diff --git a/public/images/tip20/virtual-addresses-dark.png b/public/images/tip20/virtual-addresses-dark.png
new file mode 100644
index 00000000..e07754c3
Binary files /dev/null and b/public/images/tip20/virtual-addresses-dark.png differ
diff --git a/public/images/tip20/virtual-addresses-light.png b/public/images/tip20/virtual-addresses-light.png
new file mode 100644
index 00000000..dbf3f21b
Binary files /dev/null and b/public/images/tip20/virtual-addresses-light.png differ
diff --git a/src/pages/guide/node/network-upgrades.mdx b/src/pages/guide/node/network-upgrades.mdx
index 0856818c..56c2f84c 100644
--- a/src/pages/guide/node/network-upgrades.mdx
+++ b/src/pages/guide/node/network-upgrades.mdx
@@ -36,17 +36,19 @@ For detailed release notes and binaries, see the [Changelog](/changelog).
| | |
|---|---|
-| **Scope** | Enhanced access keys with periodic limits, call scoping, and an authorization ABI update; signature verification precompile; virtual addresses for TIP-20 deposit forwarding; and security hardening and gas correctness fixes |
-| **TIPs** | [TIP-1011: Enhanced Access Key Permissions](/protocol/tips/tip-1011), [TIP-1020: Signature Verification Precompile](/protocol/tips/tip-1020), [TIP-1022: Virtual Addresses for TIP-20 Deposit Forwarding](/protocol/tips/tip-1022), TIP-1038: T3 security hardening and gas correctness fixes |
+| **Scope** | Enhanced access keys with periodic limits, call scoping, and an authorization ABI update; signature verification precompile; and virtual addresses for TIP-20 deposit forwarding |
+| **TIPs** | [TIP-1011: Enhanced Access Key Permissions](/protocol/tips/tip-1011), [TIP-1020: Signature Verification Precompile](/protocol/tips/tip-1020), [TIP-1022: Virtual Addresses for TIP-20 Deposit Forwarding](/protocol/tips/tip-1022) |
| **Details** | [T3 network upgrade](/protocol/upgrades/t3) |
| **Release** | T3-compatible release coming soon |
-| **Testnet** | Moderato: Apr 22, 2026 16:00 CEST (unix: TBD) |
+| **Testnet** | Moderato: Apr 21, 2026 16:00 CEST (unix: TBD) |
| **Mainnet** | Presto: Apr 27, 2026 16:00 CEST (unix: TBD) |
| **Priority** | Required |
-All node operators should upgrade before the Moderato activation date, even if they do not plan to use the new T3 feature set directly.
+### Who is affected?
-Partners that create or rotate access keys should also review the T3 upgrade page. Existing authorized access keys remain valid, but key authorization flows must move to the new TIP-1011 ABI after activation.
+Partners that directly call `AccountKeychain.authorizeKey(...)` or manually encode `key_authorization` to create or rotate access keys should also review the T3 upgrade page. Existing authorized access keys remain valid, but those low-level authorization flows must move to the new TIP-1011 format post-T3.
+
+Partners that index TIP-20 transfers should also review the T3 upgrade page. Virtual-address forwarding emits two-hop `Transfer` events, so raw transfer lists and counts will be misleading unless that pair is handled as one logical deposit.
---
diff --git a/src/pages/guide/tempo-transaction/index.mdx b/src/pages/guide/tempo-transaction/index.mdx
index 383b3ecf..20796385 100644
--- a/src/pages/guide/tempo-transaction/index.mdx
+++ b/src/pages/guide/tempo-transaction/index.mdx
@@ -83,4 +83,8 @@ If you are an EVM smart contract developer, see the [Foundry guide for Tempo](/s
## Properties
+:::info[T3 will change these examples]
+The examples below show the currently active Tempo Transaction shape. T3 changes the access-key examples and parts of the transaction envelope, and the affected lines are called out inline.
+:::
+
diff --git a/src/pages/protocol/tip20-rewards/spec.mdx b/src/pages/protocol/tip20-rewards/spec.mdx
index 6380b93d..47cb4b63 100644
--- a/src/pages/protocol/tip20-rewards/spec.mdx
+++ b/src/pages/protocol/tip20-rewards/spec.mdx
@@ -4,12 +4,22 @@ description: Technical specification for the TIP-20 reward distribution system u
# TIP-20 Rewards Distribution
+:::info[T3 will change this spec]
+The [T3 network upgrade](/protocol/upgrades/t3) will update this specification. The sections below describe the currently active behavior. See [Upcoming changes](#upcoming-changes) for the upcoming deltas.
+:::
+
## Abstract
An opt-in, scalable, pro-rata reward distribution mechanism built into TIP-20 tokens. The system uses a "reward-per-token" accumulator pattern to distribute rewards proportionally to opted-in holders without requiring staking or per-holder iteration. Rewards are distributed instantly; time-based streaming distributions are planned for a future upgrade.
## Motivation
Many applications require pro-rata distribution of tokens to existing holders (incentive programs, deterministic inflation, staking rewards). Building this into TIP-20 allows efficient distribution without forcing users to stake tokens elsewhere or requiring distributors to loop over all holders.
