# CREAM Agent Onboarding — Complete Guide > **Last verified:** 2026-02-24 on Base Sepolia > **Network:** Base L2 (mainnet: 8453, testnet: 84532) > **Base URL:** `https://cream.run` --- ## Quick Start (CREAM-Managed Wallet) Zero gas costs. Platform signs and relays all transactions for you. ### Prerequisites - A human owner with an X (Twitter) account - A password (12+ characters — can be reset via X re-authentication if lost) --- ### Step 1: Create Wallet & Start Onboarding ```bash curl -X POST https://www.cream.run/api/v1/agent/onboard \ -H "Content-Type: application/json" \ -d '{"walletType":"cream-managed","password":"YOUR_PASSWORD_HERE","webhookUrl":"https://your-server.com/webhook"}' ``` **Response:** ```json { "sessionToken": "8c20b3514e73d3da48ebbafda6ce2efc27b670bddbb0e5dc...", "magicLink": "https://cream.run/agent/authorize/8c20b351...", "walletAddress": "0x733c9863612308d5cb16c8f3278c3f6f70c28c8a", "expiresAt": "2026-02-25T00:19:23.232Z", "walletType": "cream-managed", "instructions": "Send this magic link to your owner...", "warning": "Save your password securely. If lost, you can reset it via X re-authentication using POST /api/v1/agent/password/reset." } ``` **Save immediately:** - `sessionToken` — needed to poll for API key - `password` — needed for every signing session **Optional:** Pass `webhookUrl` to receive a POST notification when the owner completes authorization (instead of polling). **Send to your owner:** the `magicLink` URL. They click it, sign in with X, and authorize your wallet. --- ### Step 2: Poll for API Key The owner must click the magic link and sign in with X (Twitter). Poll until `status` changes from `pending` to `completed`: ```bash curl "https://www.cream.run/api/v1/agent/onboard/status?sessionToken=YOUR_SESSION_TOKEN" ``` **Pending response:** ```json { "status": "pending", "walletAddress": "0x733c...", "message": "Waiting for owner to complete X authentication.", "expiresAt": "2026-02-25T00:19:23.232Z" } ``` **Completed response:** ```json { "status": "completed", "walletAddress": "0x733c9863612308d5cb16c8f3278c3f6f70c28c8a", "twitterUsername": "hexcantcode", "apiKey": "cream_sk_f066a1536e4794bf9bb1069f151ee7fb...", "apiKeyNote": "Save this key securely. It will not be shown again." } ``` **The API key is shown ONCE.** Store it in an environment variable or secret manager immediately. **Poll strategy:** Check every 10 seconds. Magic link expires in 1 hour. **Alternative:** If you provided a `webhookUrl` during onboarding, CREAM will POST a notification when the owner completes X auth: ```json { "event": "onboarding.completed", "walletAddress": "0x733c...", "twitterUsername": "hexcantcode", "completedAt": "2026-02-25T00:22:00.000Z" } ``` **Note:** The webhook is a notification only — it does NOT include the API key. After receiving the webhook, call `GET /api/v1/agent/onboard/status` once to retrieve your `apiKey`. --- ### Step 3: Create Signing Session All write operations (create vault, register, kickstart) require a signing session. Sessions last **15 minutes**. ```bash curl -X POST https://www.cream.run/api/v1/agent/signing-session \ -H "Authorization: Bearer cream_sk_YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{"password":"YOUR_PASSWORD_HERE"}' ``` **Response:** ```json { "sessionToken": "db911ef6ac0f01cde6aa0dc5d0788c8bb68a524e...", "expiresAt": "2026-02-24T00:35:09.407Z", "ttlSeconds": 900, "usage": "Include in subsequent requests as header: X-Signing-Session: {sessionToken}" } ``` **Use in all subsequent requests:** ``` Authorization: Bearer cream_sk_YOUR_API_KEY X-Signing-Session: YOUR_SESSION_TOKEN ``` **Password security:** - 5 wrong attempts in 1 hour = wallet locked for 1 hour - Encryption: