CAIP-375: Wallet Sign Message


Metadata
Status: Review
Type: Standard
Created: 2025-08-25
Authors
Pedro Gomes (@pedrouid)

Simple Summary


Defines a JSON-RPC method, wallet_signMessage, to request cryptographic signatures on arbitrary messages from one or more wallet accounts, optionally tied to a session.

Abstract


The wallet_signMessage RPC method is a chain-agnostic interface for signing arbitrary messages. It supports multiple accounts and signature schemes within a single call, optionally referencing a CAIP-171 session. This unifies how apps and wallets perform message signing for authentication, typed data, and off-chain actions.

Motivation


Message signing today is fragmented: each wallet has its own API for personal message signing, typed data (e.g., EIP-712), or custom formats. There's no standard to support multiple accounts or signature types in one request. This proposal fixes that by:

  • Supporting optional sessions (CAIP-171) to link signing requests to an ongoing connection.
  • Allowing multiple messages and flexible signature schemes (e.g., EIP-191, EIP-1271).
  • Making message type and content explicit, improving wallet UX and security.

Specification


Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" written in uppercase in this document are to be interpreted as described in RFC-2119.

Definition

Request:


Response:


Rules:

  • sessionId is OPTIONAL but MUST follow CAIP-171 if provided.
  • Each message MUST include messageType and content.
  • Wallets MAY choose any of the provided signatureTypes.
  • Response MUST include account and signatureType for each signature.
  • capabilities is an OPTIONAL metadata object, placed outside signatures.

Security Considerations


  • Malicious apps can trick users into signing harmful messages; wallets MUST show clear prompts including content and account.
  • Including nonces or timestamps in content is RECOMMENDED to prevent replay attacks.
  • Sessions referenced by sessionId SHOULD be validated to ensure scope compliance.
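The Rules and Security Considerations above, as an added wallet-side check (example code, not part of CAIP-375 or any wallet's implementation). It assumes a parameter layout the page does not reproduce: params = { sessionId?, messages: [{ account, messageType, content }], signatureTypes: [...] }, a response of { signatures: [...], capabilities? }, and an in-memory session store; since CAIP-171's sessionId syntax is not on this page, "valid" here means the id matches an active session and every account falls within that session's scope.

```javascript
// Added example, not code from CAIP-375: a wallet-side gate for wallet_signMessage that enforces
// the Rules and Security Considerations. Assumed (the CAIP's schema is not reproduced here):
// params = { sessionId?, messages: [{ account, messageType, content }], signatureTypes: [...] }.
const CAIP10_RE = /^[-a-z0-9]{3,8}:[-_a-zA-Z0-9]{1,32}:[-.%a-zA-Z0-9]{1,128}$/; // CAIP-10 account id
// Heuristic, not a CAIP rule: flag content with no visible nonce or timestamp (replay risk).
const REPLAY_HINT_RE = /\b(nonce|timestamp|issued at|expires?|iat|exp)\b/i;

// Constructed wallet state: one active CAIP-171 session scoped to a single account,
// plus the signature schemes this wallet implements.
const SESSIONS = { "sess-01": { accounts: ["eip155:1:0xab16a96d359ec26a11e2c2b3d8f8b8942d5bfcdb"] } };
const SUPPORTED = ["eip191", "eip712", "eip1271"];

function validateRequest(params, sessions = SESSIONS, supported = SUPPORTED) {
  const errors = [], warnings = [];
  let scope = null; // accounts the referenced session authorizes, if a sessionId was given
  if (params.sessionId !== undefined) {
    scope = typeof params.sessionId === "string" ? sessions[params.sessionId]?.accounts : undefined;
    if (!scope) errors.push("sessionId does not match an active session");
  }
  const msgs = Array.isArray(params.messages) ? params.messages : [];
  if (msgs.length === 0) errors.push("messages must be a non-empty array");
  msgs.forEach((m, i) => {
    if (typeof m.messageType !== "string" || typeof m.content !== "string")
      errors.push(`messages[${i}] must include messageType and content`);
    if (!CAIP10_RE.test(String(m.account))) errors.push(`messages[${i}].account is not a CAIP-10 id`);
    else if (scope && !scope.includes(m.account)) errors.push(`messages[${i}].account is outside the session scope`);
    if (typeof m.content === "string" && !REPLAY_HINT_RE.test(m.content))
      warnings.push(`messages[${i}] carries no nonce or timestamp`);
  });
  // The wallet MAY choose any offered scheme; here it takes the first one it implements.
  const signatureType = (params.signatureTypes || []).find((t) => supported.includes(t));
  if (!signatureType) errors.push("none of the offered signatureTypes is supported");
  return { ok: errors.length === 0, errors, warnings, signatureType };
}

// Prompt text the wallet MUST show before signing: account and content of every message.
const promptLines = (params) => params.messages.map((m) => `Sign as ${m.account} [${m.messageType}]: ${m.content}`);

// Response shape: account and signatureType per signature; capabilities sit outside signatures.
// `sign(account, messageType, content, signatureType)` is the wallet's own signer, supplied by the caller.
function buildResponse(params, sign, capabilities) {
  const v = validateRequest(params);
  if (!v.ok) throw new Error(v.errors.join("; "));
  const signatures = params.messages.map((m) => ({
    account: m.account, signatureType: v.signatureType,
    signature: sign(m.account, m.messageType, m.content, v.signatureType),
  }));
  return capabilities ? { signatures, capabilities } : { signatures };
}
```

A wallet would surface `warnings` in the prompt rather than refuse, since nonces and timestamps are RECOMMENDED, not REQUIRED.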

Privacy Considerations


  • Signing may reveal account addresses; wallets SHOULD only return requested data.
  • capabilities could expose metadata; apps and wallets SHOULD handle them carefully.
  • Multi-message requests could link identities; wallets MAY warn users.

Links


  • CAIP-10 - Account ID Specification
  • CAIP-104 - Definition of Chain Agnostic Namespaces or CANs
  • CAIP-171 - Session Identifier, i.e. syntax and usage of sessionIds
  • CAIP-217 - Authorization Scopes, i.e. syntax for scopeObjects
  • RFC-2119 - Key Words for use in RFCs to Indicate Requirement Levels

Copyright


Copyright and related rights waived via CC0.