⚠ v1.14.0 is live Already on v1.7.0? This installs right over it — same vault, no restore needed. Coming from a version before v1.7.0? The app will ask you to restore your vault from your 24-word recovery phrase once — same address, same funds. Scan for wallets brings back personal and burner wallets created on v1.7.0 or later. Wallets made on older versions use independent keys the phrase cannot rebuild — sweep their funds back to your main vault before updating. Details in the dev log.
Mobile App · Solana Mainnet · NFC · x402

Your card
is the key.

Tap your card, no passwords, no keys.

Tally is a mobile app that turns a contactless bank card into a hardware signing key for a Solana wallet. Live on Android today. iOS is in active development.

Every crypto wallet has the same problem. The private key lives somewhere, and wherever it lives is the attack surface. Hardware wallets solved custody but created friction. You need a device. You have to carry it. Lose it and you're locked out.

The card in your wallet already has an NFC chip. Tally reads it via full EMV APDU chain, runs it through Argon2id with your biometric, and derives a signing key in RAM. Under 500ms, then it wipes. Nothing persists on any server, ever. Any contactless card works, including expired ones.

We built this for AI agents, where the private key problem is worse. An agent gets a funded session wallet per task, authorized by a tap. The vault key never leaves the device. The session key has a budget cap, and when the task ends, funds sweep back automatically. x402 micropayments are live on Solana mainnet. The physical object you tap is the only thing that can authorize a spend.

For developers

Android APK
Android debug build. Requires a real contactless bank card (Visa / Mastercard) to sign transactions.

Android Mock
Same app, no card required. Simulates a card tap automatically, for testing on devices without NFC.

Integration: x402 Endpoint
// Live x402 endpoint. Run it yourself.
$ curl https://tally.lll.mk/api/signal

You'll get a 402 with the payment wallet in the response. That's the x402 protocol in action. An agent sends 0.1 USDC to that address, retries with the tx signature, and gets the signal back. The whole flow is in tally_integration/.


01 / Key derivation
💳
Card tap = signing key

NFC reads the card via full EMV APDU chain. Combined with your biometric via Argon2id, it reconstructs the master seed in RAM. 500ms. Then it's gone. Nothing stored on any server. Nothing in plaintext on the device.

02 / Agent funding
🤖
Session wallets for agents

Agent requests funding. Telegram notification arrives with the amount and task visible before you approve. Card tap. Session wallet funded with exactly what you approved. The session key copies once to the agent's .env. Isolated, capped, swept back automatically when the task ends.

03 / x402 Payments
Pay paywalled APIs on-chain

Agent hits a 402. Payment wallet in headers. 0.1 USDC moves on-chain. Server verifies independently. Signal returned. No API key, no OAuth, no custody. Just a blockchain receipt.


Full hardware wallet: Vault creation, SOL + USDC send/receive, Jupiter swap, QR scanner, emergency sweep
Three session wallet types: Agent (SK shown once), Personal (SK stays on device), Burner (SK shown once)
Full agent lifecycle: Fund, task, return. Confirmed with real USDC on mainnet.
x402 end-to-end: Agent hits paywall. Card tap. USDC on-chain. Tx verified. Signal returned.
HMAC-signed deep links: Every Telegram notification signed and verified on open, ±5 min timestamp window
ATA rent reclaim: USDC account closed on sweep, ~$0.17 recovered per session automatically
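
An added example, not Tally's code: one way to sign and verify a deep link with HMAC-SHA256 and the ±5 minute timestamp window listed above. The `tally://approve` scheme, the `amount`, `task`, `ts` and `sig` parameter names, and the shared key are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

MAX_SKEW_SECONDS = 5 * 60  # the ±5 min window stated on the page


def _canonical(params: dict) -> bytes:
    # Sort keys so signer and verifier MAC identical bytes whatever the query order.
    return urlencode(sorted(params.items())).encode()


def sign_link(base: str, params: dict, key: bytes, now: int) -> str:
    """Append a timestamp and an HMAC-SHA256 tag over all parameters."""
    signed = dict(params, ts=str(now))
    tag = hmac.new(key, _canonical(signed), hashlib.sha256).hexdigest()
    return f"{base}?{urlencode(sorted(signed.items()))}&sig={tag}"


def verify_link(url: str, key: bytes, now: int) -> dict:
    """Return the signed parameters, or raise ValueError on any failure."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True,
                      strict_parsing=True)
    params = dict(pairs)
    if len(params) != len(pairs):
        # A repeated key could make the verifier and a later consumer disagree.
        raise ValueError("duplicate parameter")
    sig = params.pop("sig", "")
    ts = params.get("ts", "")
    if not (ts.isascii() and ts.isdigit()):
        raise ValueError("missing or malformed timestamp")
    expected = hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()
    # Constant-time comparison; check the tag before trusting any field.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise ValueError("bad signature")
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        raise ValueError("timestamp outside window")
    return params


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed sample, not a real secret
    t0 = 1_700_000_000                  # constructed sample timestamp
    link = sign_link("tally://approve",
                     {"amount": "0.10", "task": "fetch-signal"}, demo_key, t0)
    print(link)
    print(verify_link(link, demo_key, t0 + 120))
```

A timestamp window bounds how long a captured link stays valid but does not make it single-use; rejecting a repeat inside the window needs a nonce or request ID that the verifier remembers.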

Mobile
Ionic Capacitor · React · TypeScript · Android
Crypto
Argon2id (32 iter, 2MB) · XOR split · Ed25519/TweetNaCl · BIP39
NFC
Full EMV APDU chain · ISO 14443-4 · stale-tag flush
Chain
Solana mainnet · SPL token (USDC) · Jupiter VersionedTransaction
Agent
Python skill · Telegram bot · HMAC-SHA256 signed deep links
x402 Server
Next.js · Vercel · tally-signal ↗

v1.14.0 Latest June 22, 2026
Agents, in one place
  • The app is down to two tabs. Your agents and what each one can spend now live on a single Agents tab, and each agent card shows its balance and budget together.
  • Your personal, burner, and recovered wallets moved to a Wallets view in Settings, so the agent view stays focused.
v1.13.0 June 22, 2026
A simpler Tally
  • Cleaner navigation: the bottom tabs are down to the three you actually use, and the developer and agent-operator settings now sit behind a "Show advanced settings" toggle, so a new wallet feels far less busy.
  • Setting up or recovering a vault moved into Settings, and putting idle SOL to work is now a prompt on the home screen.
v1.12.0 June 22, 2026
Recover funds, safely
  • A new welcome screen when you have no vault: create a new one, or recover funds from a 24-word phrase. The old screen that could leave you stuck with no way forward is gone.
  • Recover funds from any vault's phrase. Enter the 24 words and Tally finds every address that seed controls — including your private receipts — and imports them so you can move the money out.
  • Recovering moves your money into a fresh, secure vault instead of rebuilding the old one. Typing a phrase exposes its seed, so the safe step is to sweep into a vault whose key was never typed. The recovered wallets are clearly marked; you sweep, then discard. Your new vault has a new address.
v1.11.1 June 22, 2026
Hidden vault tag fixes
  • Tapping a tag for a hidden vault is smoother: the Android system tag screen no longer pops up over the app, a single tap registers as one read instead of two, and opening a hidden vault by tag no longer leaves the reader stuck for the next tap.
v1.11.0 June 22, 2026
Hidden vaults
  • Create hidden vaults that live nowhere. A hidden vault is built from your card or tag plus a passphrase you choose. Nothing about it is saved on the phone and it isn't listed anywhere, so someone who opens the app and unlocks it sees only your main vault.
  • Open one from the lock screen or from Settings: tap the same card or tag, enter the passphrase, confirm the address, and you're in. Every transaction still needs a tap.
  • Because nothing is stored, the same card or tag plus the same passphrase opens the same hidden vault on any phone running Tally. A 24-word phrase is shown once as a backup.
  • To keep one private, fund it from an outside wallet. The receive screen reminds you not to send to it straight from your main vault.
v1.10.0 June 19, 2026
Tap a tag, not just a card
  • Use an NFC tag as your signing key. At setup, hold a blank NFC tag to your phone instead of a bank card and it becomes the key that signs every transaction. The security model is identical: your vault key is split in two, half on the tag and half sealed behind your fingerprint, so your phone alone can never move funds.
  • What's written to the tag is encrypted, so a stranger who taps your tag reads only scrambled bytes — only your phone and your fingerprint can turn it back into your key. A tag costs about fifty cents.
  • Setup detects what you tap. Hold a card or a blank tag to your phone and Tally figures out which one you're using.
  • Your custom RPC is now remembered per network, so switching between mainnet and devnet keeps the endpoint you set instead of resetting to the public one.
v1.9.1 June 18, 2026
Receive polish
  • Reusing a private wallet to receive no longer shows a false "received" confirmation before any new funds arrive — it now confirms only when new funds actually land.
v1.9.0 June 18, 2026
Spend privately, end to end
  • Spend privately. Money you received to a private address can now be sent on without revealing your main wallet — the private wallet pays its own network fee, so nothing on-chain links the payment back to you. Send USDC or SOL.
  • Reuse your private wallets. Receiving privately lets you reuse a wallet you've used before or open a fresh one, and when you have more than one, Send lets you pick which to spend from — both its USDC and SOL come from that one.
  • Private balances refresh the moment you send, and very small balances are no longer rounded away to zero.
  • Smoother loading: your balance, holdings, and Earn positions show a placeholder while they load instead of popping in.
  • Earn · USDC reliably shows your real supplied balance again.
v1.8.0 June 17, 2026
Receive privately, and a steadier wallet
  • Receive privately. Tap Receive privately and Tally hands you a fresh, one-time address that can't be tied back to your main wallet or to your other private receipts. Money sent there lands in a separate Private balance on your Home screen, and you spend it from Send like any other funds.
  • A new Earn screen puts idle SOL to work: stake to JupSOL in one tap and unstake whenever you want, no epoch wait.
  • USDC savings: supply USDC to Kamino Lend from the Earn screen to earn lending yield, with your balance shown in real USDC and growing live on screen, and withdraw any time.
  • Transactions confirm reliably. Sends, swaps, staking, and wallet sweeps no longer hang on the tap screen; the app now follows each one on-chain until it lands. Sweeping a session wallet asks for your fingerprint just once.
  • The Home screen loads faster: your whole portfolio and its USD total now come from a single price lookup, so balances fill in quickly even on mainnet.
  • Share your receiving address through your phone's own share menu.
  • Agent and sweep fixes: revoking an agent now clears every approval it held, and sweeping a wallet brings back all of your tokens, not just USDC.
v1.7.0 June 12, 2026
Hardware-locked vault key
  • Your vault key is never stored, anywhere. Every signature rebuilds it for under a second from two halves: one sealed in your phone's secure hardware behind a fingerprint, the other read from your physical card the moment you tap. A lost, stolen, or compromised phone cannot reconstruct it because it is missing the card. A copied card cannot either because it is missing your biometric.
  • Updating from an older version: the app asks you to restore your vault from your 24-word recovery phrase once. Same address, same funds.
  • New personal and session wallets are derived from your recovery phrase. Scan for wallets finds the ones holding funds and brings them back, even on a brand-new phone. Note: this only covers wallets created on v1.7.0 or later. Wallets made on older versions use independent keys, so sweep their funds to your main vault first.
  • Stake your SOL: convert to JupSOL and back instantly from the Convert page, no epoch wait.
  • Every holding on one screen: the Home page shows your full portfolio with a combined USD total, and each token can be sent or converted with a tap.
  • Swaps and staking include a small Tally fee (0.75% and 0.50%) that funds ongoing maintenance. Sends, receives, and agent payments stay free.
  • Found a credential-storage bug in a widely used plugin, patched it in this release, and reported it to the maintainers. The two-part key design meant nothing was exposed, and the recovery phrase rebuilds everything.
v1.6.2 June 10, 2026
Read this before the next update
  • The next update adds a stronger hardware lock on your vault key. Because of how Android protects keys, it will ask you to restore your main vault from your 24-word recovery phrase the first time you open it.
  • Before you update: make sure your 24-word recovery phrase is saved somewhere safe. Your main vault returns with the same address and the same funds after you restore it.
  • Also before you update: move any money out of your session, personal, and burner wallets back into your main vault. Those wallet keys cannot be restored from the recovery phrase, so sweep them first or those funds will be stranded.
  • More hardening landed too: your vault key and saved tokens now live in the device secure store, the key-reveal screen blocks screenshots, and the whole app stays locked behind your fingerprint.
v1.6.1 June 8, 2026
Fixes and a fuller history
  • Your transaction list now shows agent budget approvals and revokes, plus agent spends, not just plain sends and receives.
  • Fixed the What's new screen being unreachable behind the Android navigation bar.
v1.6.0 June 5, 2026
Agents that ask, then spend
  • Agents can now propose a budget. You get a notification, open one screen, and approve or edit the amount with a single card tap.
  • Unknown-agent warning: if a request comes from a wallet you have not connected before, Tally flags it.
  • A unified card-tap screen across every approval, clearer and consistent.
  • Recovery guidance added to the 24-word backup screen.
v1.5.0 June 3, 2026
Standing agent budgets
  • Pre-authorize a capped, time-boxed budget for an agent with one card tap. The agent then pays directly within that budget, no further taps.
  • Money stays in your vault until the moment of each payment. Nothing sits in a hot wallet.
  • When the window closes, the next payment is rejected on-chain and the unused cap stays put.
  • Revoke any agent, or revoke all, from the Connections tab.
v1.4.0 May 27, 2026
Safer setup
  • Tally now checks your device can do everything a vault needs before you create one, so setup never half-completes on unsupported hardware.
v1.3.0 May 24, 2026
Solana Pay and reliability
  • Solana Pay support: pay any Solana Pay link or QR, with memo passthrough.
  • Fixed a cold-start issue that briefly showed a zero balance.
  • Sending USDC to a brand-new address now tops up the tiny amount of SOL it needs automatically.
  • Fresh app icon.
v1.2.0 May 20, 2026
Spending windows
  • Time-bounded approvals: authorize spending for a set window, end to end across the wallet and the agent skill.
v1.1.0 May 14, 2026
Privacy and proof
  • PCI mode: derive your key from the card chip ID alone. The card number is never read or stored.
  • Proof-of-Presence: a card tap signs a portable receipt that anyone can verify, no account needed.
v1.0.0 May 11, 2026
Tally launch
  • A Solana wallet where your contactless card is the signing key. Tap to sign, no passwords, no seed phrase to type.
  • x402 payments live on mainnet.
  • Built so AI agents can spend real money without your vault key ever touching a server.

Shipped
Hidden vaults
A second vault that lives nowhere. It's derived from your card or tag plus a passphrase you choose, and nothing about it is stored or listed — so someone who opens your phone and unlocks it sees only your main vault. The same card or tag plus the same passphrase reopens it here or on any phone running Tally, with no biometric and no per-device backup. Every transaction still needs a tap.
Shipped
NFC tag as a signing key
No contactless card? A blank ~$0.50 NTAG215 works as your signing key instead. At setup it's written once with a random secret, encrypted to your phone, then permanently locked — so a stranger who taps it reads only noise. Same 2-of-2 model as the card: half on the tag, half sealed behind your fingerprint. Setup auto-detects whether you tap a card or a tag.
Shipped
UID-only card derivation
PCI mode: the Card_Shard is derived from the card's hardware UID and a salt only. No card number ever read, no PAN in RAM. Selectable at vault creation for regulated and enterprise deployments where PAN exposure is a compliance blocker.
Shipped
Proof of human presence
Every card tap signs a portable, hardware-bound receipt: vault, session, amount, task hash, tx, timestamp. Travels with the task across any number of agents. Verifiable offline by anyone with the vault address, or as one HTTP call to tally.lll.mk/api/attest/verify.
Shipped
Time-bounded policy taps
One tap authorizes a budget and a window, not a single transaction. The agent runs autonomously within both until either runs out. End to end: deep link carries the TTL, wallet persists the expiry, agent skill reuses the session across calls without re-tapping.
In progress
iOS app
Bringing the Tally vault to iPhone. In active development. We'll share how it works once the approach is proven.
Shipped
On-chain agent budgets
One card tap grants an agent a spend cap and an expiry enforced on-chain, built on Solana's allowances program. The agent spends within the budget on its own while the funds never leave your cold vault, and you can revoke one agent or all of them instantly. An agent can also propose a budget that you approve from a single notification.
Shipped
Private receive
Receive without revealing your wallet. Each private receive hands the sender a fresh, one-time stealth address derived from your seed, unlinkable to your main vault or to your other receipts. Funds land in a separate Private balance and spend like any other holding — receive-only privacy with no mixer and no new trust assumption.
Shipped
Every token, one screen
The Home screen shows your full SPL portfolio with a combined USD total. Send or swap any token with a tap, routed through Jupiter — every transfer still gated by a physical card tap and biometric.
Shipped
Earn on idle SOL
Put idle SOL to work without it leaving the vault: stake to JupSOL in one tap and unstake any time, no epoch wait. A dedicated Earn screen surfaces live yields and your positions, and nudges balances that are just sitting there.
Shipped
Recover funds from a phrase
Enter a lost or legacy vault's 24-word phrase and Tally finds every address that seed controls — master, session wallets, and private receipts — by their on-chain holdings, then imports them so you can sweep the funds into a fresh secure vault. Recovery moves money to a new vault rather than rebuilding an exposed seed in place.
Planned
Readable vault identity
Counterparties send to and verify receipts against a human-readable name instead of a 32-character base58 address. The receipt becomes anchorable to your identity without exposing key material. The card stays the proof; the name becomes the anchor.
Planned
Native approval requests
When an agent needs a fresh authorization, it asks and your phone gets a native push: one tap to approve, the spend stays capped and time-boxed. The agent never needs to know how you were reached, so the approval channel can change without touching agent code. Telegram stays as a fallback.
Planned
Self-hosted x402 gateway
Run your own x402 endpoint backed by Tally's card-tap authorization. Agents pay per request, humans stay in the loop. No third-party proxy, no shared infrastructure.
Shipped
Stablecoin savings
Supply USDC to Kamino Lend for yield and withdraw any time, all from inside the vault with a card tap. Your position shows in real USDC and grows live on screen.
Shipped
Private spend, no link
Spend a privately received balance without revealing your main wallet. The stealth wallet pays its own network fee — funding it from its own USDC when needed — so the payment carries no on-chain tie back to your vault. Send USDC or SOL.