Developers
May 2, 2023
Web3 UX today faces many challenges. High gas costs, long transaction times, and difficulties managing seed phrases are some of the most common issues that many projects, including ZeroDev, strive to fix.
However, there’s one problem that lies at the heart of why Web3 just “doesn’t feel right” to regular users, and yet is rarely discussed. The problem is that authorization is broken on Web3.
Authentication vs Authorization
Before we delve deeper, let's clarify the difference between authentication and authorization:
Authorization on Web2
In Web2, authorization is usually managed with JSON Web Tokens (JWTs), primarily in the context of OAuth.
Consider logging into Zoom using Google. An OAuth sequence prompts you to grant certain permissions, such as creating calendar events. Once approved, Google generates a JWT containing these specific authorizations. The JWT allows Zoom to request services from Google's API on your behalf (e.g., calendar event creation), but nothing else (e.g., accessing your emails).
This process is so commonplace that people seldom pause to think about it. However, when newcomers to Web3 start using DApps, they quickly realize a daunting issue — authorization in Web3 is fundamentally flawed.
Authorization is Broken on Web3
The central idea of the JWT experience is that on Web2, it's possible to authorize a third-party app (e.g., Zoom) to interact with a service (e.g., Google) on your behalf.
In Web3, however, there’s no common standard for authorization. As a result, each application (or ERC) has to implement its own method:
approve(spender, amount).setApprovalForAll(operator, approved).More importantly, handling authorization at the contract level is deeply limiting. If you want to authorize a third party to mint NFTs for you, the contract-level function setApprovalForAll (which only concerns transfers) is insufficient.
What we need is a Web3 equivalent of JWTs—a universal standard for authorizing third parties to perform actions on your behalf. Since expecting all contracts to conform is difficult, the solution is to implement authorization at the wallet level.
Use the Wallet, Duh
The most obvious way to authorize someone to do something for you is to give them your seed phrase, which gives them the ability to interact with any contract. But this is overkill and unsafe.
So what if there was a way to give someone access to your wallet, but in such a way that they could only send a limited set of transactions for you?
Session Keys are the JWTs of Web3
Enter session keys—a feature of ZeroDev AA wallets wherein you can create temporary keys that are scoped to only certain transactions, with an expiration time.
Session keys are the JWTs of Web3. Much like JWTs, session keys are:
While similar, session keys are fundamentally more powerful because they are programmable, allowing for far more granular and custom permissions than a fixed JWT standard.
JWTs vs. Session Keys Comparison (Webflow Friendly)
Granular Permissions
Expiration Time
User Experience
Security
Decentralization
Interoperability
Trust
Empowering DApps with Session Keys
It’s hard to overstate the impact of a flexible and interoperable means of authorization. By taking advantage of session keys, DApps can create experiences that are simply impossible to create otherwise.
Session keys allow transactions that seem "automatic" from the user's perspective, in two forms:
Use Session Keys with ZeroDev Today
ZeroDev offers what it believes to be the most advanced implementation of session keys:
Session keys are available with ZeroDev today. Get started here and build some groundbreaking DApps!
The Road Ahead
The quest to fix Web3 UX is a long one, but session keys are a significant step towards this goal, offering a practical and secure solution to a major issue—the lack of authorizations—that has been largely overlooked until now.
As more projects adopt session keys and AA in general, we will see the gap between Web2 and Web3 experiences begin to close. ZeroDev is proud to be a part of this journey!

This post announces the launch of the ZeroDev Go SDK and a dedicated User Operation Builder API, making ZeroDev the first smart account provider to offer native, high-performance support for sending UserOps directly from a Go backend.

This blog post, the second in a series, analyzes the impact of EIP-7702 (slated for Pectra, April 2025) on DApp developers. EIP-7702 allows an existing EOA (Externally Owned Account) to "upgrade" into a smart account while keeping its original address, bringing AA benefits like gas sponsorship and passkeys to existing users.

This blog post addresses two major challenges of the ERC-4337 standard after two years in production: high transaction costs (UserOps are $\sim$2x more expensive than regular transactions) and slow transaction latency (often adding 2–3 seconds to execution time).
If your team is blocked on account UX, gas, or chain complexity, ZeroDev gives you a practical place to start.
