diff --git a/aptos-move/framework/aptos-framework/doc/overview.md b/aptos-move/framework/aptos-framework/doc/overview.md
index 314baa3612ba96..7ad32f3ea8ec0d 100644
--- a/aptos-move/framework/aptos-framework/doc/overview.md
+++ b/aptos-move/framework/aptos-framework/doc/overview.md
@@ -46,6 +46,7 @@ This is the reference documentation of the Aptos framework.
 -  [`0x1::object`](object.md#0x1_object)
 -  [`0x1::object_code_deployment`](object_code_deployment.md#0x1_object_code_deployment)
 -  [`0x1::optional_aggregator`](optional_aggregator.md#0x1_optional_aggregator)
+-  [`0x1::permissioned_signer`](permissioned_signer.md#0x1_permissioned_signer)
 -  [`0x1::primary_fungible_store`](primary_fungible_store.md#0x1_primary_fungible_store)
 -  [`0x1::randomness`](randomness.md#0x1_randomness)
 -  [`0x1::randomness_api_v0_config`](randomness_api_v0_config.md#0x1_randomness_api_v0_config)
diff --git a/aptos-move/framework/aptos-framework/doc/permissioned_signer.md b/aptos-move/framework/aptos-framework/doc/permissioned_signer.md
new file mode 100644
index 00000000000000..ba22496208f3d5
--- /dev/null
+++ b/aptos-move/framework/aptos-framework/doc/permissioned_signer.md
@@ -0,0 +1,756 @@
+
+<a id="0x1_permissioned_signer"></a>
+
+# Module `0x1::permissioned_signer`
+
+A _permissioned signer_ consists of a pair of the original signer and a generated
+signer which is used store information about associated permissions.
+
+A permissioned signer behaves compatible with the original signer as it comes to <code><b>move_to</b></code>, <code>address_of</code>, and
+existing basic signer functionality. However, the permissions can be queried to assert additional
+restrictions on the use of the signer.
+
+A client which is interested in restricting access granted via a signer can create a permissioned signer
+and pass on to other existing code without changes to existing APIs. Core functions in the framework, for
+example account functions, can then assert availability of permissions, effectively restricting
+existing code in a compatible way.
+
+After introducing the core functionality, examples are provided for withdraw limit on accounts, and
+for blind signing.
+
+
+-  [Struct `PermissionedHandle`](#0x1_permissioned_signer_PermissionedHandle)
+-  [Resource `PermStorage`](#0x1_permissioned_signer_PermStorage)
+-  [Struct `Permission`](#0x1_permissioned_signer_Permission)
+-  [Constants](#@Constants_0)
+-  [Function `create_permissioned_handle`](#0x1_permissioned_signer_create_permissioned_handle)
+-  [Function `create_permissioned_handle_with_expiration`](#0x1_permissioned_signer_create_permissioned_handle_with_expiration)
+-  [Function `destroy_permissioned_handle`](#0x1_permissioned_signer_destroy_permissioned_handle)
+-  [Function `signer_from_permissioned`](#0x1_permissioned_signer_signer_from_permissioned)
+-  [Function `assert_master_signer`](#0x1_permissioned_signer_assert_master_signer)
+-  [Function `authorize`](#0x1_permissioned_signer_authorize)
+-  [Function `check_permission`](#0x1_permissioned_signer_check_permission)
+-  [Function `capacity`](#0x1_permissioned_signer_capacity)
+-  [Function `revoke_permission`](#0x1_permissioned_signer_revoke_permission)
+-  [Function `extract_permission`](#0x1_permissioned_signer_extract_permission)
+-  [Function `get_key`](#0x1_permissioned_signer_get_key)
+-  [Function `address_of`](#0x1_permissioned_signer_address_of)
+-  [Function `consume_permission`](#0x1_permissioned_signer_consume_permission)
+-  [Function `store_permission`](#0x1_permissioned_signer_store_permission)
+-  [Function `is_permissioned_signer`](#0x1_permissioned_signer_is_permissioned_signer)
+-  [Function `permission_signer`](#0x1_permissioned_signer_permission_signer)
+-  [Function `signer_from_permissioned_impl`](#0x1_permissioned_signer_signer_from_permissioned_impl)
+
+
+<pre><code><b>use</b> <a href="../../aptos-stdlib/doc/copyable_any.md#0x1_copyable_any">0x1::copyable_any</a>;
+<b>use</b> <a href="../../aptos-stdlib/../move-stdlib/doc/error.md#0x1_error">0x1::error</a>;
+<b>use</b> <a href="../../aptos-stdlib/../move-stdlib/doc/option.md#0x1_option">0x1::option</a>;
+<b>use</b> <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">0x1::signer</a>;
+<b>use</b> <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table">0x1::smart_table</a>;
+<b>use</b> <a href="timestamp.md#0x1_timestamp">0x1::timestamp</a>;
+<b>use</b> <a href="transaction_context.md#0x1_transaction_context">0x1::transaction_context</a>;
+</code></pre>
+
+
+
+<a id="0x1_permissioned_signer_PermissionedHandle"></a>
+
+## Struct `PermissionedHandle`
+
+
+
+<pre><code><b>struct</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">PermissionedHandle</a> <b>has</b> store
+</code></pre>
+
+
+
+<details>
+<summary>Fields</summary>
+
+
+<dl>
+<dt>
+<code>master_addr: <b>address</b></code>
+</dt>
+<dd>
+
+</dd>
+<dt>
