Skip to main content
API Preview
Developers

Wallet

Registering a wallet gives ~Alter a destination you control to settle your Identity Income: the earnings that accrue when someone reads your identity with your consent. It is optional, and you add it whenever you choose to draw your earnings down. Until then your earnings are held for you. One limit applies now: without a registered payout address you cannot complete the paid step yet, so adding one is what enables earning. ~Alter never holds your money, and never reads what is at the address: not balances, not holdings, not activity. The wallet is a destination you control, not a data source.

What pairing does not authorise

Pairing this connector is a read commitment, not delegation. Specifically, ~Alter cannot use this pairing to:

  • Move, spend, or manage anything at the address. ~Alter holds no signing power and gains no account access. The proof you sign is a one-time confirmation that the address is yours, nothing more.
  • Sign or authorise anything on your behalf at any later moment. Registering a destination grants no ongoing access of any kind.
  • Read what is held at the address: balances, holdings, or any asset view. ~Alter does not query the address for anything beyond confirming you control it.
  • Infer your contacts or your activity from the address.
  • Settle to an address you have not registered. Changing your destination takes a fresh signed confirmation from the new address.

The OAuth or attestation scope we request is the minimum required to recognise the pattern described in What we read. Anything beyond that is structurally refused at the connector boundary, not promised by trust. How pairing works.

What we read

  • The address you provide, and a confirmation that you control it.
  • A one-time signature proving control of the address, verified and then discarded.

What we don't read

~Alter explicitly refuses these fields even when the OAuth scope or API permits them. Every refusal is enforced at the connector boundary, not by trust.

  • Balances, holdings, or any asset snapshot at the address.
  • Activity or transaction history at the address, beyond the settlements ~Alter itself sends you.
  • Your contacts, or any inference drawn from the address.
  • Any account elsewhere that happens to be linked to the same address.
  • Recovery phrases, private keys, or any signing material. These never reach ~Alter under any path.

Where it lives

The registered address and the date you added it sit in ~alter's pairing ledger, keyed to your ~handle. You can register more than one and choose which is your primary settlement destination. Removing a destination takes effect immediately, and any earnings held for you stay yours.

How to revoke

Revocation is immediate. Ask the AI client you paired through to revoke this connector, or revoke it from your consent surface over the same connection. Either path revokes the provider token, stops all further reads, and purges the derived signals this connector fed into your identity vector. An audit row records the revocation.

One thing is kept on purpose. The connector retains a record that this account was paired and when it was disconnected, so the same account cannot be unpaired and re-paired in quick succession to churn your identity vector. That cooldown record holds the raw profile snapshot until the window passes. It is never read into a new signal while disconnected, and it is not shared with anyone.

Prefer the command line? The CLI is the optional deeper path and revokes the same connector:

CLI (optional)

alter wallet clear

Pairing this connector does not enrol you in any matching, ranking, or matching surface. Every downstream use requires its own consent row. See the consent model.

Wallet connector · Docs