diff --git a/api/api_wallet.go b/api/api_wallet.go
index 891b2fabb..973aaaf6d 100644
--- a/api/api_wallet.go
+++ b/api/api_wallet.go
@@ -35,13 +35,13 @@ type MsgMeta struct {
 }
 type Wallet interface {
- WalletNew(context.Context, types.KeyType) (address.Address, error)
- WalletHas(context.Context, address.Address) (bool, error)
- WalletList(context.Context) ([]address.Address, error)
+ WalletNew(context.Context, types.KeyType) (address.Address, error) //perm:admin
+ WalletHas(context.Context, address.Address) (bool, error) //perm:admin
+ WalletList(context.Context) ([]address.Address, error) //perm:admin
- WalletSign(ctx context.Context, signer address.Address, toSign []byte, meta MsgMeta) (*crypto.Signature, error)
+ WalletSign(ctx context.Context, signer address.Address, toSign []byte, meta MsgMeta) (*crypto.Signature, error) //perm:admin
- WalletExport(context.Context, address.Address) (*types.KeyInfo, error)
- WalletImport(context.Context, *types.KeyInfo) (address.Address, error)
- WalletDelete(context.Context, address.Address) error
+ WalletExport(context.Context, address.Address) (*types.KeyInfo, error) //perm:admin
+ WalletImport(context.Context, *types.KeyInfo) (address.Address, error) //perm:admin
+ WalletDelete(context.Context, address.Address) error //perm:admin
 }
diff --git a/api/proxy_gen.go b/api/proxy_gen.go
index 8880fb24c..79d7b0ac6 100644
--- a/api/proxy_gen.go
+++ b/api/proxy_gen.go
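Review bot: The `//perm:admin` annotations on the `Wallet` interface in api/api_wallet.go now carry the access-control decision, but the interface has no comment saying so. A method added later without an annotation would presumably regenerate with the empty struct tag seen on the removed lines of api/proxy_gen.go, and how the permission wrapper treats an empty tag is not visible in this diff. A doc comment above `type Wallet interface` would make the contract explicit, for example `// Wallet exposes key export and signing, so every method must carry a //perm: annotation (all admin today).`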
@@ -731,19 +731,19 @@ type StorageMinerStub struct { type WalletStruct struct { Internal struct { - WalletDelete func(p0 context.Context, p1 address.Address) error `` + WalletDelete func(p0 context.Context, p1 address.Address) error `perm:"admin"` - WalletExport func(p0 context.Context, p1 address.Address) (*types.KeyInfo, error) `` + WalletExport func(p0 context.Context, p1 address.Address) (*types.KeyInfo, error) `perm:"admin"` - WalletHas func(p0 context.Context, p1 address.Address) (bool, error) `` + WalletHas func(p0 context.Context, p1 address.Address) (bool, error) `perm:"admin"` - WalletImport func(p0 context.Context, p1 *types.KeyInfo) (address.Address, error) `` + WalletImport func(p0 context.Context, p1 *types.KeyInfo) (address.Address, error) `perm:"admin"` - WalletList func(p0 context.Context) ([]address.Address, error) `` + WalletList func(p0 context.Context) ([]address.Address, error) `perm:"admin"` - WalletNew func(p0 context.Context, p1 types.KeyType) (address.Address, error) `` + WalletNew func(p0 context.Context, p1 types.KeyType) (address.Address, error) `perm:"admin"` - WalletSign func(p0 context.Context, p1 address.Address, p2 []byte, p3 MsgMeta) (*crypto.Signature, error) `` + WalletSign func(p0 context.Context, p1 address.Address, p2 []byte, p3 MsgMeta) (*crypto.Signature, error) `perm:"admin"` } }
diff --git a/cmd/lotus-wallet/main.go b/cmd/lotus-wallet/main.go
index d6ca41c24..4e0f2a577 100644
--- a/cmd/lotus-wallet/main.go
+++ b/cmd/lotus-wallet/main.go
@@ -127,8 +127,8 @@ var runCmd = &cli.Command{
 Usage: "don't query chain state in interactive mode",
 },
 &cli.BoolFlag{
- Name: "disable-auth",
- Usage: "(insecure) disable api auth",
+ Name: "disable-auth",
+ Usage: "(insecure) disable api auth",
 Hidden: true,
 },
 },
@@ -192,16 +192,20 @@ var runCmd = &cli.Command{
 w = &LoggedWallet{under: w}
 }
+ rpcApi := metrics.MetricedWalletAPI(w)
+ if !cctx.Bool("disable-auth") {
+ rpcApi = api.PermissionedWalletAPI(rpcApi)
+ }
+
 rpcServer := jsonrpc.NewServer()
- rpcServer.Register("Filecoin", metrics.MetricedWalletAPI(w))
+ rpcServer.Register("Filecoin", rpcApi)
 mux.Handle("/rpc/v0", rpcServer)
 mux.PathPrefix("/").Handler(http.DefaultServeMux) // pprof
 var handler http.Handler = mux
- if cctx.Bool("disable-auth") {
- log.Info("API auth enabled, use 'lotus wallet get-api-key' to get API key")
+ if !cctx.Bool("disable-auth") {
 authKey, err := modules.APISecret(ks, lr)
 if err != nil {
 return xerrors.Errorf("setting up api secret: %w", err)
@@ -216,6 +220,7 @@ var runCmd = &cli.Command{
 return payload.Allow, nil
 }
+ log.Info("API auth enabled, use 'lotus-wallet get-api-key' to get API key")
 handler = &auth.Handler{
 Verify: authVerify,
 Next: mux.ServeHTTP,
@@ -248,7 +253,7 @@ var runCmd = &cli.Command{
 },
 }
-func openRepo(cctx *cli.Context) (repo.LockedRepo, types.KeyStore ,error) {
+func openRepo(cctx *cli.Context) (repo.LockedRepo, types.KeyStore, error) {
 repoPath := cctx.String(FlagWalletRepo)
 r, err := repo.NewFS(repoPath)
 if err != nil {
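Review bot: In the hunk at -192,16 +192,20 of cmd/lotus-wallet/main.go, running with `--disable-auth` registers the unwrapped wallet API and skips the token handler without logging anything, so a signing endpoint can run unauthenticated with no trace in the logs. An `else` on the first new `if` with `log.Warn("API auth disabled, wallet RPC is unauthenticated")` would make that state visible. The flag is also read twice, once for `api.PermissionedWalletAPI` and once for the `auth.Handler` setup further down; a single `authEnabled := !cctx.Bool("disable-auth")` used by both would keep the permission wrapper and the token verifier from drifting apart in later edits. Separately, the context line `mux.PathPrefix("/").Handler(http.DefaultServeMux) // pprof` is not covered by the permission wrapper, and whether `auth.Handler` rejects requests that carry no token is not visible here, so it is worth confirming the pprof routes are not reachable unauthenticated. The enclosing function body of `runCmd` starts and ends outside the hunk.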