+## Upcoming changes
+
+T3 updates the TIP-20 rewards spec through [TIP-1022](/protocol/tips/tip-1022) in one place:
+
+- `setRewardRecipient(...)` will reject [TIP-1022](/protocol/tips/tip-1022) virtual addresses. Reward recipients must remain canonical accounts rather than forwarding aliases, because reward assignment is not a TIP-20 forwarding path.
+
## Specification
The rewards mechanism allows anyone to distribute token rewards to opted-in holders proportionally based on holdings. Users must opt in to receiving rewards and may delegate rewards to a recipient address.
diff --git a/src/pages/protocol/tip20/overview.mdx b/src/pages/protocol/tip20/overview.mdx
index ddea9646..f4a0a151 100644
--- a/src/pages/protocol/tip20/overview.mdx
+++ b/src/pages/protocol/tip20/overview.mdx
@@ -180,6 +180,12 @@ By using TIP-20 tokens as quote tokens, the DEX benefits from the same payment-o
icon="lucide:send"
title="Guide: Make Payments"
/>
+
+
+
+This means:
+
+- you keep one deposit address per customer
+- the master wallet receives the balance directly
+- no sweep transaction is needed
+- no separate TIP-20 balance is created for each deposit address
+
+## The mental model
+
+A virtual address is not a second wallet. It is a deposit alias for one canonical wallet.
+
+The important idea is simple: the virtual address is for routing and attribution, while the master wallet is where the TIP-20 balance actually lives.
+
+## Address format
+
+A virtual address is still a normal 20-byte EVM address. [TIP-1022](/protocol/tips/tip-1022) gives those 20 bytes a specific layout:
+
+```text
+0x | masterId (4 bytes) | VIRTUAL_MAGIC (10 bytes) | userTag (6 bytes)
+```
+
+Example:
+
+```text
+0x2612766c fdfdfdfdfdfdfdfdfdfd 000000000001
+```
+
+Where:
+
+| Part | Size | Purpose |
+| --- | --- | --- |
+| `masterId` | 4 bytes | identifies which registered master wallet should receive the funds |
+| `VIRTUAL_MAGIC` | 10 bytes | marks the address as virtual so TIP-20 can recognize it |
+| `userTag` | 6 bytes | operator-chosen routing or attribution value |
+
+TIP-20 recognizes a virtual address by the fixed 10-byte middle marker. It then uses the leading `masterId` to resolve the registered wallet and leaves the trailing `userTag` available for operator-side attribution.
+
+## What happens when someone sends funds
+
+When a sender transfers a covered TIP-20 token to a virtual address, the TIP-20 precompile detects the virtual format, looks up the registered master, and credits that master wallet.
+
+>TIP20: transfer(virtualAddress, amount)
+ TIP20->>Registry: resolve(masterId)
+ Registry-->>TIP20: master wallet
+ TIP20->>Master: credit balance
+ Note over TIP20: emits Transfer(sender → virtual, amount)
+ Note over TIP20: emits Transfer(virtual → master, amount)
+`} />
+
+Two things matter here:
+
+1. The balance is credited only to the master wallet.
+2. The transaction still exposes the virtual address in events, so backends and indexers can attribute the deposit correctly.
+
+That is why `balanceOf(virtualAddress)` remains `0`. The virtual address is visible in the transfer path, but it does not end up holding the token balance.
+
+## What this changes for operators
+
+Virtual addresses are mainly an operations feature.
+
+For an exchange or payment processor, the normal flow becomes:
+
+1. register one master wallet
+2. derive deposit addresses offchain for each customer
+3. watch TIP-20 events and map the `userTag` back to the customer record on the backend
+4. credit the customer internally once the deposit is observed
+
+This gives you the accounting benefits of per-customer addresses without managing thousands or millions of real onchain balances.
+
+## What this changes for wallets, explorers, and indexers
+
+The main UI and indexing implication is that a virtual address should be treated as a forwarding alias, not as a normal balance-holding account.
+
+In practice:
+
+- explorers and indexers should understand the two-hop `Transfer` pattern
+- operational tooling should preserve enough of the address to distinguish the `masterId` and `userTag`
+- deposit attribution should key off the virtual address or decoded `userTag`, not off `balanceOf(virtualAddress)`
+
+## What this does not do
+
+TIP-1022 is deliberately narrow in scope.
+
+### It only changes TIP-20 deposit paths
+
+Virtual forwarding applies only to the TIP-20 transfer and mint paths defined by [TIP-1022](/protocol/tips/tip-1022). It is not a general EVM alias system.
+
+### It does not change ERC-20 contracts deployed on Tempo
+
+If a non-TIP-20 token contract receives a transfer to a virtual address, that contract treats it as a normal literal address. TIP-1022 does not help there.
+
+### It does not make every protocol virtual-address aware
+
+Some protocols record ownership against the literal address they are given. If they mint LP shares, receipts, or similar positions to a virtual address, those positions can become stranded unless that protocol explicitly supports resolution.
+
+### It does not bypass TIP-403 policy checks
+
+Policy checks run against the resolved master wallet. If the master is not allowed to receive a token, deposits to that master's virtual addresses fail too.
