Metadata-Based Access Control

thirdweb Vault uses metadata patterns to map organizational structures directly into access control policies, eliminating the need to duplicate organizational hierarchies within the key management system.

Entity Tagging

Each EOA can be tagged with arbitrary metadata key-value pairs representing organizational attributes:


{
  "team": "trading",
  "region": "apac",
  "purpose": "treasury",
  "riskLevel": "high"
}

Pattern Matching with Rules

Access tokens can be scoped using metadata rules that define precise access patterns:


{
  "metadataPatterns": [
    {
      "key": "team",
      "rule": {
        "pattern": "^trading$"
      }
    },
    {
      "key": "riskLevel",
      "rule": {
        "op": "lessThan",
        "value": 3
      }
    }
  ]
}

Practical Implementation Examples

Departmental Segregation

An organization can create EOAs tagged with departmental metadata and issue access tokens that respect organizational boundaries:


// Policy component for trading department
{
  "type": "eoa:signTransaction",
  "allowlist": [],
  "metadataPatterns": [
    {
      "key": "department",
      "rule": {
          "pattern": "^trading$"
      }
    },
    {
      "key": "region",
      "rule": {
          "pattern": "apac"
      }
    }
  ],
  "payloadPatterns": {
    "chainId": [
      {
          "pattern": "^(1|137)$"
      }
    ],
    "value": [
      {
            "op": "lessThan",
            "value": "1000000000000000000"
      }
    ]
  }
}

Multi-Team Collaboration

For entities requiring shared access across teams:


// EOA metadata
{
  "teams": "finance,trading,compliance",
  "purpose": "treasury"
}
 
// Policy for finance team access
{
  "type": "eoa:signMessage",
  "allowlist": [],
  "metadataPatterns": [
    {
      "key": "teams",
      "rule": {
          "pattern": "finance"
      }
    }
  ],
  "chainId": 1,
  "messagePattern": "^Confirm treasury operation:"
}