Every dapp interaction on Ethereum follows the same ritual. The app asks permission, the wallet pops up, you click approve, the transaction goes through. Repeat for the next action, and the one after that. MetaMask just changed that loop with a feature called Advanced Permissions, built on a new standard called ERC-7715.
What Advanced Permissions Actually Do
Advanced Permissions let a user grant a dapp specific, limited authority to act on their behalf. Instead of signing every transaction individually, you approve a permission once. That permission defines exactly what the dapp can do: which tokens it can move, how much per period, and when the access expires.
The practical example MetaMask uses: you could authorize a dapp to spend 10 USDC per day to buy ETH over the course of a month. The dapp executes those daily purchases from your account without you opening your wallet 30 times.
The feature shipped on April 6 as part of the MetaMask Smart Accounts Kit. It requires upgrading from a standard EOA (externally owned account) to a smart account, which MetaMask handles through its existing interface.
The Permission Architecture
ERC-7715 defines the permission specification itself: what the dapp is asking for, the constraints, and the duration. A companion standard, ERC-7710, handles the delegation framework that lets a separate "session account" execute transactions on your behalf.
That session account never holds your funds. It operates within the boundaries you set, and the constraints are enforced onchain through smart contracts called caveat enforcers. If an execution request falls outside the approved scope, the contract rejects it.
MetaMask's implementation includes four permission types:
Periodic allowances reset on a schedule. A subscription service could draw 5 USDC monthly, and the permission resets each period without requiring re-approval.
Streaming allowances unlock linearly over time. These support vesting schedules, gradual token unlocks, or any scenario where access should increase at a constant rate.
Token revocation lets a dapp clean up stale ERC-20 approvals on your behalf, the kind of infinite approvals that have drained wallets in dozens of exploits over the past three years.
Native token permissions work the same as the ERC-20 versions but for ETH itself.
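The periodic and streaming allowance rules and the expiry window can be modeled off-chain to see which executions an enforcer would reject. This is an added example, not MetaMask's enforcer contract code or Smart Accounts Kit API. The function names, the no-rollover rule, and the rate and cap parameters are assumptions made for illustration.

```javascript
// Added example: off-chain model of scoped-permission checks (not MetaMask's contracts).
// Amounts are BigInt token base units (USDC has 6 decimals); times are Unix seconds.
const USDC = 10n ** 6n, DAY = 86400;

// Checks shared by both permission types: time window first, then amount sanity.
function precheck(amount, now, { start, expiry }) {
  if (now < start || now >= expiry) return "rejected: outside time window";
  if (amount <= 0n) return "rejected: invalid amount";
  return null;
}

// Periodic allowance: up to perPeriod per period. Assumption: unused budget does not roll over.
function makePeriodic(grant) {
  let period = -1, spent = 0n;
  return (amount, now) => {
    const err = precheck(amount, now, grant);
    if (err) return err;
    const current = Math.floor((now - grant.start) / grant.periodSecs);
    if (current !== period) { period = current; spent = 0n; } // new period: reset counter
    if (spent + amount > grant.perPeriod) return "rejected: exceeds period allowance";
    spent += amount;
    return "ok";
  };
}

// Streaming allowance: spendable total grows linearly from start, capped at maxTotal.
function makeStreaming(grant) {
  let spent = 0n;
  return (amount, now) => {
    const err = precheck(amount, now, grant);
    if (err) return err;
    const accrued = grant.ratePerSec * BigInt(now - grant.start);
    const unlocked = accrued < grant.maxTotal ? accrued : grant.maxTotal;
    if (spent + amount > unlocked) return "rejected: exceeds unlocked amount";
    spent += amount;
    return "ok";
  };
}

// Constructed scenario: the "10 USDC per day for a month" grant described above.
function runDcaScenario(start = 1700000000) {
  const dca = makePeriodic({ perPeriod: 10n * USDC, periodSecs: DAY, start, expiry: start + 30 * DAY });
  return [
    dca(10n * USDC, start + 60),        // day 0 purchase
    dca(1n, start + 120),               // same day, budget already used
    dca(10n * USDC, start + DAY + 60),  // day 1, counter has reset
    dca(10n * USDC, start + 30 * DAY),  // at expiry
  ];
}
console.log(runDcaScenario());
```

The expiry comparison is deliberately `>=`, so a request arriving exactly at the expiry timestamp is already out of scope.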
Why This Is Not the Same as Infinite Approvals
The crypto industry has a long history of unlimited token approvals gone wrong. When you approve a dapp to spend "unlimited" tokens, that approval sits onchain indefinitely. If the dapp's contract gets exploited months later, the attacker can drain every token you approved.
Advanced Permissions are structurally different. The permission is an EIP-712 signature, not an onchain approval. The scope is defined at grant time: maximum amount, time window, specific token. When the window closes, the permission dies. No leftover approval sitting in a contract waiting to be exploited.
MetaMask also shows a plain-language approval screen that spells out what the dapp is requesting. Users can adjust parameters before approving and revoke permissions at any time through MetaMask's connection settings.
The distinction matters. Operation Atlantic froze $12 million in crypto stolen through approval phishing. Scoped permissions with automatic expiry would have limited the damage window for many of those victims.
The AI Agent Use Case
The timing is not accidental. MetaMask explicitly positions Advanced Permissions as infrastructure for AI agents operating onchain.
An AI agent managing a DCA strategy, rebalancing a portfolio, or executing trades based on predefined rules needs the ability to send transactions without a human clicking "approve" every time. But giving an AI agent full wallet access is a security disaster waiting to happen.
Advanced Permissions create a middle ground: the agent can operate autonomously within a budget you define. If it tries to exceed the budget or act outside scope, the onchain enforcer blocks the transaction.
Visa's recent Intelligent Commerce Connect is building similar plumbing on the payments rail side. MetaMask is doing it at the wallet level. Both point to a future where automated agents need bounded spending authority, not binary access.
What Crypto Card Users Should Know
For anyone spending crypto through a MetaMask card, the immediate impact is indirect. The Metal and Virtual cards use a top-up model where you load funds before spending. Advanced Permissions do not change how those cards work today.
The longer-term implication is more interesting. If dapps can execute recurring payments from a smart account, the top-up step could eventually become unnecessary. A merchant or subscription service could draw directly from your wallet balance within pre-approved limits, more like how a traditional debit card works against a bank account.
That is speculative. Right now, the feature is aimed at developers building dapps, DeFi protocols, and agent-based systems. Consumer-facing payment flows would require both merchant adoption and regulatory clarity around direct wallet debits.
The Smart Account Migration Question
Advanced Permissions require smart accounts, not traditional EOAs. MetaMask has been pushing smart account adoption for over a year, and this feature is the strongest incentive yet.
The migration is not without friction. Smart accounts have different gas dynamics, and not every dapp supports them yet. For users whose primary MetaMask activity is holding and occasionally swapping tokens, the upgrade may not be worth it today.
For power users running DeFi strategies, managing multiple positions, or experimenting with AI agents, the value proposition is clearer. Signing 15 transactions to execute a multi-step DeFi strategy is a genuine pain point, and scoped permissions solve it without surrendering custody.
Overview
MetaMask Advanced Permissions, built on ERC-7715, let dapps execute transactions from your wallet within limits you define: specific tokens, capped amounts, and automatic expiry. Permissions are enforced onchain through smart contracts, not through trust. The feature launched April 6 as part of the Smart Accounts Kit and requires upgrading to a smart account. Primary use cases include DCA automation, subscription payments, AI agent execution, and cleaning up stale token approvals. The security model is a structural improvement over infinite approvals: permissions expire, and the session account that executes transactions never holds user funds.