+<code>permission_addr: <b>address</b></code>
+</dt>
+<dd>
+
+</dd>
+<dt>
+<code>expiration_time: u64</code>
+</dt>
+<dd>
+
+</dd>
+</dl>
+
+
+</details>
+
+<a id="0x1_permissioned_signer_PermStorage"></a>
+
+## Resource `PermStorage`
+
+
+
+<pre><code><b>struct</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> <b>has</b> key
+</code></pre>
+
+
+
+<details>
+<summary>Fields</summary>
+
+
+<dl>
+<dt>
+<code>perms: <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_SmartTable">smart_table::SmartTable</a>&lt;<a href="../../aptos-stdlib/doc/copyable_any.md#0x1_copyable_any_Any">copyable_any::Any</a>, u256&gt;</code>
+</dt>
+<dd>
+
+</dd>
+</dl>
+
+
+</details>
+
+<a id="0x1_permissioned_signer_Permission"></a>
+
+## Struct `Permission`
+
+
+
+<pre><code><b>struct</b> <a href="permissioned_signer.md#0x1_permissioned_signer_Permission">Permission</a>&lt;K&gt;
+</code></pre>
+
+
+
+<details>
+<summary>Fields</summary>
+
+
+<dl>
+<dt>
+<code>owner_address: <b>address</b></code>
+</dt>
+<dd>
+
+</dd>
+<dt>
+<code>key: K</code>
+</dt>
+<dd>
+
+</dd>
+<dt>
+<code>capacity: u256</code>
+</dt>
+<dd>
+
+</dd>
+</dl>
+
+
+</details>
+
+<a id="@Constants_0"></a>
+
+## Constants
+
+
+<a id="0x1_permissioned_signer_ECANNOT_AUTHORIZE"></a>
+
+Cannot authorize a permission.
+
+
+<pre><code><b>const</b> <a href="permissioned_signer.md#0x1_permissioned_signer_ECANNOT_AUTHORIZE">ECANNOT_AUTHORIZE</a>: u64 = 2;
+</code></pre>
+
+
+
+<a id="0x1_permissioned_signer_ECANNOT_EXTRACT_PERMISSION"></a>
+
+signer doesn't have enough capacity to extract permission.
+
+
+<pre><code><b>const</b> <a href="permissioned_signer.md#0x1_permissioned_signer_ECANNOT_EXTRACT_PERMISSION">ECANNOT_EXTRACT_PERMISSION</a>: u64 = 4;
+</code></pre>
+
+
+
+<a id="0x1_permissioned_signer_ENOT_MASTER_SIGNER"></a>
+
+Trying to grant permission using master signer.
+
+
+<pre><code><b>const</b> <a href="permissioned_signer.md#0x1_permissioned_signer_ENOT_MASTER_SIGNER">ENOT_MASTER_SIGNER</a>: u64 = 1;
+</code></pre>
+
+
+
+<a id="0x1_permissioned_signer_ENOT_PERMISSIONED_SIGNER"></a>
+
+Access permission information from a master signer.
+
+
+<pre><code><b>const</b> <a href="permissioned_signer.md#0x1_permissioned_signer_ENOT_PERMISSIONED_SIGNER">ENOT_PERMISSIONED_SIGNER</a>: u64 = 3;
+</code></pre>
+
+
+
+<a id="0x1_permissioned_signer_E_PERMISSION_EXPIRED"></a>
+
+permission handle has expired.
+
+
+<pre><code><b>const</b> <a href="permissioned_signer.md#0x1_permissioned_signer_E_PERMISSION_EXPIRED">E_PERMISSION_EXPIRED</a>: u64 = 5;
+</code></pre>
+
+
+
+<a id="0x1_permissioned_signer_E_PERMISSION_MISMATCH"></a>
+
+storing extracted permission into a different signer.
+
+
+<pre><code><b>const</b> <a href="permissioned_signer.md#0x1_permissioned_signer_E_PERMISSION_MISMATCH">E_PERMISSION_MISMATCH</a>: u64 = 6;
+</code></pre>
+
+
+
+<a id="0x1_permissioned_signer_create_permissioned_handle"></a>
+
+## Function `create_permissioned_handle`
+
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_create_permissioned_handle">create_permissioned_handle</a>(master: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>): <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">permissioned_signer::PermissionedHandle</a>
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_create_permissioned_handle">create_permissioned_handle</a>(master: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>): <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">PermissionedHandle</a> {
+    <a href="permissioned_signer.md#0x1_permissioned_signer_create_permissioned_handle_with_expiration">create_permissioned_handle_with_expiration</a>(master, 60)
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_create_permissioned_handle_with_expiration"></a>
+
+## Function `create_permissioned_handle_with_expiration`
+
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_create_permissioned_handle_with_expiration">create_permissioned_handle_with_expiration</a>(master: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, expiration_time: u64): <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">permissioned_signer::PermissionedHandle</a>
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_create_permissioned_handle_with_expiration">create_permissioned_handle_with_expiration</a>(master: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, expiration_time: u64): <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">PermissionedHandle</a> {
+    <b>assert</b>!(!<a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(master), <a href="../../aptos-stdlib/../move-stdlib/doc/error.md#0x1_error_permission_denied">error::permission_denied</a>(<a href="permissioned_signer.md#0x1_permissioned_signer_ENOT_MASTER_SIGNER">ENOT_MASTER_SIGNER</a>));
+    // Do we need <b>to</b> <b>move</b> sth similar <b>to</b> ObjectCore <b>to</b> register this <b>address</b> <b>as</b> permission <b>address</b>?
