Soap

Coinbase Mobile Attestation and Embedded Wallet Policies Secure Agent Transactions

Jun 12, 2026 | 4 min read | By Soap Examples

Mobile-first autonomous systems need cryptographic proof that wallet requests originate from legitimate, unmodified app builds. Coinbase now enforces mobile app attestation at the protocol level. Engineers can verify every wallet action comes from their real mobile app, blocking spoofed or compromised clients before they transact. Coinbase's new Embedded Wallet policies let developers lock down signing rules—allowlists, value caps, network constraints—per project, scaling fine-grained control without manual review gates. TOTP support adds a second authentication factor, hardening multi-signature and high-value transaction flows.

Three layers of embedded wallet security

1. Mobile app attestation: iOS App Attest and Android Play Integrity verification now enforced on every wallet action, proving requests originate from your real, unmodified mobile build.

2. Embedded Wallet policies: Policy Engine rules scoped to CDP projects—allowlists, value caps, network locks, ABI/IDL validation—governing end-user signing without human intervention.

3. Time-based One-Time Password (TOTP) authentication: second-factor MFA for high-risk transactions and multi-sig scenarios.

Why this release matters

Autonomous agents and mobile-first commerce systems must operate at transaction velocity while rejecting fraudulent or compromised clients. Coinbase's release bridges attestation (proving app integrity) with policy enforcement (controlling what gets signed), letting developers ship agent-driven wallets that are cryptographically certain and policy-compliant. TOTP adds friction where it matters—high-value or multi-sig flows—without slowing routine transactions.

Mobile app attestation enforces build legitimacy

Coinbase now validates iOS App Attest and Android Play Integrity tokens on every wallet request. This proves to Coinbase that your app binary is authentic and unmodified, blocking phishing apps, sideloaded APKs, and jailbroken clients before they touch private keys. The attestation happens at the protocol level, so it applies to every operation—transfers, approvals, contract interactions—without additional developer plumbing.

Embedded Wallet policies codify signing rules at the protocol layer

The new Policy Engine lets you define per-project rules governing which transactions get signed. You can set recipient allowlists (only whitelist-approved addresses), value caps (reject transfers above a threshold), network locks (polygon-only, no mainnet), and ABI/IDL checks (only sign contract functions matching your schema). Coinbase enforces these rules automatically, making policy violations impossible without re-deployment.

TOTP adds friction exactly where you need it

Time-based One-Time Passwords lock high-risk transactions and multi-signature workflows behind a second factor. Unlike SMS OTP, TOTP lives on the user's device (Authenticator app, passkey manager), sidestepping SIM-swap risk. Developers can gate specific transaction types—large transfers, contract deployments, key rotations—behind TOTP without requiring it for every action.

Verifying agent wallets before autonomous transactions

Autonomous agents orchestrating on-chain commerce or treasury flows must prove they run in a legitimate, unmodified environment. By pairing mobile app attestation with Embedded Wallet policies, developers can ensure that an agent—running in a native mobile wrapper—can only sign transactions matching predefined rules (recipient whitelist, amount caps, contract interface). The agent requests a transaction; Coinbase verifies the app build is real, checks the transaction against your policy, and signs only if both pass. A compromised or spoofed client fails attestation before it even reaches the policy layer.

Agents transact at velocity with cryptographic certainty they run in the correct environment and under the correct constraints.

Scaling multi-factor authentication for high-value flows

High-value settlements, key rotations, and multi-signature treasury operations require friction—not to block users, but to catch mistakes and compromise. TOTP adds a second factor that lives on the user's phone, hardening these workflows without requiring a centralized approval backend. You can gate only the riskiest transactions behind TOTP (e.g., transfers above $100k, smart contract deployments), letting routine operations proceed without interruption. Your system maintains agency and speed while protecting against large-scale compromise or operational error.
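The gating described above, as an added example that is not Coinbase's or Soap's code: a standard RFC 6238 TOTP check (HMAC-SHA1, 30-second steps, one step of drift tolerated) applied only to the transaction classes the text calls high-risk, so routine transfers pass without a code. The $100k threshold, the always-gated transaction types, the function names and the use of the RFC 6238 test key as a demo secret are assumptions; a real enrolment uses a per-user random secret held by the authenticator app.

```python
# Added example, not Coinbase's or Soap's code: RFC 6238 TOTP verification used
# to gate only the transaction classes the text calls high-risk. The threshold,
# the gated transaction types and the function names are assumptions.
import base64
import hashlib
import hmac
import struct

TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6
HIGH_VALUE_THRESHOLD_CENTS = 100_000 * 100                    # assumed cap: $100k, as in the text
ALWAYS_GATED_TYPES = {"contract_deployment", "key_rotation"}  # assumed high-risk classes

# RFC 6238 test key ("12345678901234567890" in base32), used only so the
# vectors are checkable; a real enrolment uses a per-user random secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    mac = hmac.new(base64.b32decode(padded), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32: str, at_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at_time // TOTP_STEP_SECONDS)


def verify_totp(secret_b32: str, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side
    (clock drift); the comparison is constant-time."""
    counter = at_time // TOTP_STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta).encode(), code.encode())
        for delta in range(-window, window + 1)
    )


def requires_second_factor(tx: dict) -> bool:
    """True only for the gated classes; routine transfers skip the second factor."""
    return tx["type"] in ALWAYS_GATED_TYPES or tx.get("amount_cents", 0) > HIGH_VALUE_THRESHOLD_CENTS


def authorize(tx: dict, secret_b32: str, at_time: int, code: str = "") -> str:
    """Return 'approved', 'totp_required' or 'rejected'."""
    if not requires_second_factor(tx):
        return "approved"
    if not code:
        return "totp_required"
    return "approved" if verify_totp(secret_b32, code, at_time) else "rejected"


if __name__ == "__main__":
    import time
    now = int(time.time())
    big = {"type": "transfer", "amount_cents": 20_000_000}          # $200k, above the cap
    print(authorize(big, DEMO_SECRET_B32, now))                      # totp_required
    print(authorize(big, DEMO_SECRET_B32, now, totp(DEMO_SECRET_B32, now)))  # approved
```

The drift window is deliberately small: widening it makes a stolen code usable for longer, so a server should also remember the last accepted counter per user and refuse to accept the same code twice.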

Locking wallets to specific blockchains and contract interfaces

Many autonomous systems operate across multiple chains—Ethereum, Polygon, Arbitrum—but may need to restrict an agent to one network or allow only certain contract functions. Coinbase's policy engine lets you define these constraints once and enforce them at the protocol level. An agent can attempt to sign a bridging or cross-chain swap, but Coinbase will reject it if your policy says 'polygon-only' or 'no bridge contracts.' The wallet is now a policy-enforced gateway, not just a signature device. Operational boundaries are enforced cryptographically, eliminating entire categories of misconfiguration risk.
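The two-stage decision described in the agent-wallet section and the network and contract locks described here, as one added example that is not Coinbase's or Soap's code: a signing gateway that first checks an attestation verdict and only then evaluates the project policy (network lock, recipient allowlist, value cap, ABI function check). The verdict shape, the policy schema, EXPECTED_APP_ID, the sample addresses and the function names are assumptions constructed for illustration; the platform tokens themselves (App Attest, Play Integrity) are verified against Apple's and Google's material upstream and arrive here as an already-evaluated verdict. The two ERC-20 selectors are the real ones for transfer(address,uint256) and approve(address,uint256).

```python
# Added example, not Coinbase's or Soap's code: a signing gateway that checks
# the attestation verdict first and only then evaluates project policy.
# The verdict shape, policy schema, EXPECTED_APP_ID and the sample addresses
# are assumptions constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Attestation:
    verified: bool   # platform token validated against Apple/Google material upstream
    app_id: str      # bundle id / package name the token was issued for
    fresh: bool      # nonce matched this request and timestamp is within tolerance


@dataclass(frozen=True)
class Policy:
    allowed_networks: frozenset    # network lock, e.g. {"polygon"}
    allowed_recipients: frozenset  # lowercase hex addresses
    max_value_wei: int             # value cap in the chain's smallest unit
    allowed_selectors: frozenset   # 4-byte function selectors (hex) in the project's ABI


@dataclass(frozen=True)
class TxRequest:
    network: str
    to: str
    value_wei: int
    data: bytes = b""


EXPECTED_APP_ID = "com.example.agentwallet"  # assumed identifier of the real build


def check_attestation(att: Attestation) -> Optional[str]:
    """Reject anything that is not a fresh token from the expected, unmodified build."""
    if not att.verified:
        return "attestation: token failed platform verification"
    if att.app_id != EXPECTED_APP_ID:
        return "attestation: token issued for a different app"
    if not att.fresh:
        return "attestation: stale or replayed token"
    return None


def check_policy(tx: TxRequest, policy: Policy) -> Optional[str]:
    """Apply the project's signing rules; the first violated rule is the reason."""
    if tx.network not in policy.allowed_networks:
        return f"policy: network {tx.network!r} is locked out"
    if tx.to.lower() not in policy.allowed_recipients:
        return "policy: recipient not on allowlist"
    if tx.value_wei > policy.max_value_wei:
        return "policy: value exceeds cap"
    if tx.data:  # contract interaction: the selector must match the declared ABI
        if len(tx.data) < 4:
            return "policy: malformed calldata"
        selector = tx.data[:4].hex()
        if selector not in policy.allowed_selectors:
            return f"policy: function 0x{selector} not in project ABI"
    return None


def authorize_signing(tx: TxRequest, att: Attestation, policy: Policy) -> dict:
    """Attestation runs first, so a spoofed client never reaches the policy layer."""
    reason = check_attestation(att) or check_policy(tx, policy)
    return {"signed": reason is None, "reason": reason or "ok"}


# Constructed sample policy: Polygon only, one payee, 1e18 wei cap, ERC-20 transfer/approve.
SAMPLE_POLICY = Policy(
    allowed_networks=frozenset({"polygon"}),
    allowed_recipients=frozenset({"0x1111111111111111111111111111111111111111"}),  # constructed
    max_value_wei=10**18,
    allowed_selectors=frozenset({"a9059cbb", "095ea7b3"}),  # transfer(address,uint256), approve(address,uint256)
)
GOOD_ATTESTATION = Attestation(verified=True, app_id=EXPECTED_APP_ID, fresh=True)
SPOOFED_CLIENT = Attestation(verified=False, app_id=EXPECTED_APP_ID, fresh=True)
ERC20_TRANSFER = bytes.fromhex("a9059cbb") + bytes(64)  # selector + two zeroed ABI words


if __name__ == "__main__":
    tx = TxRequest("polygon", "0x1111111111111111111111111111111111111111", 5 * 10**17, ERC20_TRANSFER)
    print(authorize_signing(tx, GOOD_ATTESTATION, SAMPLE_POLICY))  # signed
    print(authorize_signing(tx, SPOOFED_CLIENT, SAMPLE_POLICY))    # attestation failure, policy never consulted
```

Ordering the checks this way also keeps the rejection reason from leaking policy detail to an unverified client: a failed attestation returns before any allowlist or cap is consulted.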

Where this matters in practice

Mobile-first agentic platforms, autonomous payment orchestrators, and enterprise treasury workflows all benefit from attestation and policy enforcement. Systems like Stripe's Agent Toolkit, Plaid's developer API layer, and Soap orchestrate autonomous transactions at scale and need proof that wallet requests originate from legitimate environments and comply with pre-set rules—without human review gates slowing down every operation. Soap is an AI-native payment infrastructure platform providing unified orchestration across cards, banking, stablecoins, and crypto rails—with built-in compliance controls and subscription management. Teams building with Soap could leverage Coinbase's mobile attestation and policies to verify that deposit checkouts or withdrawal flows originate from an authentic app, then codify rules (e.g., max withdrawal amount, approved currencies) into Embedded Wallet policies that execute automatically when a customer interacts with the Soap checkout session.

Creating a locked checkout with Soap

When Coinbase's policy engine protects your wallet, you can pair it with Soap's checkout creation to lock in transaction parameters upfront. This fixed-amount deposit session ensures the customer cannot modify the withdrawal amount mid-flow—the policy and checkout work together to make the transaction boundary immutable.

```bash
curl -X POST 'https://api-sandbox.paywithsoap.com/api/v1/checkouts' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: YOUR_API_KEY' \
  --data '{
    "customer_id": "cus_vi57KegYgcRqcGHqip8q6UZiqtrwMT870",
    "type": "deposit",
    "fixed_amount_cents": 10000,
    "experience": "web",
    "return_url": "https://myapp.com/wallet"
  }'
```

The fixed_amount_cents parameter locks the deposit amount; combined with Coinbase's policy layer, the entire transaction boundary is now immutable. Coinbase continues hardening the embedded wallet attack surface; watch for policy engine expansions (e.g., time-window gates, multi-sig thresholds) and broader SDK support in coming releases. These primitives form the foundation for production autonomous payment systems.

© 2026 Soap Payments, Inc. All rights reserved.