Privacy & security
Picnic agents is built on three guarantees: passkey-bound sessions, scoped access, and read-only-by-default capabilities.
Authentication: OAuth 2.0 + passkey
Picnic agents follows RFC 9728 (OAuth 2.0 Protected Resource Metadata). When your AI client connects:
- The client discovers the OAuth metadata at /.well-known/oauth-authorization-server.
- You're redirected to Picnic's consent page.
- You sign in with your passkey — the same one you use in the Picnic app. There are no shared API keys, no static tokens to copy and paste, no passwords.
- You pick which scopes to grant. The token issued back to your AI client is bound to that specific passkey: every tool call validates that the requested data belongs to a smart account that passkey controls.
If you delete the passkey, the token stops working.
Scopes
Each capability is its own scope. You approve scopes individually on the consent screen, and your AI client can never use a scope you haven't granted.
| Scope | Description | Status |
|---|---|---|
| read:profile | View your name, email, and account status | Coming soon |
| read:balances | View your token balances across all accounts and chains | Available |
| read:transactions | View your transaction history | Available |
| read:card | View your card details, status, and spending limits | Coming soon |
| read:card:transactions | View your card transaction history | Coming soon |
| read:actions | View the status of pending and past transaction proposals | Available |
| propose:swap + execute:swap | Initiate a token swap; you authorize each one via passkey before it settles | Available |
| propose:transfer + execute:transfer | Initiate a crypto transfer; you authorize each one via passkey before it settles | Available |
| propose:pix + execute:pix | Initiate a PIX payment | Coming soon |
| manage:card | Freeze, unfreeze, or change the daily limit on your card | Available |
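The two checks described in the authentication section and the scope table (a tool call needs a granted scope, and its target account must belong to the passkey the token is bound to) can be sketched as a small enforcement routine. This is an added illustration, not Picnic's code; the tool names, passkey ids, account ids and the in-memory passkey registry are all constructed.

```python
# Added example (not Picnic's code): toy enforcement of scoped, passkey-bound access.
# Tool names, passkey ids, account ids and the registry below are constructed.
from dataclasses import dataclass

# Scope each tool requires (mirrors the scope table; tool names are assumed).
TOOL_SCOPES = {
    "get_balances": "read:balances",
    "get_transactions": "read:transactions",
    "propose_transfer": "propose:transfer",  # settling still needs a passkey signature
    "freeze_card": "manage:card",
}

# Constructed registry: passkey credential id -> smart accounts it controls.
PASSKEYS = {"pk-alice": {"0xaaa1", "0xaaa2"}}


@dataclass(frozen=True)
class Token:
    passkey_id: str      # passkey the session is bound to
    scopes: frozenset    # scopes granted on the consent screen


class AccessDenied(Exception):
    pass


def authorize(token: Token, tool: str, account: str) -> str:
    """Return the scope that authorized the call, or raise AccessDenied."""
    needed = TOOL_SCOPES.get(tool)
    if needed is None:
        raise AccessDenied(f"unknown tool {tool!r}")
    if needed not in token.scopes:           # scoped access
        raise AccessDenied(f"scope {needed} not granted")
    accounts = PASSKEYS.get(token.passkey_id)
    if accounts is None:                     # passkey deleted: token is dead
        raise AccessDenied("passkey no longer registered")
    if account not in accounts:              # passkey-bound data boundary
        raise AccessDenied("account not controlled by this passkey")
    return needed


def is_allowed(token: Token, tool: str, account: str) -> bool:
    try:
        authorize(token, tool, account)
        return True
    except AccessDenied:
        return False


def revoke_passkey(passkey_id: str) -> None:
    # Deleting the passkey in the app: every token bound to it now fails.
    PASSKEYS.pop(passkey_id, None)
```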
What Picnic agents cannot do (today)
- It cannot move funds without your passkey signature. Every transfer, swap, or card change opens a sign URL that requires WebAuthn authentication against your registered passkey.
- It cannot export keys or any signing material. Signing always happens on your device, with your passkey.
- It cannot see anything outside the smart accounts the authenticated passkey controls.
Revoking access
Open the Picnic app and revoke the AI client's connection. The token stops working immediately on the next request.