+    <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">PermissionedHandle</a> {
+        master_addr: <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer_address_of">signer::address_of</a>(master),
+        permission_addr: generate_auid_address(),
+        expiration_time: expiration_time + <a href="timestamp.md#0x1_timestamp_now_seconds">timestamp::now_seconds</a>(),
+    }
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_destroy_permissioned_handle"></a>
+
+## Function `destroy_permissioned_handle`
+
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_destroy_permissioned_handle">destroy_permissioned_handle</a>(p: <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">permissioned_signer::PermissionedHandle</a>)
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_destroy_permissioned_handle">destroy_permissioned_handle</a>(p: <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">PermissionedHandle</a>) <b>acquires</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> {
+    <b>let</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">PermissionedHandle</a> { master_addr: _, permission_addr, expiration_time: _ } = p;
+    <b>let</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> { perms } = <b>move_from</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(permission_addr);
+    <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_destroy">smart_table::destroy</a>(perms);
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_signer_from_permissioned"></a>
+
+## Function `signer_from_permissioned`
+
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_signer_from_permissioned">signer_from_permissioned</a>(p: &<a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">permissioned_signer::PermissionedHandle</a>): <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_signer_from_permissioned">signer_from_permissioned</a>(p: &<a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">PermissionedHandle</a>): <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a> {
+    <b>assert</b>!(<a href="timestamp.md#0x1_timestamp_now_seconds">timestamp::now_seconds</a>() &lt; p.expiration_time, <a href="../../aptos-stdlib/../move-stdlib/doc/error.md#0x1_error_permission_denied">error::permission_denied</a>(<a href="permissioned_signer.md#0x1_permissioned_signer_E_PERMISSION_EXPIRED">E_PERMISSION_EXPIRED</a>));
+    <a href="permissioned_signer.md#0x1_permissioned_signer_signer_from_permissioned_impl">signer_from_permissioned_impl</a>(p)
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_assert_master_signer"></a>
+
+## Function `assert_master_signer`
+
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_assert_master_signer">assert_master_signer</a>(s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>)
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_assert_master_signer">assert_master_signer</a>(s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>) {
+    <b>assert</b>!(!<a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(s), <a href="../../aptos-stdlib/../move-stdlib/doc/error.md#0x1_error_permission_denied">error::permission_denied</a>(<a href="permissioned_signer.md#0x1_permissioned_signer_ENOT_MASTER_SIGNER">ENOT_MASTER_SIGNER</a>));
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_authorize"></a>
+
+## Function `authorize`
+
+=====================================================================================================
+Permission Management
+
+Authorizes <code>permissioned</code> with the given permission. This requires to have access to the <code>master</code>
+signer.
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_authorize">authorize</a>&lt;PermKey: <b>copy</b>, drop, store&gt;(master: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, capacity: u256, perm: PermKey)
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_authorize">authorize</a>&lt;PermKey: <b>copy</b> + drop + store&gt;(
+    master: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>,
+    permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>,
+    capacity: u256,
+    perm: PermKey
+) <b>acquires</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> {
+    <b>assert</b>!(
+        <a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(permissioned) &&
+        !<a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(master) &&
+        <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer_address_of">signer::address_of</a>(master) == <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer_address_of">signer::address_of</a>(permissioned),
+        <a href="../../aptos-stdlib/../move-stdlib/doc/error.md#0x1_error_permission_denied">error::permission_denied</a>(<a href="permissioned_signer.md#0x1_permissioned_signer_ECANNOT_AUTHORIZE">ECANNOT_AUTHORIZE</a>)
+    );
+    <b>let</b> permission_signer = <a href="permissioned_signer.md#0x1_permissioned_signer_permission_signer">permission_signer</a>(permissioned);
+    <b>let</b> permission_signer_addr = <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer_address_of">signer::address_of</a>(&permission_signer);
+    <b>if</b>(!<b>exists</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(permission_signer_addr)) {
+        <b>move_to</b>(&permission_signer, <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> { perms: <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_new">smart_table::new</a>()});
+    };
+    <b>let</b> perms = &<b>mut</b> <b>borrow_global_mut</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(permission_signer_addr).perms;
+    <b>let</b> key = <a href="../../aptos-stdlib/doc/copyable_any.md#0x1_copyable_any_pack">copyable_any::pack</a>(perm);
+    <b>if</b>(<a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_contains">smart_table::contains</a>(perms, key)) {
+        <b>let</b> entry = <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_borrow_mut">smart_table::borrow_mut</a>(perms, key);
+        *entry = *entry + capacity;
+    } <b>else</b> {
+        <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_add">smart_table::add</a>(perms, key, capacity);
+    }
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_check_permission"></a>
+
+## Function `check_permission`
+
+Asserts that the given signer has permission <code>PermKey</code>, and the capacity
+to handle <code>weight</code>, which will be subtracted from capacity.