+
+## Adoption at a glance
+
+Adopting virtual addresses is straightforward conceptually:
+
+- one-time setup: register a master wallet and mine the required salt
+- ongoing operations: derive deposit addresses offchain
+- reconciliation: decode the `userTag` from events and credit the right customer internally
+
+If you want the exact transfer semantics, event shape, and validation rules, read [TIP-1022](/protocol/tips/tip-1022) alongside the [TIP-20 specification](/protocol/tip20/spec).
+
+## Learn more
+
+
+
+
+
+
diff --git a/src/pages/protocol/tip403/spec.mdx b/src/pages/protocol/tip403/spec.mdx
index d60e5b8b..b5df3c6c 100644
--- a/src/pages/protocol/tip403/spec.mdx
+++ b/src/pages/protocol/tip403/spec.mdx
@@ -4,6 +4,10 @@ description: Technical specification for TIP-403, the policy registry system ena
# Overview
+:::info[T3 will change this spec]
+The [T3 network upgrade](/protocol/upgrades/t3) will update this specification. The sections below describe the currently active behavior. See [Upcoming changes](#upcoming-changes) for the upcoming deltas.
+:::
+
## Abstract
TIP-403 provides a policy registry system that allows TIP-20 tokens to inherit access control and compliance policies. The registry supports two types of policies (whitelist and blacklist) and includes special built-in policies for common use cases. Policies can be shared across multiple tokens, enabling consistent compliance enforcement.
@@ -14,6 +18,13 @@ Token issuers often need to implement compliance policies such as KYC/AML requir
TIP-403 addresses this by providing a centralized registry that tokens can reference for authorization decisions. This enables consistent policy enforcement across multiple tokens and reduces implementation complexity for token issuers.
+## Upcoming changes
+
+T3 updates TIP-403 interactions with token recipients through [TIP-1022](/protocol/tips/tip-1022) as follows:
+
+- Policy-configuration functions that accept literal member addresses will reject [TIP-1022](/protocol/tips/tip-1022) virtual addresses.
+- TIP-20 policy checks for virtual-address transfers and mints will run against the resolved master wallet, not the forwarding alias, so policy membership must be configured on the master address.
+
---
# Specification
diff --git a/src/pages/protocol/transactions/AccountKeychain.mdx b/src/pages/protocol/transactions/AccountKeychain.mdx
index 71f0438b..2243b523 100644
--- a/src/pages/protocol/transactions/AccountKeychain.mdx
+++ b/src/pages/protocol/transactions/AccountKeychain.mdx
@@ -6,14 +6,30 @@ description: Technical specification for the Account Keychain precompile managin
**Address:** `0xAAAAAAAA00000000000000000000000000000000`
+:::info[T3 will change this spec]
+The [T3 network upgrade](/protocol/upgrades/t3) will update this specification. The sections below describe the currently active behavior. See [Upcoming changes](#upcoming-changes) for the upcoming deltas.
+:::
+
## Overview
-The Account Keychain precompile manages authorized Access Keys for accounts, enabling Root Keys (e.g., passkeys) to provision scoped "secondary" Access Keys with expiry timestamps and per-TIP20 token spending limits.
+The Account Keychain precompile manages authorized Access Keys for accounts, enabling Root Keys (e.g., passkeys) to provision scoped "secondary" Access Keys with expiry timestamps and per-TIP20 token spending limits.
## Motivation
The Tempo Transaction type unlocks a number of new signature schemes, including WebAuthn (Passkeys). However, for an Account using a Passkey as its Root Key, the sender will subsequently be prompted with passkey prompts for every signature request. This can be a poor user experience for highly interactive or multi-step flows. Additionally, users would also see "Sign In" copy in prompts for signing transactions which is confusing. This proposal introduces the concept of the Root Key being able to provision a (scoped) Access Key that can be used for subsequent transactions, without the need for repetitive end-user prompting.
+## Upcoming changes
+
+T3 updates the Account Keychain specification through [TIP-1011](/protocol/tips/tip-1011) in the following ways:
+
+- [TIP-1011](/protocol/tips/tip-1011) extends `TokenLimit` with an optional recurring `period`, so spending limits can be either one-time or periodic.
+- `authorizeKey(...)` moves to the new ABI with `allowAnyCalls` and `allowedCalls`, enabling explicit call scoping during key authorization.
+- New `SelectorRule` and `CallScope` structs define per-target and per-selector allowlists, including recipient-bound rules for supported TIP-20 selectors.
+- New root-key-only functions `setAllowedCalls(...)` and `removeAllowedCalls(...)`, plus a new `getAllowedCalls(...)` view, are added for managing and inspecting call scopes.
+- `getRemainingLimit(...)` changes to return both `remaining` and `periodEnd` so callers can observe periodic reset state.
+- `updateSpendingLimit(...)` resets the remaining amount to `newLimit` but does not change the configured `period` or current `periodEnd`.
+- Access-key-signed transactions cannot use the batch’s direct CREATE path. Direct contract deployment must use the root key. Factory/internal CREATE or CREATE2 flows are still allowed.