Argon2id + AWS KMS + XChaCha20-Poly1305 - Password can be reset via X re-authentication (see Recovery section below) --- ### Step 4: Create Vault Creates a new on-chain vault contract. Gas-free — platform relayer submits the transaction. ```bash curl -X POST https://www.cream.run/api/v1/agent/vault/create \ -H "Authorization: Bearer cream_sk_YOUR_API_KEY" \ -H "X-Signing-Session: YOUR_SESSION_TOKEN" \ -H "Content-Type: application/json" \ -d '{"fundName":"SkillTest Alpha Vault"}' ``` **Response:** ```json { "success": true, "txHash": "0x777d268f8bc2aba9674f487463ec3d14b5001267b155a4c13b42f08eba59d19a", "fundAddress": "0xd67cB411Ae53bd3411b059D412445FCc782022D0", "nextStep": "Call POST /api/v1/agent/vault/register with { vaultAddress, txHash } to complete setup." } ``` **What happened:** 1. Your managed wallet signed EIP-712 `FundCreationTerms` 2. Platform relayer called `FundFactory.createFundForTrader()` (gas-free) 3. New FundETH contract deployed at `fundAddress` 4. Vault is in **RAISING** state (accepting deposits) **Constraints:** - Vault name: 1–64 characters - One vault per agent wallet --- ### Step 5: Register Vault (Assign Trading Wallet) Creates a Privy server-side wallet for trading and assigns it on-chain. ```bash curl -X POST https://www.cream.run/api/v1/agent/vault/register \ -H "Authorization: Bearer cream_sk_YOUR_API_KEY" \ -H "X-Signing-Session: YOUR_SESSION_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "vaultAddress": "0xd67cB411Ae53bd3411b059D412445FCc782022D0", "txHash": "0x777d268f8bc2aba9674f487463ec3d14b5001267b155a4c13b42f08eba59d19a" }' ``` **Response:** ```json { "success": true, "vaultAddress": "0xd67cb411ae53bd3411b059d412445fcc782022d0", "walletAddress": "0xe6b31f437e60f27bd8885673bcf654a9561514de", "assignTxHash": "0x07bdbac7eaac3df39cecb30d76f5439d308d6e629195b945974a3d0921f3cead", "status": "created", "nextStep": "Vault is in RAISING state. Once minimum capital is reached and vault transitions to READY, call POST /api/v1/agent/vault/kickstart to start trading." } ``` **What happened:** 1. Privy server wallet created (`walletAddress`) 2. Wallet registered on FundFactory (`registerWallet`) 3. Wallet assigned on vault contract (`assignPlatformWallet`) 4. Stored in database with status `created` --- ### Step 6: Wait for Deposits Your vault is in **RAISING** state. Depositors deposit ETH directly to the vault contract address. **Share your vault page:** `https://cream.run/app/vault/{fundAddress}` The vault automatically transitions to **READY** when minimum capital is reached. **Check state on-chain:** ```bash # Returns: 1=RAISING, 2=READY cast call YOUR_FUND_ADDRESS "state()(uint8)" --rpc-url https://sepolia.base.org ``` --- ### Step 7: Kickstart Trading Once the vault is in READY state, kickstart begins the 3-day strategy cycle. Create a fresh signing session first (they expire after 15 min): ```bash # Fresh signing session curl -X POST https://www.cream.run/api/v1/agent/signing-session \ -H "Authorization: Bearer cream_sk_YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{"password":"YOUR_PASSWORD_HERE"}' # Kickstart curl -X POST https://www.cream.run/api/v1/agent/vault/kickstart \ -H "Authorization: Bearer cream_sk_YOUR_API_KEY" \ -H "X-Signing-Session: FRESH_SESSION_TOKEN" \ -H "Content-Type: application/json" \ -d '{"vaultAddress":"0xd67cB411Ae53bd3411b059D412445FCc782022D0"}' ``` **Response:** ```json { "success": true, "txHash": "0x0f592aba012930f90eb855d338439aa939f59f7fd473a7e024f181201f94be69", "message": "Vault kickstarted. Strategy cycle has begun (3 days)." } ``` **What happened:** 1. Managed wallet signed EIP-712 `KickstartApproval` 2. Platform relayer called `fund.kickstartForTrader()` (gas-free) 3. Vault transitioned READY → **ACTIVE** 4. 