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_check_permission">check_permission</a>&lt;PermKey: <b>copy</b>, drop, store&gt;(s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, weight: u256, perm: PermKey): bool
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_check_permission">check_permission</a>&lt;PermKey: <b>copy</b> + drop + store&gt;(
+    s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>,
+    weight: u256,
+    perm: PermKey
+): bool <b>acquires</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> {
+    <b>if</b> (!<a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(s)) {
+        // master <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a> <b>has</b> all permissions
+        <b>return</b> <b>true</b>
+    };
+    <b>let</b> addr = <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer_address_of">signer::address_of</a>(&<a href="permissioned_signer.md#0x1_permissioned_signer_permission_signer">permission_signer</a>(s));
+    <b>if</b>(!<b>exists</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(addr)) {
+        <b>return</b> <b>false</b>
+    };
+    <b>let</b> perm = <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_borrow_mut">smart_table::borrow_mut</a>(&<b>mut</b> <b>borrow_global_mut</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(addr).perms, <a href="../../aptos-stdlib/doc/copyable_any.md#0x1_copyable_any_pack">copyable_any::pack</a>(perm));
+    <b>if</b>(*perm &lt; weight) {
+        <b>return</b> <b>false</b>
+    };
+    *perm = *perm - weight;
+    <b>return</b> <b>true</b>
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_capacity"></a>
+
+## Function `capacity`
+
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_capacity">capacity</a>&lt;PermKey: <b>copy</b>, drop, store&gt;(s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, perm: PermKey): <a href="../../aptos-stdlib/../move-stdlib/doc/option.md#0x1_option_Option">option::Option</a>&lt;u256&gt;
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_capacity">capacity</a>&lt;PermKey: <b>copy</b> + drop + store&gt;(s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, perm: PermKey): Option&lt;u256&gt; <b>acquires</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> {
+    <b>assert</b>!(<a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(s), <a href="../../aptos-stdlib/../move-stdlib/doc/error.md#0x1_error_permission_denied">error::permission_denied</a>(<a href="permissioned_signer.md#0x1_permissioned_signer_ENOT_PERMISSIONED_SIGNER">ENOT_PERMISSIONED_SIGNER</a>));
+    <b>let</b> addr = <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer_address_of">signer::address_of</a>(&<a href="permissioned_signer.md#0x1_permissioned_signer_permission_signer">permission_signer</a>(s));
+    <b>if</b>(!<b>exists</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(addr)) {
+        <b>return</b> <a href="../../aptos-stdlib/../move-stdlib/doc/option.md#0x1_option_none">option::none</a>()
+    };
+    <b>let</b> perm_storage = &<b>borrow_global</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(addr).perms;
+    <b>let</b> key = <a href="../../aptos-stdlib/doc/copyable_any.md#0x1_copyable_any_pack">copyable_any::pack</a>(perm);
+    <b>if</b>(<a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_contains">smart_table::contains</a>(perm_storage, key)) {
+        <a href="../../aptos-stdlib/../move-stdlib/doc/option.md#0x1_option_some">option::some</a>(*<a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_borrow">smart_table::borrow</a>(&<b>borrow_global</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(addr).perms, key))
+    } <b>else</b> {
+        <a href="../../aptos-stdlib/../move-stdlib/doc/option.md#0x1_option_none">option::none</a>()
+    }
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_revoke_permission"></a>
+
+## Function `revoke_permission`
+
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_revoke_permission">revoke_permission</a>&lt;PermKey: <b>copy</b>, drop, store&gt;(permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, perm: PermKey)
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_revoke_permission">revoke_permission</a>&lt;PermKey: <b>copy</b> + drop + store&gt;(permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, perm: PermKey) <b>acquires</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> {
+    <b>if</b>(!<a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(permissioned)) {
+        // Master <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a> <b>has</b> no permissions associated <b>with</b> it.
+        <b>return</b>
+    };
+    <b>let</b> addr = <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer_address_of">signer::address_of</a>(&<a href="permissioned_signer.md#0x1_permissioned_signer_permission_signer">permission_signer</a>(permissioned));
+    <b>if</b>(!<b>exists</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(addr)) {
+        <b>return</b>
+    };
+    <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_remove">smart_table::remove</a>(&<b>mut</b> <b>borrow_global_mut</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(addr).perms, <a href="../../aptos-stdlib/doc/copyable_any.md#0x1_copyable_any_pack">copyable_any::pack</a>(perm));
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_extract_permission"></a>
+
+## Function `extract_permission`
+
+Another flavor of api to extract and store permissions
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_extract_permission">extract_permission</a>&lt;PermKey: <b>copy</b>, drop, store&gt;(s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, weight: u256, perm: PermKey): <a href="permissioned_signer.md#0x1_permissioned_signer_Permission">permissioned_signer::Permission</a>&lt;PermKey&gt;
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_extract_permission">extract_permission</a>&lt;PermKey: <b>copy</b> + drop + store&gt;(
+    s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>,
+    weight: u256,
+    perm: PermKey
+): <a href="permissioned_signer.md#0x1_permissioned_signer_Permission">Permission</a>&lt;PermKey&gt; <b>acquires</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> {
