Sui policies use two method names for raw signing requests. Use signRawMessageBytes for unparsed
raw signing requests. Use signTransactionBytes for parsed transaction bytes that evaluate
sui_transaction_command or sui_transfer_objects_command conditions. There is no separate
signTransactionBytes API endpoint.
A Sui transaction consists of one or more inputs and commands. Common Sui commands used to transfer stablecoins include:
SplitCoins, which splits off one or more coins from a single coin.
MergeCoins, which merges one or more coins of the same type into a single coin.
TransferObjects, which transfers objects to a specified destination address.
Allow raw signing after a certain start date
Use signRawMessageBytes for unparsed raw signing requests. signRawMessageBytes rules support
system conditions, but do not support decoded transaction field sources like sui_transaction_command or
sui_transfer_objects_command.
{
  "version": "1.0",
  "name": "Only allow raw signing after a certain start date",
  "chain_type": "sui",
  "rules": [
    {
      "name": "Only allow raw signing after a certain start date",
      "method": "signRawMessageBytes",
      "conditions": [
        {
          "field_source": "system",
          "field": "current_unix_timestamp",
          "operator": "gt",
          "value": "1757304000" // 2025-09-08 04:00:00 UTC in seconds since epoch
        }
      ],
      "action": "ALLOW"
    }
  ]
}
Allowlist specific Sui transaction commands
{
  "version": "1.0",
  "name": "Allow TransferObjects, SplitCoins and MergeCoins",
  "chain_type": "sui",
  "rules": [
    {
      "name": "Allow TransferObjects, SplitCoins and MergeCoins commands",
      "method": "signTransactionBytes",
      "conditions": [
        {
          "field_source": "sui_transaction_command",
          "field": "commandName",
          "operator": "in",
          "value": ["TransferObjects", "SplitCoins", "MergeCoins"]
        }
      ],
      "action": "ALLOW"
    }
  ]
}
{
  "version": "1.0",
  "name": "TransferObjects summed maximum amount",
  "chain_type": "sui",
  "rules": [
    {
      "name": "TransferObjects amount summed maximum",
      "method": "signTransactionBytes",
      "conditions": [
        {
          "field_source": "sui_transfer_objects_command",
          "field": "amount",
          "operator": "lt",
          "value": "10000000"
        }
      ],
      "action": "ALLOW"
    }
  ]
}
Allowlist a specific Sui transaction recipient
{
  "version": "1.0",
  "name": "Allow specific recipient",
  "chain_type": "sui",
  "rules": [
    {
      "name": "Allow specific recipient",
      "method": "signTransactionBytes",
      "conditions": [
        {
          "field_source": "sui_transfer_objects_command",
          "field": "recipient",
          "operator": "eq",
          "value": "0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"
        }
      ],
      "action": "ALLOW"
    }
  ]
}
Allowlist specific Sui transaction recipients with condition set
{
  "version": "1.0",
  "name": "Allow specific recipients with condition set",
  "chain_type": "sui",
  "rules": [
    {
      "name": "Allow specific recipients with condition set",
      "method": "signTransactionBytes",
      "conditions": [
        {
          "field_source": "sui_transfer_objects_command",
          "field": "recipient",
          "operator": "in_condition_set",
          "value": "a2p4etpcbj2dltbjfigybi8j"
        }
      ],
      "action": "ALLOW"
    }
  ]
}
Restrict message signing
Use the message field source on signRawMessageBytes rules to constrain what messages a Sui wallet can sign. The content field supports string operators (eq, contains, starts_with, ends_with, in, in_condition_set), and the byte_length field supports numeric operators.
Allow messages with a specific prefix
{
  "version": "1.0",
  "name": "Only allow ownership proof messages",
  "chain_type": "sui",
  "rules": [
    {
      "name": "Allow messages that start with an ownership proof prefix",
      "method": "signRawMessageBytes",
      "conditions": [
        {
          "field_source": "message",
          "field": "content",
          "operator": "starts_with",
          "value": "Sign to prove ownership of"
        }
      ],
      "action": "ALLOW"
    }
  ]
}
Restrict message byte length
{
  "version": "1.0",
  "name": "Limit signed message size",
  "chain_type": "sui",
  "rules": [
    {
      "name": "Only allow messages up to 256 bytes",
      "method": "signRawMessageBytes",
      "conditions": [
        {
          "field_source": "message",
          "field": "byte_length",
          "operator": "lte",
          "value": "256"
        }
      ],
      "action": "ALLOW"
    }
  ]
}
Allow only specific messages
{
  "version": "1.0",
  "name": "Allowlist specific messages",
  "chain_type": "sui",
  "rules": [
    {
      "name": "Only allow known message strings to be signed",
      "method": "signRawMessageBytes",
      "conditions": [
        {
          "field_source": "message",
          "field": "content",
          "operator": "in",
          "value": ["I agree to the terms of service", "Confirm login"]
        }
      ],
      "action": "ALLOW"
    }
  ]
}
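The constraints stated above (signRawMessageBytes rules cannot use decoded transaction field sources; message.content takes string operators and message.byte_length takes numeric ones) can be checked locally before a policy is submitted. This linter is an added example, not code from the original page or from the policy engine; the function names, the sample policy and the NUMERIC_OPS set are assumptions.

```python
import json
import re

STRING = r'"(?:\\.|[^"\\])*"'
TX_SOURCES = {"sui_transaction_command", "sui_transfer_objects_command"}
STRING_OPS = {"eq", "contains", "starts_with", "ends_with", "in", "in_condition_set"}
NUMERIC_OPS = {"eq", "gt", "gte", "lt", "lte"}  # assumed; the page only says "numeric operators"
MESSAGE_OPS = {"content": STRING_OPS, "byte_length": NUMERIC_OPS}

def load_policy(text):
    """Parse a policy written like the page's examples (// comments, trailing commas)."""
    keep = lambda m: m.group(1) or ""  # keep string literals, drop comments and stray commas
    text = re.sub(rf"({STRING})|//[^\n]*", keep, text)
    text = re.sub(rf"({STRING})|,(?=\s*[}}\]])", keep, text)
    return json.loads(text)

def lint_policy(policy):
    """Return findings for rules that break a constraint stated on the page."""
    findings = []
    for rule in policy.get("rules", []):
        name, method = rule.get("name", "<unnamed>"), rule.get("method")
        for cond in rule.get("conditions", []):
            src, field, op = (cond.get(k) for k in ("field_source", "field", "operator"))
            if method == "signRawMessageBytes" and src in TX_SOURCES:
                findings.append(f"{name}: {src} is not supported on signRawMessageBytes")
            if src == "message":
                if method != "signRawMessageBytes":
                    findings.append(f"{name}: message conditions go on signRawMessageBytes")
                if field in MESSAGE_OPS and op not in MESSAGE_OPS[field]:
                    findings.append(f"{name}: operator {op!r} invalid for message.{field}")
    return findings

# Constructed sample (not a policy from the page): a raw-signing rule that uses a
# decoded field source and a string operator on byte_length.
SAMPLE = """{
  "version": "1.0", "name": "constructed", "chain_type": "sui",
  "rules": [{
    "name": "raw rule", "method": "signRawMessageBytes",
    "conditions": [
      {"field_source": "sui_transfer_objects_command", "field": "recipient",
       "operator": "eq", "value": "0xCONSTRUCTED//not-a-comment"},
      {"field_source": "message", "field": "byte_length",
       "operator": "starts_with", "value": "256", } // trailing comma and comment
    ],
    "action": "ALLOW", // constructed
  }]
}"""

if __name__ == "__main__":
    print("\n".join(lint_policy(load_policy(SAMPLE))))
```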
Only allow transactions after a certain start date
{
  "version": "1.0",
  "name": "Only allow transactions after a certain start date",
  "chain_type": "sui",
  "rules": [
    {
      "name": "Only allow transactions after a certain start date",
      "method": "signTransactionBytes",
      "conditions": [
        {
          "field_source": "system",
          "field": "current_unix_timestamp",
          "operator": "gt",
          "value": "1757304000" // 2025-09-08 04:00:00 UTC in seconds since epoch
        }
      ],
      "action": "ALLOW"
    }
  ]
}
Allow transfers to specific recipients after a certain timestamp
This example combines a TransferObjects condition with a system condition.
{
  "version": "1.0",
  "name": "Allow specific recipients after a certain timestamp",
  "chain_type": "sui",
  "rules": [
    {
      "name": "Allow specific recipients after a certain timestamp",
      "method": "signTransactionBytes",
      "conditions": [
        {
          "field_source": "sui_transfer_objects_command",
          "field": "recipient",
          "operator": "in_condition_set",
          "value": "a2p4etpcbj2dltbjfigybi8j"
        },
        {
          "field_source": "system",
          "field": "current_unix_timestamp",
          "operator": "gt",
          "value": "1757304000" // 2025-09-08 04:00:00 UTC in seconds since epoch
        }
      ],
      "action": "ALLOW"
    }
  ]
}
Denylist TransferObjects recipients with a condition set
{
  "version": "1.0",
  "name": "Denylist TransferObjects recipients with condition set",
  "chain_type": "sui",
  "rules": [
    {
      "name": "Denylist TransferObjects recipients with condition set",
      "method": "signTransactionBytes",
      "conditions": [
        {
          "field_source": "sui_transfer_objects_command",
          "field": "recipient",
          "operator": "in_condition_set",
          "value": "a2p4etpcbj2dltbjfigybi8j"
        }
      ],
      "action": "DENY" // Note: setting the action to 'ALLOW' makes this an allowlist
    }
  ]
}