allowlist restricts which contracts a session key may call. Any call to a contract
not in the list is rejected on-chain in __check_auth. A stolen session blob cannot
be used to interact with arbitrary contracts - it is scoped to exactly the set you declare.
Usage
policies array when calling grantSession:
What happens when a call targets an unlisted contract
The contract rejects the authorization during__check_auth. The facilitator maps the
on-chain rejection to BuckspayError("SESSION_POLICY_VIOLATION").
The allowlist check runs inside the contract - not in the SDK, not in the facilitator.
A session key with an allowlist of
[APP_CONTRACT] cannot be used to call any other
contract, even if the session blob is extracted from memory.Combining policies
allowlist is commonly paired with spendLimit to scope the session both by callable
contracts and by cumulative spend. See Sessions overview for
the full lifecycle example, which uses both policies together.
Next
Spend limit policy
Cap cumulative token spend over a rolling period.
Sessions overview
Full lifecycle: grant, serialize, use, and revoke a session.