+    <b>assert</b>!(<a href="permissioned_signer.md#0x1_permissioned_signer_check_permission">check_permission</a>(s, weight, perm), <a href="../../aptos-stdlib/../move-stdlib/doc/error.md#0x1_error_permission_denied">error::permission_denied</a>(<a href="permissioned_signer.md#0x1_permissioned_signer_ECANNOT_EXTRACT_PERMISSION">ECANNOT_EXTRACT_PERMISSION</a>));
+    <a href="permissioned_signer.md#0x1_permissioned_signer_Permission">Permission</a> {
+        owner_address: <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer_address_of">signer::address_of</a>(s),
+        key: perm,
+        capacity: weight,
+    }
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_get_key"></a>
+
+## Function `get_key`
+
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_get_key">get_key</a>&lt;PermKey&gt;(perm: &<a href="permissioned_signer.md#0x1_permissioned_signer_Permission">permissioned_signer::Permission</a>&lt;PermKey&gt;): &PermKey
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_get_key">get_key</a>&lt;PermKey&gt;(perm: &<a href="permissioned_signer.md#0x1_permissioned_signer_Permission">Permission</a>&lt;PermKey&gt;): &PermKey {
+    &perm.key
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_address_of"></a>
+
+## Function `address_of`
+
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_address_of">address_of</a>&lt;PermKey&gt;(perm: &<a href="permissioned_signer.md#0x1_permissioned_signer_Permission">permissioned_signer::Permission</a>&lt;PermKey&gt;): <b>address</b>
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_address_of">address_of</a>&lt;PermKey&gt;(perm: &<a href="permissioned_signer.md#0x1_permissioned_signer_Permission">Permission</a>&lt;PermKey&gt;): <b>address</b> {
+    perm.owner_address
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_consume_permission"></a>
+
+## Function `consume_permission`
+
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_consume_permission">consume_permission</a>&lt;PermKey: <b>copy</b>, drop, store&gt;(perm: &<b>mut</b> <a href="permissioned_signer.md#0x1_permissioned_signer_Permission">permissioned_signer::Permission</a>&lt;PermKey&gt;, weight: u256, perm_key: PermKey): bool
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_consume_permission">consume_permission</a>&lt;PermKey: <b>copy</b> + drop + store&gt;(
+    perm: &<b>mut</b> <a href="permissioned_signer.md#0x1_permissioned_signer_Permission">Permission</a>&lt;PermKey&gt;,
+    weight: u256,
+    perm_key: PermKey
+): bool {
+    <b>if</b>(perm.key != perm_key) {
+        <b>return</b> <b>false</b>
+    };
+    <b>if</b>(perm.capacity &gt;= weight) {
+        perm.capacity = perm.capacity - weight;
+        <b>return</b> <b>true</b>
+    } <b>else</b> {
+        <b>return</b> <b>false</b>
+    }
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_store_permission"></a>
+
+## Function `store_permission`
+
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_store_permission">store_permission</a>&lt;PermKey: <b>copy</b>, drop, store&gt;(s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, perm: <a href="permissioned_signer.md#0x1_permissioned_signer_Permission">permissioned_signer::Permission</a>&lt;PermKey&gt;)
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_store_permission">store_permission</a>&lt;PermKey: <b>copy</b> + drop + store&gt;(
+    s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>,
+    perm: <a href="permissioned_signer.md#0x1_permissioned_signer_Permission">Permission</a>&lt;PermKey&gt;
+) <b>acquires</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> {
+    <b>assert</b>!(<a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(s), <a href="../../aptos-stdlib/../move-stdlib/doc/error.md#0x1_error_permission_denied">error::permission_denied</a>(<a href="permissioned_signer.md#0x1_permissioned_signer_ENOT_PERMISSIONED_SIGNER">ENOT_PERMISSIONED_SIGNER</a>));
+    <b>let</b> <a href="permissioned_signer.md#0x1_permissioned_signer_Permission">Permission</a> { key, capacity, owner_address } = perm;
+
+    <b>assert</b>!(<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer_address_of">signer::address_of</a>(s) == owner_address, <a href="../../aptos-stdlib/../move-stdlib/doc/error.md#0x1_error_permission_denied">error::permission_denied</a>(<a href="permissioned_signer.md#0x1_permissioned_signer_E_PERMISSION_MISMATCH">E_PERMISSION_MISMATCH</a>));
+
+    <b>let</b> permission_signer = <a href="permissioned_signer.md#0x1_permissioned_signer_permission_signer">permission_signer</a>(s);
+    <b>let</b> permission_signer_addr = <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer_address_of">signer::address_of</a>(&permission_signer);
+    <b>if</b>(!<b>exists</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(permission_signer_addr)) {
+        <b>move_to</b>(&permission_signer, <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> { perms: <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_new">smart_table::new</a>()});
+    };
+    <b>let</b> perms = &<b>mut</b> <b>borrow_global_mut</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(permission_signer_addr).perms;
+    <b>let</b> key = <a href="../../aptos-stdlib/doc/copyable_any.md#0x1_copyable_any_pack">copyable_any::pack</a>(key);
+    <b>if</b>(<a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_contains">smart_table::contains</a>(perms, key)) {
+        <b>let</b> entry = <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_borrow_mut">smart_table::borrow_mut</a>(perms, key);
+        *entry = *entry + capacity;
+    } <b>else</b> {
+        <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_add">smart_table::add</a>(perms, key, capacity)
+    }
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_is_permissioned_signer"></a>
+
+## Function `is_permissioned_signer`
+
+Creates a permissioned signer from an existing universal signer. The function aborts if the
+given signer is already a permissioned signer.
+
+The implementation of this function requires to extend the value representation for signers in the VM.
+
+Check whether this is a permissioned signer.
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>): bool
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>native</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>): bool;
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_permission_signer"></a>
+
+## Function `permission_signer`
+
+Return the signer used for storing permissions. Aborts if not a permissioned signer.