+
## Concepts
### Access Keys
@@ -35,7 +51,7 @@ The protocol enforces a strict hierarchy at validation time:
1. **Root Key**: The account's main key (derived from the account address)
- Can call all precompile functions
- Has no spending limits
-
+
2. **Access Keys**: Secondary authorized keys
- Cannot call mutable precompile functions (only view functions are allowed)
- Subject to per-TIP20 token spending limits
diff --git a/src/pages/protocol/transactions/index.mdx b/src/pages/protocol/transactions/index.mdx
index a218f46b..c6012fbb 100644
--- a/src/pages/protocol/transactions/index.mdx
+++ b/src/pages/protocol/transactions/index.mdx
@@ -67,6 +67,10 @@ If you are an EVM smart contract developer, see the [Foundry guide for Tempo](/s
## Properties
+:::info[T3 will change these examples]
+The examples below show the currently active Tempo Transaction shape. T3 changes the access-key examples and parts of the transaction envelope, and the affected lines are called out inline.
+:::
+
diff --git a/src/pages/protocol/transactions/spec-tempo-transaction.mdx b/src/pages/protocol/transactions/spec-tempo-transaction.mdx
index 1645e480..1d6e3476 100644
--- a/src/pages/protocol/transactions/spec-tempo-transaction.mdx
+++ b/src/pages/protocol/transactions/spec-tempo-transaction.mdx
@@ -4,6 +4,10 @@ description: Technical specification for the Tempo transaction type (EIP-2718) w
# Tempo Transaction
+:::info[T3 will change this spec]
+The [T3 network upgrade](/protocol/upgrades/t3) will update this specification. The sections below describe the currently active behavior. See [Upcoming changes](#upcoming-changes) for the upcoming deltas.
+:::
+
## Abstract
This spec introduces native protocol support for the following features, using a new Tempo transaction type:
@@ -20,6 +24,18 @@ Current accounts are limited to secp256k1 signatures and sequential nonces, crea
Users cannot leverage modern authentication methods like passkeys, applications face throughput limitations due to sequential nonces.
+## Upcoming changes
+
+T3 updates the Tempo Transaction spec through [TIP-1011](/protocol/tips/tip-1011) in the following ways:
+
+- `KeyAuthorization` expands with the [TIP-1011](/protocol/tips/tip-1011) fields `allowed_calls` and periodic `TokenLimit.period`, adding call scoping and recurring spending limits to access keys.
+- The signed post-T3 key-authorization payload remains `SignedKeyAuthorization { authorization, signature }`, but `authorization` now uses the expanded `KeyAuthorization` shape and new RLP encoding.
+- Low-level integrators that manually encode `key_authorization` must branch pre-T3 vs post-T3. The post-T3 digest and signed payload include `allowed_calls?` in addition to `expiry?` and `limits?`.
+- Access-key validation gains two new execution checks: call scopes must pass before execution begins, and access-key-signed transactions may no longer perform contract creation anywhere in the batch.
+- The Account Keychain precompile ABI changes in lockstep with T3 to support periodic limits, call-scoped authorizations, and new scope-management functions.
+- Intrinsic gas for `key_authorization` changes to account for periodic-limit state and call-scope storage. See [TIP-1011](/protocol/tips/tip-1011#intrinsic-gas-for-key-authorization) for the post-T3 slot-counting rules.
+
+
## Specification
### Transaction Type
@@ -688,16 +704,17 @@ The protocol tracks and enforces spending limits for TIP20 token transfers:
```typescript
// Define key parameters
const keyAuth = {
+ chain_id: 1,
key_type: SignatureType.P256, // 1
key_id: keyId, // address derived from public key
expiry: timestamp + 86400, // 24 hours from now (or 0 for never)
limits: [
- { token: USDG_ADDRESS, amount: 1000000000 }, // 1000 USDG (6 decimals)
- { token: DAI_ADDRESS, amount: 500000000000000000000 } // 500 DAI (18 decimals)
+ { token: USDG_ADDRESS, limit: 1000000000 }, // 1000 USDG (6 decimals)
+ { token: DAI_ADDRESS, limit: 500000000000000000000 } // 500 DAI (18 decimals)
]
};
- // Compute digest: keccak256(rlp([key_type, key_id, expiry, limits]))
+ // Compute digest: keccak256(rlp([chain_id, key_type, key_id, expiry, limits]))
const authDigest = computeAuthorizationDigest(keyAuth);
```
@@ -718,10 +735,7 @@ The protocol tracks and enforces spending limits for TIP20 token transfers:
max_fee_per_gas: 1000000000,
max_priority_fee_per_gas: 1000000000,
key_authorization: {
- key_type: keyAuth.key_type,
- expiry: keyAuth.expiry,
- limits: keyAuth.limits,
- key_id: keyAuth.key_id,
+ authorization: keyAuth,
signature: rootSignature // Root Key's signature on authDigest
},
// ... other fields
diff --git a/src/pages/protocol/upgrades/t3.mdx b/src/pages/protocol/upgrades/t3.mdx
index a23585e5..66318794 100644
--- a/src/pages/protocol/upgrades/t3.mdx
+++ b/src/pages/protocol/upgrades/t3.mdx
@@ -1,11 +1,11 @@
---
title: T3 Network Upgrade
-description: Details and timeline for the T3 network upgrade, including enhanced access keys, signature verification, virtual addresses, and security hardening and gas correctness fixes.
