Recovery

AGENSAI's recovery story has two layers: your main account and your orchestrators. They have different recovery mechanisms because they have different security profiles.

Your main account

Your main account is a JAW smart account rooted in your passkey. Recovery is built into JAW.

  • Passkey synced via Apple Keychain or Google Password Manager. Sign in to a new device that has your passkey synced. JAW restores main-account access through keys.jaw.id.
  • No AGENSAI involvement. AGENSAI runs zero infrastructure for credentials. The recovery path is between you, your OS-level passkey provider, and JAW.
  • Lost passkey? Standard passkey recovery via your Apple ID or Google account flow. Same surface that recovers any other passkey-protected app.

The main account is the most secure tier. As long as you have your passkey, you have your main account.

Your orchestrators

Each orchestrator is a JAW smart account with its own ENS name and local signing key. The local key lives at ~/.agensai/orchestrator.key on the device that paired it. The key never leaves the device, never gets backed up, and we never see it.

So how do you reach an orchestrator from a different device?

The answer is the recovery co-owner. Every JAW smart account supports multiple owners. When you spawn your first agent under an orchestrator, AGENSAI quietly installs your main JAW account as a second owner on the orchestrator's smart wallet. After that point, any device that can authenticate as your main account can sign UserOps for the orchestrator: top up, retire, drain, manage agents.

The orchestrator's local key continues to sign agent-spawn UserOps from chat on the original device for speed. Main is the durable owner that survives device loss.

What's recoverable

| Asset | How |
|---|---|
| Fleet identity (orchestrator + agent names, parent/child relationships, permission snapshots) | Lives on ENS as text records under your main subname (agensai.orch.N) and each orchestrator's subname (children, parent, permission). Anyone can read these via CCIP-Read. No AGENSAI backend involved. |
| Funds | Your main passkey can sign drain UserOps from any orchestrator it co-owns. Sign in from a new device; the Retire orchestrator action in the dashboard drains the orch SA back to main in one passkey ceremony. |
| Authority over agents | Each agent's permission references its parent orchestrator. The orchestrator address never changes. From a new device, main signs as the orchestrator (via the recovery co-owner path) to revoke, top up, or manage agents. |

What's not recoverable

  • The lost device's orchestrator local key. Gone with the device. We don't store it server-side. The key was a fast-path signer for chat-spawned agent UserOps on that specific device.
  • The lost device's agent local keys. Same story.

From a new device, you can operate the orchestrator via your main passkey (slower, one passkey per action) without losing anything. For high-frequency chat-spawning under a recovered orch, pair the same orch as the device's local signer using its pair command. This restores fast-path operation.

The flow

  1. Lose device. Sign in to app.agensai.xyz from a new device with your passkey. JAW restores main-account access via keys.jaw.id.
  2. The dashboard reads agensai.orch.N from your main subname. Every orchestrator you have shows up as a card.
  3. For each orchestrator, you can:
    • Top up (send funds to its address from any wallet).
    • Retire (one passkey, drains balances back to main, revokes all child agents).
    • Inspect agents under it.
    • Pair as the device's local signer (paste the pair command in chat on the new device).

The recovery co-owner is what makes step 3 work without needing the old device's local key. Main was installed as a co-owner the first time you spawned an agent under that orchestrator. JAW's resolveSmartAccount verifies your main is in the owner list, then signs the UserOp.
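
A fleet audit built on the owner-list check described above, as an added example (not AGENSAI or JAW code). It runs on a constructed snapshot; the text-record value format, the example.eth names, the addresses and the function names are assumptions. Because main is installed as co-owner at the first agent spawn, an orchestrator that has not yet spawned an agent is reported as local-key-only.

```javascript
// Added example with constructed data; not AGENSAI or JAW code.
// Assumptions: each agensai.orch.N text record holds one orchestrator ENS name,
// and each orchestrator's owner list has already been read from chain.
const MAIN = "0x00000000000000000000000000000000000000AA"; // constructed address

// Constructed snapshot of what a new device can read without the old local keys.
const mainTextRecords = {
  "agensai.orch.1": "orch-b.example.eth",
  "agensai.orch.0": "orch-a.example.eth",
  "agensai.orch.2": "orch-c.example.eth",
  "description": "unrelated record",
};
const ownerLists = {
  // Has spawned an agent: local key plus main as recovery co-owner.
  "orch-a.example.eth": [
    "0x00000000000000000000000000000000000000b1",
    "0x00000000000000000000000000000000000000aa",
  ],
  // Paired but no agent spawned yet: local key is the only owner.
  "orch-b.example.eth": ["0x00000000000000000000000000000000000000b2"],
  // orch-c.example.eth: owner list could not be read, so it is absent here.
};

// Collect orchestrator names from agensai.orch.N records, ordered by N.
function listOrchestrators(records) {
  return Object.entries(records)
    .map(([key, value]) => [/^agensai\.orch\.(\d+)$/.exec(key), value])
    .filter(([match]) => match !== null)
    .sort(([a], [b]) => Number(a[1]) - Number(b[1]))
    .map(([, value]) => value);
}

// Addresses compare case-insensitively (checksummed vs. lowercase forms).
function isOwner(owners, address) {
  return owners.some((o) => o.toLowerCase() === address.toLowerCase());
}

// Classify each orchestrator by whether main can act for it after device loss.
function auditFleet(main, records, owners) {
  return listOrchestrators(records).map((name) => {
    if (!Object.hasOwn(owners, name)) return { name, status: "unknown" };
    const recoverable = isOwner(owners[name], main);
    return { name, status: recoverable ? "recoverable" : "local-key-only" };
  });
}

console.log(auditFleet(MAIN, mainTextRecords, ownerLists));
```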

When you don't need to recover

Some scenarios don't need the full recovery flow.

| Scenario | Right move |
|---|---|
| One agent compromised | Tell Claude to revoke it. One on-chain transaction. Zero biometric. The replacement agent is one prompt away. |
| Suspicion the orchestrator's local key is exposed but the device is fine | Run Retire orchestrator from the dashboard. One passkey. Funds sweep to main, agents revoked. Pair a new orchestrator and rebuild. |
| Device is lost | Sign in from a new device. See above. |
| Main passkey lost | Standard passkey recovery via Apple or Google. Your fleet is fine and waits for you. |

Why this works

| Anchor | What it protects |
|---|---|
| Passkey at OS level | Your main account survives any device loss. |
| Multi-owner JustanAccount | Main is co-owner of every orch you've used. Authority survives any local-key loss. |
| ENS records | The list of orchestrators and the structure of your fleet survive anywhere AGENSAI's dashboard might go. Any ENS-aware tool can rebuild the view. |
| ERC-7715 permissions on chain | Agent grants are enforced by the validator, not by AGENSAI. Existing agents keep working through any recovery event. |

The boundary line is your passkey. As long as you have it, you have everything underneath.