+
+
+<pre><code><b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_permission_signer">permission_signer</a>(permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>): <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>native</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_permission_signer">permission_signer</a>(permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>): <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>;
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_signer_from_permissioned_impl"></a>
+
+## Function `signer_from_permissioned_impl`
+
+
+invariants:
+signer::address_of(master) == signer::address_of(signer_from_permissioned(create_permissioned_handle(master))),
+
+
+<pre><code><b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_signer_from_permissioned_impl">signer_from_permissioned_impl</a>(p: &<a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">permissioned_signer::PermissionedHandle</a>): <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>native</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_signer_from_permissioned_impl">signer_from_permissioned_impl</a>(p: &<a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">PermissionedHandle</a>): <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>;
+</code></pre>
+
+
+
+</details>
+
+
+[move-book]: https://aptos.dev/move/book/SUMMARY
diff --git a/aptos-move/framework/aptos-framework/sources/permissioned_signer.move b/aptos-move/framework/aptos-framework/sources/permissioned_signer.move
new file mode 100644
index 00000000000000..803db701cc9c73
--- /dev/null
+++ b/aptos-move/framework/aptos-framework/sources/permissioned_signer.move
@@ -0,0 +1,249 @@
+/// A _permissioned signer_ consists of a pair of the original signer and a generated
+/// signer which is used store information about associated permissions.
+///
+/// A permissioned signer behaves compatible with the original signer as it comes to `move_to`, `address_of`, and
+/// existing basic signer functionality. However, the permissions can be queried to assert additional
+/// restrictions on the use of the signer.
+///
+/// A client which is interested in restricting access granted via a signer can create a permissioned signer
+/// and pass on to other existing code without changes to existing APIs. Core functions in the framework, for
+/// example account functions, can then assert availability of permissions, effectively restricting
+/// existing code in a compatible way.
+///
+/// After introducing the core functionality, examples are provided for withdraw limit on accounts, and
+/// for blind signing.
+module aptos_framework::permissioned_signer {
+    use std::signer;
+    use std::error;
+    use std::option::{Option, Self};
+    use aptos_std::copyable_any::{Self, Any};
+    use aptos_std::smart_table::{Self, SmartTable};
+    use aptos_framework::transaction_context::generate_auid_address;
+    use aptos_framework::timestamp;
+
+    /// Trying to grant permission using master signer.
+    const ENOT_MASTER_SIGNER: u64 = 1;
+
+    /// Cannot authorize a permission.
+    const ECANNOT_AUTHORIZE: u64 = 2;
+
+    /// Access permission information from a master signer.
+    const ENOT_PERMISSIONED_SIGNER: u64 = 3;
+
+    /// signer doesn't have enough capacity to extract permission.
+    const ECANNOT_EXTRACT_PERMISSION: u64 = 4;
+
+    /// permission handle has expired.
+    const E_PERMISSION_EXPIRED: u64 = 5;
+
+    /// storing extracted permission into a different signer.
+    const E_PERMISSION_MISMATCH: u64 = 6;
+
+    struct PermissionedHandle has store {
+        master_addr: address,
+        permission_addr: address,
+        expiration_time: u64,
+    }
+
+    struct PermStorage has key {
+        perms: SmartTable<Any, u256>,
+    }
+
+    struct Permission<K> {
+        owner_address: address,
+        key: K,
+        capacity: u256,
+    }
+
+    public fun create_permissioned_handle(master: &signer): PermissionedHandle {
+        create_permissioned_handle_with_expiration(master, 60)
+    }
+
+    public fun create_permissioned_handle_with_expiration(master: &signer, expiration_time: u64): PermissionedHandle {
+        assert!(!is_permissioned_signer(master), error::permission_denied(ENOT_MASTER_SIGNER));
+        // Do we need to move sth similar to ObjectCore to register this address as permission address?
+        PermissionedHandle {
+            master_addr: signer::address_of(master),
+            permission_addr: generate_auid_address(),
+            expiration_time: expiration_time + timestamp::now_seconds(),
+        }
+    }
+
+    public fun destroy_permissioned_handle(p: PermissionedHandle) acquires PermStorage {
+        let PermissionedHandle { master_addr: _, permission_addr, expiration_time: _ } = p;
+        let PermStorage { perms } = move_from<PermStorage>(permission_addr);
+        smart_table::destroy(perms);
+    }
+
+
+    public fun signer_from_permissioned(p: &PermissionedHandle): signer {
+        assert!(timestamp::now_seconds() < p.expiration_time, error::permission_denied(E_PERMISSION_EXPIRED));
+        signer_from_permissioned_impl(p)
+    }
+
+    public fun assert_master_signer(s: &signer) {
+        assert!(!is_permissioned_signer(s), error::permission_denied(ENOT_MASTER_SIGNER));
+    }
+
+    /// =====================================================================================================
+    /// Permission Management
+    ///
+
+    /// Authorizes `permissioned` with the given permission. This requires to have access to the `master`
+    /// signer.
+    public fun authorize<PermKey: copy + drop + store>(
+        master: &signer,
+        permissioned: &signer,
+        capacity: u256,
+        perm: PermKey
+    ) acquires PermStorage {
+        assert!(
+            is_permissioned_signer(permissioned) &&
+            !is_permissioned_signer(master) &&
+            signer::address_of(master) == signer::address_of(permissioned),
+            error::permission_denied(ECANNOT_AUTHORIZE)
+        );
+        let permission_signer = permission_signer(permissioned);
+        let permission_signer_addr = signer::address_of(&permission_signer);
+        if(!exists<PermStorage>(permission_signer_addr)) {
+            move_to(&permission_signer, PermStorage { perms: smart_table::new()});
+        };
+        let perms = &mut borrow_global_mut<PermStorage>(permission_signer_addr).perms;
+        let key = copyable_any::pack(perm);
+        if(smart_table::contains(perms, key)) {
+            let entry = smart_table::borrow_mut(perms, key);
+            *entry = *entry + capacity;
+        } else {
+            smart_table::add(perms, key, capacity);
+        }
+    }
+    /// Asserts that the given signer has permission `PermKey`, and the capacity
+    /// to handle `weight`, which will be subtracted from capacity.