+description: Details and timeline for the T3 network upgrade, including enhanced access keys, signature verification, and virtual addresses.
---
# T3 Network Upgrade
-This page summarizes the features, partner impact, and breaking changes included in the T3 network upgrade.
+This page summarizes T3 scope, partner impact, and breaking changes.
:::info[T3 is not live yet]
The features described on this page are scheduled for T3 and are not active on Moderato or Presto yet. They only become live once the T3 activation timestamps are reached.
@@ -15,7 +15,7 @@ The features described on this page are scheduled for T3 and are not active on M
| Network | Date | Timestamp |
|---------|------|-----------|
-| Moderato (testnet) | April 22, 2026 4pm CEST | `TBD` |
+| Moderato (testnet) | April 21, 2026 4pm CEST | `TBD` |
| Presto (mainnet) | April 27, 2026 4pm CEST | `TBD` |
Partners should upgrade nodes to the T3-compatible release before the Moderato activation timestamp.
@@ -27,7 +27,13 @@ T3 is Tempo's next network upgrade. It introduces the following changes:
- A signature verification precompile for secp256k1, P256, and WebAuthn signatures ([TIP-1020](/protocol/tips/tip-1020))
- Virtual addresses for TIP-20 deposit forwarding ([TIP-1022](/protocol/tips/tip-1022))
-**Action required for integrators:** Partners that create or update access keys should upgrade to a T3-compatible SDK release before activation.
+**Action required for integrators:** Review T3 before activation if you create or update access keys or index TIP-20 transfers.
+
+## Who is affected?
+
+- Access-key integrations that directly call `AccountKeychain.authorizeKey(...)` onchain or manually encode `key_authorization` payloads must migrate to the new TIP-1011 format after activation.
+- Explorers and indexers that surface TIP-20 transfer history or counts must handle TIP-1022 virtual-address forwarding as one logical deposit, not two independent transfers.
+- Most other integrators only need to upgrade to T3-compatible tooling. Existing authorized access keys keep working, and teams that do not adopt virtual addresses do not need code changes for TIP-1022.
## Partner impact
@@ -39,28 +45,37 @@ T3 is Tempo's next network upgrade. It introduces the following changes:
## Breaking changes
-Partners that create or update access keys should upgrade to a T3-compatible SDK release before activation.
+Breaking changes only affect two groups: access-key integrations that either manually encode `key_authorization` or directly call `AccountKeychain.authorizeKey(...)` onchain, and explorers/indexers that surface TIP-20 transfer history or counts.
-For most integrators, no action is needed beyond upgrading to T3-compatible tooling. Existing authorized access keys keep working, and Tempo Transactions that use `key_authorization` keep working.
+For most other integrators, no action is needed beyond upgrading to T3-compatible tooling. Existing authorized access keys keep working, and Tempo Transactions that use `key_authorization` continue to work through T3-compatible tooling.
### Breaking change for access-key integrations
-The only integrations that need code changes are ones that call `AccountKeychain.authorizeKey(...)` directly onchain. Before T3, those flows used the legacy authorization ABI. After T3, they must use the TIP-1011 authorization format with the updated `authorizeKey(...)` arguments. Legacy calls fail with `LegacyAuthorizeKeySelectorChanged`, sometimes surfaced as `LegacyAuthorizeKeySelectorChanged(newSelector: 0x980a6025)`.
+Only integrations that directly call `AccountKeychain.authorizeKey(...)` or manually construct `key_authorization` payloads need code changes. Before T3, those flows use the legacy authorization ABI and legacy key-authorization encoding. Post-T3, they must use the TIP-1011 authorization format with the updated `authorizeKey(...)` arguments and post-T3 `key_authorization` payload shape. Legacy calls fail with `LegacyAuthorizeKeySelectorChanged`, sometimes surfaced as `LegacyAuthorizeKeySelectorChanged(newSelector: 0x980a6025)`.
**Before activation:** Integrations must continue using the legacy `AccountKeychain.authorizeKey(...)` ABI. The TIP-1011 authorization format is not yet valid onchain.
-**After activation:** Integrations must use the TIP-1011 authorization format.
+**Post-T3:** Integrations must use the TIP-1011 authorization format.
+
+T3 also adds one new execution restriction: access-key-signed transactions can no longer create contracts. If your product used access keys for deployments, factory calls, or module-install flows that create contracts, move those transactions to a Root Key path.
+
+If you support both pre-T3 and post-T3 networks at the same time, branch on network version or activation timestamp. The old authorization ABI only works before T3. The new authorization ABI only works post-T3.
+
+### Breaking changes for explorers and indexers
-T3 also adds one new execution restriction: access-key-signed transactions can no longer create contracts. If your product used access keys for deployments, factory calls, or module-install flows that create contracts, those transactions must move to a Root Key path.
+TIP-20 virtual-address forwarding does not introduce a new transfer event. Forwarded deposits show up as two standard `Transfer` events in the same transaction: one hop into the virtual address and one hop from the virtual address to the registered master wallet.
-If you support both pre-T3 and post-T3 networks at the same time, branch on network version or activation timestamp. The old authorization ABI only works before T3. The new authorization ABI only works after T3.
