Staking is intentionally not enabled in the default vault-first mainnet build. The public app focuses on core vault, agent spending, approval, whitelist, pause, and recovery flows first.
Stake $TANDEM
When enabled, a staker deposits $TANDEM into the protocol staking account from their own wallet.
Protocol fees accrue
Fulfilled vault transactions generate USDC fees. The intended split is 50% to active stakers and 50% to treasury.
Claim USDC rewards
Rewards are designed to be claimed to the staker's own USDC associated token account after they accrue.
Unstake after lockup
The current planned staking logic includes a 7-day unstake lockup that resets when additional $TANDEM is staked.
Integrations
Where Tandem fits
Agent environments
Tandem is designed for coding agents, hosted autonomous workspaces, commerce agents, research assistants, and operations agents that can run CLI or MCP tools.
Payment protocols
Tandem can sit behind payment requests, invoices, API credit purchases, marketplace purchases, and recurring operational spend where policy limits matter.
AI applications
AI apps can use Tandem to let users fund controlled vaults instead of giving an app unrestricted wallet access.
Roadmap
Upcoming product areas
Mainnet USDC vaults
Human-owned vaults, generated or existing agent signers, spending limits, whitelists, proposals, pause controls, withdrawals, history, and agent connector setup.
SOL and SPL token support
Extend vault policies beyond USDC so agents can operate with SOL and selected SPL tokens under human-defined controls.
Swap functions for traders
Add controlled swap flows with quote review, slippage limits, token allowlists, daily spend caps, route checks, and human-approved proposals for larger trades.
Agent trading vaults
Support agent-managed positions where bought tokens remain in vault-owned accounts and the agent can later sell back to USDC under Tandem policy.
Multi-human cosigners
Add team and treasury vaults where multiple humans can share oversight, cosign approvals, and let agents operate as financial operators under group-defined policy.
Agent environment partnerships
Build setup paths and templates for popular agent runtimes, coding agents, autonomous browser environments, and hosted AI workspaces.
Payment protocol and AI app integrations
Integrate Tandem with payment protocols, marketplaces, commerce agents, AI apps, and API-credit workflows so agents can spend safely where work already happens.
FAQ
Frequently asked questions
Does Tandem ever need my human wallet private key?
No. The human wallet signs normal wallet transactions through your Solana wallet. Never paste or upload your human wallet seed phrase or private key.
What key does the agent receive?
The agent receives only the Tandem agent keypair for that vault. This is a hot key for constrained agent actions, not your human wallet key.
Can an agent drain the vault?
The agent can spend only according to vault policy. It can send within the spending limit, send above the limit to whitelisted recipients, or create proposals for human review. Human owners should set conservative limits and whitelists.
Why does the agent wallet need SOL?
The agent signer pays Solana transaction fees for sends and proposals. Agent SOL is separate from vault USDC.
What happens if a payment is above the limit?
If the recipient is not whitelisted, the agent creates a proposal. The human reviews and signs approval or rejection in the app.
Can I pause my agent?
Yes. Pausing blocks agent sends, new proposals, and proposal approvals while keeping human recovery paths available.
What if the agent setup command cannot find the keypair?
The agent should use the actual uploaded file path with
--agent-keypair <path>. Users should not need to
rename the downloaded keypair file.
Is staking live?
Staking is not enabled in the default vault-first public build. It remains a planned rollout area that requires its own testing and release process.
Is Tandem audited?
Security review work is documented on the site, and resolved findings are reflected in the current vault-first build. Users should still treat Tandem as experimental blockchain software.