+    public fun check_permission<PermKey: copy + drop + store>(
+        s: &signer,
+        weight: u256,
+        perm: PermKey
+    ): bool acquires PermStorage {
+        if (!is_permissioned_signer(s)) {
+            // master signer has all permissions
+            return true
+        };
+        let addr = signer::address_of(&permission_signer(s));
+        if(!exists<PermStorage>(addr)) {
+            return false
+        };
+        let perm = smart_table::borrow_mut(&mut borrow_global_mut<PermStorage>(addr).perms, copyable_any::pack(perm));
+        if(*perm < weight) {
+            return false
+        };
+        *perm = *perm - weight;
+        return true
+    }
+
+    public fun capacity<PermKey: copy + drop + store>(s: &signer, perm: PermKey): Option<u256> acquires PermStorage {
+        assert!(is_permissioned_signer(s), error::permission_denied(ENOT_PERMISSIONED_SIGNER));
+        let addr = signer::address_of(&permission_signer(s));
+        if(!exists<PermStorage>(addr)) {
+            return option::none()
+        };
+        let perm_storage = &borrow_global<PermStorage>(addr).perms;
+        let key = copyable_any::pack(perm);
+        if(smart_table::contains(perm_storage, key)) {
+            option::some(*smart_table::borrow(&borrow_global<PermStorage>(addr).perms, key))
+        } else {
+            option::none()
+        }
+    }
+
+    public fun revoke_permission<PermKey: copy + drop + store>(permissioned: &signer, perm: PermKey) acquires PermStorage {
+        if(!is_permissioned_signer(permissioned)) {
+            // Master signer has no permissions associated with it.
+            return
+        };
+        let addr = signer::address_of(&permission_signer(permissioned));
+        if(!exists<PermStorage>(addr)) {
+            return
+        };
+        smart_table::remove(&mut borrow_global_mut<PermStorage>(addr).perms, copyable_any::pack(perm));
+    }
+
+    /// Another flavor of api to extract and store permissions
+    public fun extract_permission<PermKey: copy + drop + store>(
+        s: &signer,
+        weight: u256,
+        perm: PermKey
+    ): Permission<PermKey> acquires PermStorage {
+        assert!(check_permission(s, weight, perm), error::permission_denied(ECANNOT_EXTRACT_PERMISSION));
+        Permission {
+            owner_address: signer::address_of(s),
+            key: perm,
+            capacity: weight,
+        }
+    }
+
+    public fun get_key<PermKey>(perm: &Permission<PermKey>): &PermKey {
+        &perm.key
+    }
+
+    public fun address_of<PermKey>(perm: &Permission<PermKey>): address {
+        perm.owner_address
+    }
+
+    public fun consume_permission<PermKey: copy + drop + store>(
+        perm: &mut Permission<PermKey>,
+        weight: u256,
+        perm_key: PermKey
+    ): bool {
+        if(perm.key != perm_key) {
+            return false
+        };
+        if(perm.capacity >= weight) {
+            perm.capacity = perm.capacity - weight;
+            return true
+        } else {
+            return false
+        }
+    }
+
+    public fun store_permission<PermKey: copy + drop + store>(
+        s: &signer,
+        perm: Permission<PermKey>
+    ) acquires PermStorage {
+        assert!(is_permissioned_signer(s), error::permission_denied(ENOT_PERMISSIONED_SIGNER));
+        let Permission { key, capacity, owner_address } = perm;
+
+        assert!(signer::address_of(s) == owner_address, error::permission_denied(E_PERMISSION_MISMATCH));
+
+        let permission_signer = permission_signer(s);
+        let permission_signer_addr = signer::address_of(&permission_signer);
+        if(!exists<PermStorage>(permission_signer_addr)) {
+            move_to(&permission_signer, PermStorage { perms: smart_table::new()});
+        };
+        let perms = &mut borrow_global_mut<PermStorage>(permission_signer_addr).perms;
+        let key = copyable_any::pack(key);
+        if(smart_table::contains(perms, key)) {
+            let entry = smart_table::borrow_mut(perms, key);
+            *entry = *entry + capacity;
+        } else {
+            smart_table::add(perms, key, capacity)
+        }
+    }
+
+    // =====================================================================================================
+    // Native Functions
+
+    /// Creates a permissioned signer from an existing universal signer. The function aborts if the
+    /// given signer is already a permissioned signer.
+    ///
+    /// The implementation of this function requires to extend the value representation for signers in the VM.
+    ///
+    /// Check whether this is a permissioned signer.
+    public native fun is_permissioned_signer(s: &signer): bool;
+    /// Return the signer used for storing permissions. Aborts if not a permissioned signer.