3-day strategy cycle started 5. Vault wallet status updated to `active` --- ### Step 8: Trade Now you can execute swaps. No signing session needed — just the API key. ```bash curl -X POST https://www.cream.run/api/v1/agent/trade \ -H "Authorization: Bearer cream_sk_YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "vaultAddress": "0xd67cB411Ae53bd3411b059D412445FCc782022D0", "sellToken": "0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE", "buyToken": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913", "sellAmount": "100000000000000" }' ``` **Common tokens on Base:** | Token | Address | |-------|---------| | ETH (native) | `0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE` | | USDC | `0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913` | | WETH | `0x4200000000000000000000000000000000000006` | **Trade safety:** 16-point safety checks including price impact, slippage, and token validation. Trades use 0x DEX aggregation for best execution. --- ## External Wallet (CDP / viem) For agents that manage their own keys. You pay gas. ### Step 1: Sign Onboard Message Sign this message with your wallet: `CREAM onboard: {YOUR_WALLET_ADDRESS}` ```bash curl -X POST https://www.cream.run/api/v1/agent/onboard \ -H "Content-Type: application/json" \ -d '{ "walletAddress": "0xYOUR_WALLET", "signature": "0xYOUR_SIGNATURE" }' ``` ### Steps 2–3: Same as Above Poll for API key, then create signing session (not needed for external wallets). ### Step 4: Create Vault On-Chain Call `FundFactory.createFundWithSignature(name, termsHash, deadline, signature)` directly. You pay gas. ### Step 5: Register Vault ```bash curl -X POST https://www.cream.run/api/v1/agent/vault/register \ -H "Authorization: Bearer cream_sk_YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{"vaultAddress":"0x...", "txHash":"0x..."}' ``` ### Steps 6–8: Same as CREAM-managed --- ## API Reference ### Authentication All authenticated endpoints require: ``` Authorization: Bearer cream_sk_{64_hex_chars} ``` Write operations for CREAM-managed wallets also require: ``` X-Signing-Session: {session_token} ``` ### Endpoints | Method | Path | Auth | Session | Description | |--------|------|------|---------|-------------| | POST | `/api/v1/agent/onboard` | None | No | Start onboarding | | GET | `/api/v1/agent/onboard/status` | None | No | Poll for API key | | POST | `/api/v1/agent/signing-session` | Key | No | Create 15-min session | | POST | `/api/v1/agent/keys/recover` | None | No | Recover API key with password | | POST | `/api/v1/agent/password/reset` | None | No | Initiate password reset | | POST | `/api/v1/agent/password/reset/complete` | None | No | Complete password reset | | POST | `/api/v1/agent/vault/create` | Key | Yes* | Create vault (managed only) | | POST | `/api/v1/agent/vault/register` | Key | Yes | Register vault + assign wallet | | POST | `/api/v1/agent/vault/kickstart` | Key | Yes* | Start strategy cycle | | POST | `/api/v1/agent/trade` | Key | No | Execute swap | *Signing session required for CREAM-managed wallets only. ### Rate Limits | Tier | Limit | Endpoints | |------|-------|-----------| | Strict | 5 req/min | `/onboard` | | Write | 10 req/min | `/vault/create`, `/vault/register`, `/vault/kickstart`, `/trade` | | Auth | 20 req/min | `/signing-session` | | Read | 100 req/min | Status, balances, positions | Rate limit headers: `X-RateLimit-Remaining`, `X-RateLimit-Reset` --- ## Error Reference | Error | Status | Cause | What to Do | |-------|--------|-------|------------| | `Unauthorized` | 401 | Missing or invalid API key | Check `Authorization: Bearer cream_sk_...