Getting Started: Set Up an Onchain Agent

End-to-end guide to launching an AI agent with an LLM, an onchain wallet, and tools from opensea.io/tools.

An onchain agent is an AI that can reason, hold a wallet, sign transactions, and call tools on your behalf. This guide walks you through getting one running from scratch: picking a platform, connecting an LLM, setting up a wallet, and loading tools from opensea.io/tools.

1. Pick an agent platform

Start by choosing where your agent will live.

| Platform | Type | What you need |
| --- | --- | --- |
| Bankr | Hosted | Nothing. Cloud-managed agent with a built-in wallet. |
| Hermes Agent | Self-hosted | 4 GB+ RAM. Works with any cloud LLM provider, or run models locally if you have a GPU. |
| OpenClaw | Self-hosted | 4 GB+ RAM, Node.js 18+. No GPU needed. |
| Pinata Agents | Hosted | Nothing. Deploy and manage agents in Pinata's cloud. |
| Vercel Eve | Hosted | Nothing. Serverless TypeScript agents on Vercel. |

Hosted means you sign up and start building. Self-hosted means you run it on your own machine and get full control.

2. Decide how you'll store secrets

You'll be collecting API keys and credentials over the next few steps. Before you start, pick how you want to manage them.

Option A: Use a secret manager

A secret manager encrypts your credentials and injects them into your agent's environment at runtime, so nothing is written to disk in plaintext and nothing ends up in your shell history.

| Tool | How it works |
| --- | --- |
| onecli | Wraps 1Password. Stores secrets in a vault and injects them as environment variables when you run your agent. |
| 1Password CLI | Use op run to inject secrets from your 1Password vault into any command. |
| Doppler | Cloud-hosted secret manager with doppler run for local use and native CI/CD integrations. |
| Infisical | Open-source secret manager with a CLI, SDKs, and integrations for Docker, Kubernetes, and more. |

Here's what it looks like with onecli:

onecli run -- node agent.js

Your secrets get pulled from 1Password at startup and injected as environment variables. Nothing touches disk.

Option B: Use a .env file (local development only)

Warning: .env files store secrets as plaintext on disk. In practice, these files have a track record of getting accidentally deployed to servers, served by misconfigured web servers, or read by malicious packages. If you go this route, treat it as a temporary setup for local development with test keys and no real funds. Do not deploy .env files to production, and switch to a secret manager before you put real money in your wallet.

If you just want to get something running locally:

touch .env
echo ".env" >> .gitignore

Add secrets to this file as you go. It'll look something like:

# LLM provider (pick one)
OPENROUTER_API_KEY=sk-or-...

# Wallet provider (pick one)
BANKR_API_KEY=...

Option C: Use your platform's dashboard (hosted agents)

If you're on a hosted platform, add secrets through their dashboard. They handle encryption and runtime injection for you:

3. Get an LLM gateway key

Your agent needs a large language model to think and make decisions. Pick a provider below and store the key using whichever approach you chose in step 2. The examples show the variable names you'll need.

Bankr LLM Gateway

If you picked Bankr as your agent platform, LLM access is included. No separate key needed. Your BANKR_API_KEY covers both the wallet and inference.

You can also use the Bankr LLM Gateway on its own with any agent platform. Generate an API key at bankr.bot and store it:

BANKR_API_KEY=your-bankr-api-key

OpenRouter

OpenRouter gives you access to 100+ models (Claude, GPT-4, Llama, Mistral, and more) through a single key.

  1. Create an account at openrouter.ai
  2. Go to Keys and generate a new API key
  3. Store it:
OPENROUTER_API_KEY=sk-or-...

Most agent frameworks accept OpenRouter as an OpenAI-compatible endpoint. If yours does, also set:

OPENAI_API_BASE=https://openrouter.ai/api/v1
OPENAI_API_KEY=sk-or-...  # same key

Anthropic (Claude)

  1. Sign up at console.anthropic.com
  2. Go to API Keys and create a key
  3. Store it:
ANTHROPIC_API_KEY=sk-ant-...

OpenAI

  1. Sign up at platform.openai.com
  2. Go to API Keys and create a key
  3. Store it:
OPENAI_API_KEY=sk-...

Venice (private inference)

Venice runs open-source models with a focus on privacy. Your prompts and outputs are never stored or used for training, which makes it a good fit for agents handling sensitive data.

  1. Create an account at venice.ai
  2. Generate an API key in your account settings
  3. Store it:
VENICE_API_KEY=your-venice-api-key

Venice exposes an OpenAI-compatible API, so most agent frameworks work with it out of the box:

OPENAI_API_BASE=https://api.venice.ai/api/v1
OPENAI_API_KEY=your-venice-api-key

Local inference

Self-hosted platforms like Hermes Agent and OpenClaw can also run models locally. For Hermes Agent, download a model (like Hermes 3 70B) and point the agent at it. No API key needed, but you'll need a GPU with enough VRAM.

4. Set up an onchain wallet

Your agent needs a wallet to sign transactions, prove its identity, and pay for tools. The wallet providers below are all managed services: your agent's private key lives on their infrastructure, not on your machine. Your agent only holds an API key that authorizes signing requests through the provider.

The @opensea/wallet-adapters package gives you a unified interface across all of these providers.

Before you start: set limits first, fund later

Think of your LLM as the brain and your wallet as the hands. The brain can be tricked (prompt injection), make mistakes (hallucinated parameters), or behave unexpectedly. So before you send any funds to the wallet, configure spending caps, address allowlists, and approval workflows on your wallet provider. That way, even if the LLM makes a bad call, the wallet will refuse to execute anything outside your pre-approved boundaries.

As a rule of thumb, only fund your wallet with the amount your agent actually needs for its current task. Keep the rest in a separate wallet the agent can't touch.

Option A: Bankr

Bankr gives you a managed agent wallet with a simple API key.

  1. Create an account at bankr.bot
  2. Generate an API key at bankr.bot/api
  3. Set allowedRecipients, allowedIps, and daily limits on the key
  4. Store it:
BANKR_API_KEY=your-bankr-api-key

Option B: Privy (server-side managed wallets)

Privy gives you server-side wallets with policy controls and multi-signer support.

  1. Create an app at privy.io
  2. Create a server wallet in the dashboard
  3. Store the credentials:
PRIVY_APP_ID=your-app-id
PRIVY_APP_SECRET=your-app-secret
PRIVY_WALLET_ID=your-wallet-id

Option C: Turnkey (HSM-backed signing)

Turnkey offers hardware security module (HSM) backed wallets with fine-grained policy controls.

  1. Create an organization at turnkey.com
  2. Create an API user and wallet
  3. Store the credentials:
TURNKEY_API_PUBLIC_KEY=your-public-key
TURNKEY_API_PRIVATE_KEY=your-private-key
TURNKEY_ORGANIZATION_ID=your-org-id
TURNKEY_WALLET_ADDRESS=0x...
TURNKEY_RPC_URL=https://...

Option D: Fireblocks (enterprise MPC custody)

Fireblocks is an enterprise-grade MPC custody solution for institutional agents.

FIREBLOCKS_API_KEY=your-api-key
FIREBLOCKS_API_SECRET=your-api-secret
FIREBLOCKS_VAULT_ID=your-vault-id

Auto-detection

If you're using the Tool SDK or CLI, you don't need to pick a provider in code. Set the right environment variables and the SDK figures it out:

import { createWalletFromEnv } from "@opensea/wallet-adapters";

const wallet = createWalletFromEnv();
// Detects: Privy > Fireblocks > Turnkey > Bankr
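
Because detection follows a fixed order, credentials left over from trying another provider can make the agent sign with a different wallet than the one you put limits on. The preflight check below is an added example, not part of the SDK: it assumes a provider counts as configured when every variable listed for it in this guide is set (an assumption about detection), and the function name is hypothetical.

```javascript
// Added example: variable names come from this guide; the "all listed
// variables set" rule is an assumption about how detection works.
const PROVIDERS = [
  ["privy", ["PRIVY_APP_ID", "PRIVY_APP_SECRET", "PRIVY_WALLET_ID"]],
  ["fireblocks", ["FIREBLOCKS_API_KEY", "FIREBLOCKS_API_SECRET", "FIREBLOCKS_VAULT_ID"]],
  ["turnkey", ["TURNKEY_API_PUBLIC_KEY", "TURNKEY_API_PRIVATE_KEY",
    "TURNKEY_ORGANIZATION_ID", "TURNKEY_WALLET_ADDRESS", "TURNKEY_RPC_URL"]],
  ["bankr", ["BANKR_API_KEY"]],
]; // listed in the documented precedence order

function preflightWalletEnv(env) {
  const complete = [];
  const partial = [];
  for (const [name, vars] of PROVIDERS) {
    const missing = vars.filter((v) => String(env[v] || "").trim() === "");
    if (missing.length === 0) complete.push(name);
    else if (missing.length < vars.length) partial.push({ name, missing });
  }

  const warnings = [];
  if (complete.length > 1) {
    // The first entry wins; the rest are silently ignored at runtime.
    warnings.push(`${complete[0]} will be used; also configured: ${complete.slice(1).join(", ")}`);
  }
  for (const p of partial) {
    warnings.push(`${p.name} is partially configured; missing ${p.missing.join(", ")}`);
  }
  return { selected: complete[0] || null, shadowed: complete.slice(1), partial, warnings };
}
```

Run it at startup with `process.env` and refuse to start when `warnings` is non-empty and the selected provider is not the one you expect. Note that BANKR_API_KEY may legitimately be present for the LLM gateway alone.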

Tightening controls for production

Once your agent is working, go back and lock things down. These controls create a hard boundary between what the LLM decides and what the wallet can actually execute:

  • Bankr: allowedRecipients (address allowlist), allowedIps (CIDR allowlist), readOnly mode, and daily limits at bankr.bot/api
  • Privy: owner_id key quorum with spending policies that cap per-transaction amounts and allowlist destinations
  • Turnkey: Non-root API users with policy engine rules that restrict signing to specific contracts and value limits
  • Fireblocks: Transaction Authorization Policy (TAP) rules to enforce approval workflows and spending caps
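
To make the "set limits first" advice and the controls listed above concrete, here is an added example (not any provider's API) of the checks such a policy performs: a recipient allowlist, a per-transaction cap, and a daily limit applied to a request the LLM proposed. The policy shape and function names are hypothetical, and amounts are USDC base units (6 decimals).

```javascript
// Added example: hypothetical local policy, not a wallet provider's API.
const policy = {
  allowedRecipients: ["0x1111111111111111111111111111111111111111"], // constructed
  maxPerTx: 100000n, // 0.10 USDC in 6-decimal base units
  dailyLimit: 250000n, // 0.25 USDC per UTC day
};

function createGuard(rules, now = () => Date.now()) {
  const allow = new Set(rules.allowedRecipients.map((a) => a.toLowerCase()));
  let day = null;
  let spent = 0n;
  const deny = (reason) => ({ ok: false, reason });

  // `request` is whatever the LLM proposed; treat it as untrusted input.
  return function check(request) {
    const to = request && request.to;
    const raw = request && request.amount;
    if (typeof to !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(to)) {
      return deny("malformed recipient");
    }
    // Accept only plain decimal strings: no floats, exponents or signs.
    if (typeof raw !== "string" || !/^[0-9]+$/.test(raw)) {
      return deny("malformed amount");
    }
    const amount = BigInt(raw);
    if (amount === 0n) return deny("zero amount");
    if (!allow.has(to.toLowerCase())) return deny("recipient not allowlisted");
    if (amount > rules.maxPerTx) return deny("exceeds per-transaction cap");

    // Reset the running total when the UTC date changes.
    const today = new Date(now()).toISOString().slice(0, 10);
    if (today !== day) {
      day = today;
      spent = 0n;
    }
    if (spent + amount > rules.dailyLimit) return deny("exceeds daily limit");

    spent += amount; // count only requests that pass every check
    return { ok: true, reason: "within policy" };
  };
}
```

A check like this inside the agent process is defense in depth only; the limits configured at the wallet provider remain the boundary that holds if the agent process itself is compromised.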

5. Browse tools on opensea.io/tools

Head over to opensea.io/tools to see what's available. You'll find tools for NFT data, DeFi operations, analytics, and more. Each listing shows what the tool does, what it costs, and how access works (open, NFT-gated, or paid via x402 micropayments).

OpenSea indexes registered tools and filters out known-bad entries on a best-effort basis, but the underlying registry is permissionless, so the filter is not a guarantee. Before you connect a new tool to your agent, take a quick look at a few things:

  • Who published it? Tools on opensea.io/tools show the registrant's address. Look for publishers you recognize.
  • What does the manifest say? Every tool has a .well-known manifest that describes its inputs, outputs, and pricing. Skim it before your agent calls it.
  • Is the manifest hash valid? The onchain registry stores a keccak256 hash of each manifest. The Tool SDK checks this automatically, so you'll know if a manifest has been tampered with.
  • What's the access predicate? The predicate is a read-only onchain check that tells your agent what's needed to call the tool (e.g. NFT ownership, a subscription, or a token balance). Standard predicates (NFT gate, subscription, etc.) are auditable.

For the full story on how verification works, see the Agent Tool Registry (ERC-8257) guide.

6. Connect your agent to tools

Using the Tool SDK

Install the @opensea/tool-sdk and call tools directly:

import { paidFetch } from "@opensea/tool-sdk";
import { createWalletFromEnv } from "@opensea/wallet-adapters";

const wallet = createWalletFromEnv();
const res = await paidFetch("https://example-tool.com/api", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ query: "pudgy penguins floor price" }),
  signer: wallet,
  maxAmount: "100000", // cap at 0.10 USDC
});
const data = await res.json();

Using the CLI

You can also call tools from your agent's shell:

npx @opensea/tool-sdk pay https://example-tool.com/api \
  --body '{"query": "trending NFTs"}'

Using MCP

Connect the OpenSea MCP Server for automatic tool discovery. Your agent can search, browse, and invoke tools through the search_tools, get_tool, and get_wallet_tools MCP tools:

{
  "mcpServers": {
    "OpenSea": {
      "url": "https://mcp.opensea.io/mcp",
      "headers": {
        "X-API-KEY": "YOUR_API_KEY"
      }
    }
  }
}

Don't have an API key yet? Grab one instantly:

curl -s -X POST https://api.opensea.io/api/v2/auth/keys | jq -r '.api_key'

Discover tools programmatically

Your agent can also search the registry at runtime:

curl "https://api.opensea.io/api/v2/tools/search?query=nft" \
  -H "x-api-key: YOUR_API_KEY"

7. Keep discovering new tools

New tools show up on the Tool Registry regularly. You can check back at opensea.io/tools to see what's new, or have your agent call the search_tools MCP tool or REST endpoint periodically.

One thing to watch out for: don't let your agent blindly start using every new tool it finds. Since the registry is open, a malicious tool could try to exfiltrate data or trick your agent into signing something you didn't intend. A good pattern is to have your agent surface newly discovered tools (their manifest, publisher, and access predicate) for you to review before adding them to the active toolset.
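
One way to implement that review step, as an added example rather than code from the Tool SDK: keep a list of tools you have approved, pinned to the publisher and manifest hash you reviewed, and send anything new or changed back to a review queue. The record fields (id, publisher, manifestHash, predicate) are hypothetical and all values are constructed.

```javascript
// Added example: field names are hypothetical, not the registry's schema.
// All addresses and hashes below are constructed sample values.
const approved = [
  { id: "tool-a", publisher: "0x" + "aa".repeat(20), manifestHash: "0x" + "01".repeat(32) },
  { id: "tool-b", publisher: "0x" + "bb".repeat(20), manifestHash: "0x" + "02".repeat(32) },
];
const discovered = [
  { id: "tool-a", publisher: "0x" + "AA".repeat(20), manifestHash: "0x" + "01".repeat(32), predicate: "open" },
  { id: "tool-b", publisher: "0x" + "bb".repeat(20), manifestHash: "0x" + "ff".repeat(32), predicate: "nft-gate" },
  { id: "tool-c", publisher: "0x" + "cc".repeat(20), manifestHash: "0x" + "03".repeat(32), predicate: "x402" },
];

// Hex strings are compared case-insensitively.
const same = (a, b) => String(a).toLowerCase() === String(b).toLowerCase();

function triageTools(found, pins) {
  const pinned = new Map(pins.map((p) => [p.id, p]));
  const active = [];
  const needsReview = [];
  for (const tool of found) {
    const pin = pinned.get(tool.id);
    const reasons = [];
    if (!pin) {
      reasons.push("new tool, never reviewed");
    } else {
      // An approval covers one manifest from one publisher, nothing more.
      if (!same(pin.manifestHash, tool.manifestHash)) {
        reasons.push("manifest hash changed since approval");
      }
      if (!same(pin.publisher, tool.publisher)) {
        reasons.push("publisher changed since approval");
      }
    }
    if (reasons.length === 0) active.push(tool.id);
    else needsReview.push({ ...tool, reasons });
  }
  return { active, needsReview };
}
```

Only the ids in `active` go into the agent's toolset; everything in `needsReview` carries the manifest hash, publisher and predicate a human needs to decide.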