+    native fun permission_signer(permissioned: &signer): signer;
+    ///
+    /// invariants:
+    ///   signer::address_of(master) == signer::address_of(signer_from_permissioned(create_permissioned_handle(master))),
+    ///
+    native fun signer_from_permissioned_impl(p: &PermissionedHandle): signer;
+}
diff --git a/aptos-move/framework/aptos-framework/tests/permissioned_signer_tests.move b/aptos-move/framework/aptos-framework/tests/permissioned_signer_tests.move
new file mode 100644
index 00000000000000..1f1c7107daf38a
--- /dev/null
+++ b/aptos-move/framework/aptos-framework/tests/permissioned_signer_tests.move
@@ -0,0 +1,118 @@
+#[test_only]
+module aptos_framework::permissioned_signer_tests {
+    use aptos_framework::account::create_signer_for_test;
+    use aptos_framework::permissioned_signer;
+    use aptos_framework::timestamp;
+    use std::option;
+    use std::signer;
+
+    struct OnePermission has copy, drop, store {}
+
+    struct AddressPermission has copy, drop, store {
+        addr: address
+    }
+
+
+    #[test(creator = @0xcafe)]
+    fun test_permission_e2e(
+        creator: &signer,
+    ) {
+        let aptos_framework = create_signer_for_test(@0x1);
+        timestamp::set_time_has_started_for_testing(&aptos_framework);
+
+        let perm_handle = permissioned_signer::create_permissioned_handle(creator);
+        let perm_signer = permissioned_signer::signer_from_permissioned(&perm_handle);
+
+        assert!(permissioned_signer::is_permissioned_signer(&perm_signer), 1);
+        assert!(!permissioned_signer::is_permissioned_signer(creator), 1);
+        assert!(signer::address_of(&perm_signer) == signer::address_of(creator), 1);
+
+        permissioned_signer::authorize(creator, &perm_signer, 100, OnePermission {});
+        assert!(permissioned_signer::capacity(&perm_signer, OnePermission {}) == option::some(100), 1);
+
+        assert!(permissioned_signer::check_permission(&perm_signer, 10, OnePermission {}), 1);
+        assert!(permissioned_signer::capacity(&perm_signer, OnePermission {}) == option::some(90), 1);
+
+        permissioned_signer::authorize(creator, &perm_signer, 5, AddressPermission { addr: @0x1 });
+
+        assert!(permissioned_signer::capacity(&perm_signer, AddressPermission { addr: @0x1 }) == option::some(5), 1);
+        assert!(permissioned_signer::capacity(&perm_signer, AddressPermission { addr: @0x2 }) == option::none(), 1);
+
+        // Not enough capacity, check permission should return false
+        assert!(!permissioned_signer::check_permission(&perm_signer, 10, AddressPermission { addr: @0x1 }), 1);
+
+        permissioned_signer::revoke_permission(&perm_signer, OnePermission {});
+        assert!(permissioned_signer::capacity(&perm_signer, OnePermission {}) == option::none(), 1);
+
+        permissioned_signer::destroy_permissioned_handle(perm_handle);
+    }
+
+    // invalid authorization
+    // 1. master signer is a permissioned signer
+    // 2. permissioned signer is a master signer
+    // 3. permissioned and main signer address mismatch
+    #[test(creator = @0xcafe)]
+    #[expected_failure(abort_code = 0x50002, location = aptos_framework::permissioned_signer)]
+    fun test_auth_1(
+        creator: &signer,
+    ) {
+        let aptos_framework = create_signer_for_test(@0x1);
+        timestamp::set_time_has_started_for_testing(&aptos_framework);
+
+        let perm_handle = permissioned_signer::create_permissioned_handle(creator);
+        let perm_signer = permissioned_signer::signer_from_permissioned(&perm_handle);
+
+        permissioned_signer::authorize(&perm_signer, &perm_signer, 100, OnePermission {});
+        permissioned_signer::destroy_permissioned_handle(perm_handle);
+    }
+
+    #[test(creator = @0xcafe)]
+    #[expected_failure(abort_code = 0x50002, location = aptos_framework::permissioned_signer)]
+    fun test_auth_2(
+        creator: &signer,
+    ) {
+        permissioned_signer::authorize(creator, creator, 100, OnePermission {});
+    }
+
+    #[test(creator = @0xcafe, creator2 = @0xbeef)]
+    #[expected_failure(abort_code = 0x50002, location = aptos_framework::permissioned_signer)]
+    fun test_auth_3(
+        creator: &signer,
+        creator2: &signer,
+    ) {
+        let aptos_framework = create_signer_for_test(@0x1);
+        timestamp::set_time_has_started_for_testing(&aptos_framework);
+
+        let perm_handle = permissioned_signer::create_permissioned_handle(creator);
+        let perm_signer = permissioned_signer::signer_from_permissioned(&perm_handle);
+
+        permissioned_signer::authorize(creator2, &perm_signer, 100, OnePermission {});
+        permissioned_signer::destroy_permissioned_handle(perm_handle);
+    }
+
+    // Accessing capacity on a master signer
+    #[test(creator = @0xcafe)]
+    #[expected_failure(abort_code = 0x50003, location = aptos_framework::permissioned_signer)]
+    fun test_invalid_capacity(
+        creator: &signer,
+    ) {
+        permissioned_signer::capacity(creator, OnePermission {});
+    }
+
+    // creating permission using a permissioned signer
+    #[test(creator = @0xcafe)]
+    #[expected_failure(abort_code = 0x50001, location = aptos_framework::permissioned_signer)]
+    fun test_invalid_creation(
+        creator: &signer,
+    ) {
+        let aptos_framework = create_signer_for_test(@0x1);
+        timestamp::set_time_has_started_for_testing(&aptos_framework);
+
+        let perm_handle = permissioned_signer::create_permissioned_handle(creator);
+        let perm_signer = permissioned_signer::signer_from_permissioned(&perm_handle);
+
+        let perm_handle_2 = permissioned_signer::create_permissioned_handle(&perm_signer);
+        permissioned_signer::destroy_permissioned_handle(perm_handle);
+        permissioned_signer::destroy_permissioned_handle(perm_handle_2);
+    }
+}