+If your explorer or indexer treats each `Transfer` log as an independent user-facing transfer, forwarded deposits will appear twice: once to the virtual address and once to the master wallet. That inflates transfer counts, shows the wrong effective recipient in transfer/history views, and can mis-credit deposits to the literal virtual address instead of the registered master wallet.
+
+Handle these flows as one logical deposit to the master wallet, using the virtual address only as an attribution alias. Virtual addresses themselves always have a TIP-20 balance of zero.
### Migration checklist
-- upgrade to a T3-compatible SDK mentioned below
+- upgrade to a T3-compatible SDK release listed below
- regenerate contract bindings or replace handcrafted encoders for `authorizeKey(...)`
- move any access-key contract-creation flows to a Root Key path
-- test key creation, key rotation, and recovery flows on Moderato after T3 activates
+- if you adopt virtual addresses, collapse the two-hop `Transfer` pair into one logical deposit to the registered master wallet rather than treating the virtual address hop as a separate transfer
+- test key creation, key rotation, and recovery flows on Moderato post-T3 activation
## Compatible SDK releases
@@ -74,21 +89,29 @@ Tempo's broader tooling ecosystem is available in [Developer tools](/quickstart/
| [Python](https://github.com/tempoxyz/pytempo) | [`0.5.0`](https://github.com/tempoxyz/pytempo/releases/tag/pytempo%400.5.0) |
| [Foundry](https://github.com/foundry-rs/foundry) | [`nightly`](https://github.com/foundry-rs/foundry/releases/tag/nightly) |
+:::note[Current SDK caveat]
+The Accounts SDK and `wallet_authorizeAccessKey` docs still describe the legacy pre-T3 access-key shape. Until their T3 support lands, use the protocol specs and the T3-compatible SDK releases above for the post-T3 `authorizeKey(...)` ABI.
+:::
+
## Related docs
-Guides about TIPs coming soon.
+- [Virtual addresses for TIP-20 deposits](/protocol/tip20/virtual-addresses)
+- [TIP-1022](/protocol/tips/tip-1022)
+- For the coordinating meta TIP, see [tempoxyz/tempo#3273](https://github.com/tempoxyz/tempo/pull/3273).
## Feature TIPs
### TIP-1011: Enhanced Access Key Permissions
-[TIP-1011](/protocol/tips/tip-1011) adds periodic spending limits and call scoping to access keys, including restrictions on which contracts a key can call and, for common token flows, which recipient it can target. This gives wallets, account SDKs, and apps a safer way to offer delegated permissions for recurring billing, subscription renewals, payroll, connected-app approvals, or agent budgets without asking the user to approve every transaction manually. For existing partners, previously authorized access keys continue to work after activation, but any flow that creates, rotates, or re-authorizes a key must move to the new TIP-1011 ABI, and access-key transactions can no longer be used for contract creation.
+[TIP-1011](/protocol/tips/tip-1011) adds periodic spending limits and call scoping to access keys, including restrictions on which contracts a key can call and, for common token flows, which recipient it can target. Previously authorized access keys continue to work, but any flow that creates, rotates, or re-authorizes a key must move to the new TIP-1011 ABI, and access-key transactions can no longer be used for contract creation.
### TIP-1020: Signature Verification Precompile
-[TIP-1020](/protocol/tips/tip-1020) adds a single precompile for verifying secp256k1, P256, and WebAuthn signatures onchain. This gives smart contract teams, wallet builders, and account integrators a standard verification surface for passkey wallets, multisigs, governance approvals, subscription authorization, and other signature-driven flows without deploying and maintaining custom verifier contracts for each signature type. This change is additive for existing partners: nothing breaks if you keep your current verifier setup, but teams that want simpler integrations or forward-compatible support for Tempo signature types can adopt the precompile. Keychain signatures still need `AccountKeychain` for key resolution, so this precompile covers the underlying signature schemes rather than the full keychain authorization flow.
+[TIP-1020](/protocol/tips/tip-1020) adds a single precompile for verifying secp256k1, P256, and WebAuthn signatures onchain. This is additive: existing verifier setups keep working, but teams that want a standard verification surface for passkey wallets, multisigs, governance approvals, and other signature-driven flows can adopt the precompile instead of maintaining custom verifier contracts.
The Foundry project template for Tempo includes a working example that uses the `SignatureVerifier` precompile to verify P256 signatures inside a smart contract. See the [Signature Verification with Foundry](/sdk/foundry/signature-verifier) guide to get started.
### TIP-1022: Virtual Addresses for TIP-20 Deposit Forwarding
-[TIP-1022](/protocol/tips/tip-1022) lets partners issue per-user deposit addresses that forward TIP-20 deposits to a registered master wallet at the protocol level. This is useful for exchanges, ramps, custodians, and payment processors that want one deposit address per customer for reconciliation, attribution, or account crediting, but do not want to maintain sweep jobs or fund separate onchain wallets for every user. For existing partners, nothing changes unless you adopt virtual addresses, but any explorer, indexer, or backend system that surfaces TIP-20 deposit activity should handle forwarded deposits correctly. Teams that adopt virtual addresses should treat those forwarded deposits as deposits to the registered master wallet. Forwarding applies only to TIP-20 transfer paths.