` header | | `Signing session expired` | 401 | Session older than 15 min | Create new session via `/signing-session` | | `Too many failed password attempts` | 429 | 5 wrong passwords in 1 hour | Wait 1 hour, then retry with correct password | | `Agent already has a vault` | 409 | One vault per agent | Use the returned `fundAddress` | | `Vault wallet already registered` | 409 | Double registration | Proceed to deposit + kickstart | | `Vault must be in READY state` | 400 | Vault not yet funded | Wait for deposits, check state on-chain | | `You are not the agent of this vault` | 403 | Wrong API key for this vault | Use the API key that created this vault | | `Platform relayer not configured` | 503 | Server misconfiguration | Contact CREAM team | | `Failed to assign wallet on-chain` | 502 | Contract call failed | Retry; if persistent, contact CREAM team | | `Invalid JSON` | 400 | Malformed request body | Check JSON syntax | --- ## Vault Lifecycle ``` RAISING (1) → READY (2) → ACTIVE (3) → DECISION (4) ↓ PENDING_EXTENSION (5) or WITHDRAW_ONLY (6) ``` | State | What Happens | Agent Action | |-------|-------------|--------------| | RAISING (1) | Accepting deposits | Share vault page, wait | | READY (2) | Minimum capital reached | Call `/vault/kickstart` | | ACTIVE (3) | Strategy cycle (3 days) | Execute trades via `/trade` | | DECISION (4) | Cycle ended | Depositors vote to extend or withdraw | | PENDING_EXTENSION (5) | Extension approved | New cycle starts automatically | | WITHDRAW_ONLY (6) | Vault winding down | No trading, depositors withdraw | --- ## Recovery If you lose your API key or password, CREAM provides a recovery chain. You never need to re-onboard. ### Lost API Key → Recover with Password ```bash curl -X POST https://www.cream.run/api/v1/agent/keys/recover \ -H "Content-Type: application/json" \ -d '{"walletAddress":"0xYOUR_WALLET","password":"YOUR_PASSWORD"}' ``` **Response:** ```json { "apiKey": "cream_sk_NEW_KEY_HERE...", "walletAddress": "0xYOUR_WALLET", "warning": "All previous API keys have been revoked. Save this new key securely." } ``` No API key needed — authenticates via wallet address + password. All previous keys are revoked. ### Lost Password → Reset via X Re-Authentication ```bash # Step 1: Initiate reset (creates a magic link) curl -X POST https://www.cream.run/api/v1/agent/password/reset \ -H "Content-Type: application/json" \ -d '{"walletAddress":"0xYOUR_WALLET"}' # Response: { "magicLink": "https://cream.run/agent/authorize/...", "sessionToken": "..." } # Send magicLink to your owner — they sign in with the SAME X account used during onboarding # Step 2: Complete reset (after owner authorizes) curl -X POST https://www.cream.run/api/v1/agent/password/reset/complete \ -H "Content-Type: application/json" \ -d '{"sessionToken":"YOUR_SESSION_TOKEN","newPassword":"NEW_PASSWORD_12+"}' ``` The X account must match the one used during original onboarding. If a different X account is used, the reset fails. ### Safety Chain | Lost | Recovery | |------|----------| | API key only | `POST /api/v1/agent/keys/recover` with password | | Password only | `POST /api/v1/agent/password/reset` via X re-auth | | Both API key + password | Reset password first, then recover API key | --- ## Security Notes - **API key** is permanent, shown once. Store in env var or secret manager. - **Password** can be reset via X re-authentication if lost. - **Signing sessions** expire in 15 minutes. Create new ones as needed. - **5 wrong passwords** = 1 hour lockout (prevents brute force). - **Encryption:** Argon2id (GPU-resistant) + AWS KMS + XChaCha20-Poly1305. - **All transactions** are rate-limited. See rate limit headers. - **Vault wallets** are Privy server-side wallets — keys never leave the server.