+[TIP-1022](/protocol/tips/tip-1022) lets partners issue per-user deposit addresses that forward TIP-20 deposits to a registered master wallet at the protocol level. Nothing changes unless you adopt virtual addresses, but explorers, indexers, and backends that surface TIP-20 deposit activity should collapse the two-hop forwarding path into one logical deposit to the master wallet. Forwarding applies to recipient-bearing TIP-20 paths, including transfers and mints.
+
+See [Virtual addresses for TIP-20 deposits](/protocol/tip20/virtual-addresses) for the routing model, address layout, and indexing implications.
diff --git a/src/pages/quickstart/integrate-tempo.mdx b/src/pages/quickstart/integrate-tempo.mdx
index 9db9ca8b..4cba2811 100644
--- a/src/pages/quickstart/integrate-tempo.mdx
+++ b/src/pages/quickstart/integrate-tempo.mdx
@@ -5,7 +5,6 @@ interactive: true
import * as Demo from '../../components/guides/Demo.tsx'
import { ConnectWallet } from '../../components/ConnectWallet.tsx'
-import TempoTxProperties from '../../snippets/tempo-tx-properties.mdx'
import { Cards, Card } from 'vocs'
# Integrate Tempo
diff --git a/src/pages/quickstart/predeployed-contracts.mdx b/src/pages/quickstart/predeployed-contracts.mdx
index f16094ea..15a2e34b 100644
--- a/src/pages/quickstart/predeployed-contracts.mdx
+++ b/src/pages/quickstart/predeployed-contracts.mdx
@@ -14,6 +14,8 @@ Core protocol contracts that power Tempo's features.
| [**Fee Manager**](/protocol/fees/spec-fee-amm#2-feemanager-contract) | [`0xfeec000000000000000000000000000000000000`](https://explore.tempo.xyz/address/0xfeec000000000000000000000000000000000000) | Handle fee payments and conversions |
| [**Stablecoin DEX**](/protocol/exchange) | [`0xdec0000000000000000000000000000000000000`](https://explore.tempo.xyz/address/0xdec0000000000000000000000000000000000000) | Enshrined DEX for stablecoin swaps |
| [**TIP-403 Registry**](/protocol/tip403/spec) | [`0x403c000000000000000000000000000000000000`](https://explore.tempo.xyz/address/0x403c000000000000000000000000000000000000) | Transfer policy registry |
+| [**Signature Verifier**](/protocol/tips/tip-1020) | [`0x5165300000000000000000000000000000000000`](https://explore.tempo.xyz/address/0x5165300000000000000000000000000000000000) | Verify secp256k1, P256, and WebAuthn signatures onchain |
+| [**Address Registry**](/protocol/tips/tip-1022) | [`0xFDC0000000000000000000000000000000000000`](https://explore.tempo.xyz/address/0xFDC0000000000000000000000000000000000000) | Resolve virtual TIP-20 deposit addresses to registered master wallets |
| [**pathUSD**](/protocol/exchange/quote-tokens#pathusd) | [`0x20c0000000000000000000000000000000000000`](https://explore.tempo.xyz/address/0x20c0000000000000000000000000000000000000) | First stablecoin deployed |
## Standard Utilities
diff --git a/src/pages/sdk/foundry/index.mdx b/src/pages/sdk/foundry/index.mdx
index c4cf1308..6737e8ad 100644
--- a/src/pages/sdk/foundry/index.mdx
+++ b/src/pages/sdk/foundry/index.mdx
@@ -129,7 +129,7 @@ forge script script/Mail.s.sol
```bash
# Set environment variables
-export TEMPO_RPC_URL=https://rpc.tempo.xyz
+export TEMPO_RPC_URL=https://rpc.moderato.tempo.xyz
export VERIFIER_URL=https://contracts.tempo.xyz
# Optional: create a new keypair and request some testnet tokens from the faucet.
@@ -156,15 +156,6 @@ forge create src/Mail.sol:Mail \
--verify \
--constructor-args 0x20c0000000000000000000000000000000000001
-# Deploy using an access key (delegated signing)
-forge create src/Mail.sol:Mail \
- --tempo.access-key $ACCESS_KEY_PRIVATE_KEY \
- --tempo.root-account $ROOT_ADDRESS \
- --rpc-url $TEMPO_RPC_URL \
- --broadcast \
- --verify \
- --constructor-args 0x20c0000000000000000000000000000000000001
-
# Set a salt for deterministic contract address derivation
# The salt is passed to TIP20_FACTORY.createToken() which uses it with the sender
# address to compute a deterministic deployment address via getTokenAddress(sender, salt)
@@ -196,6 +187,8 @@ forge script script/Deploy.s.sol \
--private-key $PRIVATE_KEY
```
+Use a root key for `forge create`. Post-T3, access keys can sign calls but not deployments.
+
For more verification options including verifying existing contracts and API verification, see [Contract Verification](/quickstart/verify-contracts).
:::warning[Batch Transaction Rules]
@@ -285,8 +278,8 @@ cast send 'increment()' \
# Send with access key (delegated signing):
# First authorize the key via Account Keychain precompile
cast send 0xAAAAAAAA00000000000000000000000000000000 \
- 'authorizeKey(address,uint8,uint64,bool,(address,uint256)[])' \
- $ACCESS_KEY_ADDR 0 1893456000 false "[]" \
+ 'authorizeKey(address,uint8,uint64,bool,(address,uint256,uint64)[],bool,(address,(bytes4,address[])[])[])' \
+ $ACCESS_KEY_ADDR 0 1893456000 false "[]" true "[]" \
--rpc-url $TEMPO_RPC_URL \
--private-key $ROOT_PRIVATE_KEY
# Then send using the access key
@@ -296,6 +289,10 @@ cast send 'increment()' \
--tempo.root-account $ROOT_ADDRESS
```
+Post-T3, direct `authorizeKey(...)` calls must use the enhanced TIP-1011 ABI shown above. If you need periodic limits or call scopes, fill those arrays instead of passing `[]`.
+
+Post-T3, access-key transactions also cannot create contracts, so use a root key for deployments or other flows that perform `CREATE`.
+
### Local Development with Anvil
Anvil supports Tempo mode for local testing and forking Tempo networks:
diff --git a/src/pages/sdk/typescript/index.mdx b/src/pages/sdk/typescript/index.mdx
index 8fdf9a16..9a16325a 100644
--- a/src/pages/sdk/typescript/index.mdx
+++ b/src/pages/sdk/typescript/index.mdx
@@ -6,13 +6,11 @@ import { Cards, Card } from 'vocs'
# TypeScript SDKs
-
Tempo distributes TypeScript SDKs for:
- [Viem](https://viem.sh): TypeScript interface for EVM blockchains
- [Wagmi](https://wagmi.sh): React Hooks (and reactive primitives) for EVM blockchains
-The Tempo extensions can be used to perform common operations with the chain, such as:
- querying the chain, sending Tempo transactions, managing tokens & their AMM pools, and more.
+The Tempo extensions cover common chain operations such as querying state, sending Tempo transactions, and managing tokens and AMM pools.
@@ -938,6 +942,7 @@ transactions thereafter can be signed by the access key.
key_id: access_key.address(), // [!code hl]
expiry: None, // [!code hl]
limits: None, // [!code hl]
+ // T3: add `allowed_calls: None` here; `limits` entries can also include a period // [!code hl]
}; // [!code hl]
let sig = root.sign_hash_sync(&authorization.signature_hash())?; // [!code hl]
let key_authorization = SignedKeyAuthorization { // [!code hl]
@@ -1017,6 +1022,7 @@ transactions thereafter can be signed by the access key.
key_id=access_key.address, # [!code hl]
expiry=int(time.time()) + 3600, # [!code hl]
limits=None, # [!code hl]
+ # T3: add `allowed_calls=None` here; `limits` entries can also include a period # [!code hl]
) # [!code hl]
signed_auth = auth.sign(account.key.hex()) # [!code hl]
@@ -1092,8 +1098,9 @@ transactions thereafter can be signed by the access key.
gasPrice := big.NewInt(25_000_000_000)
keychainAddr := common.HexToAddress(keychain.AccountKeychainAddress)
- // Authorize the access key via Account Keychain precompile // [!code hl]
- parsed, _ := abi.JSON(strings.NewReader(`[{
+ // Authorize the access key via Account Keychain precompile // [!code hl]
+ // T3: this ABI expands to add `period`, `allowAnyCalls`, and `allowedCalls` // [!code hl]
+ parsed, _ := abi.JSON(strings.NewReader(`[{
"name": "authorizeKey",
"type": "function",
"inputs": [
@@ -1171,6 +1178,7 @@ transactions thereafter can be signed by the access key.
```bash
# 1. Authorize the access key via Account Keychain precompile
+ # T3: this legacy ABI changes to add `period`, `allowAnyCalls`, and `allowedCalls`
$ cast send 0xAAAAAAAA00000000000000000000000000000000 \
'authorizeKey(address,uint8,uint64,bool,(address,uint256)[])' \
$ACCESS_KEY_ADDR 0 1893456000 false "[]" \
@@ -1203,8 +1211,8 @@ transactions thereafter can be signed by the access key.
valid_after,
fee_token,
fee_payer_signature,
- authorization_list,
- key_authorization, // [!code focus]
+ authorization_list, // T3: renamed to aa_authorization_list
+ key_authorization, // T3: expands with call scoping and periodic limits // [!code focus]
signature,
])
```
diff --git a/vocs.config.ts b/vocs.config.ts
index c65bb9b5..7ef1f317 100644
--- a/vocs.config.ts
+++ b/vocs.config.ts
@@ -454,6 +454,10 @@ export default defineConfig({
text: 'Specification',
link: '/protocol/tip20/spec',
},
+ {
+ text: 'Virtual addresses',
+ link: '/protocol/tip20/virtual-addresses',
+ },
{
text: 'Reference Implementation',
link: 'https://github.com/tempoxyz/tempo/blob/main/tips/ref-impls/src/TIP20.sol',
@@ -670,7 +674,7 @@ export default defineConfig({
link: '/protocol/upgrades/t3',
},
{
- text: 'T2',
+ text: 'T2 (Active)',
link: '/protocol/upgrades/t2',
},
],