diff --git a/api/cosmos/authz/v1beta1/authz.pulsar.go b/api/cosmos/authz/v1beta1/authz.pulsar.go
index 865fe2408dc3..1b3f9f560bf5 100644
--- a/api/cosmos/authz/v1beta1/authz.pulsar.go
+++ b/api/cosmos/authz/v1beta1/authz.pulsar.go
@@ -2756,6 +2756,500 @@ func (x *fastReflection_GrantQueueItem) ProtoMethods() *protoiface.Methods {
 	}
 }
 
+var _ protoreflect.List = (*_AllowedGrantRulesKeys_1_list)(nil)
+
+type _AllowedGrantRulesKeys_1_list struct {
+	list *[]*Rule
+}
+
+func (x *_AllowedGrantRulesKeys_1_list) Len() int {
+	if x.list == nil {
+		return 0
+	}
+	return len(*x.list)
+}
+
+func (x *_AllowedGrantRulesKeys_1_list) Get(i int) protoreflect.Value {
+	return protoreflect.ValueOfMessage((*x.list)[i].ProtoReflect())
+}
+
+func (x *_AllowedGrantRulesKeys_1_list) Set(i int, value protoreflect.Value) {
+	valueUnwrapped := value.Message()
+	concreteValue := valueUnwrapped.Interface().(*Rule)
+	(*x.list)[i] = concreteValue
+}
+
+func (x *_AllowedGrantRulesKeys_1_list) Append(value protoreflect.Value) {
+	valueUnwrapped := value.Message()
+	concreteValue := valueUnwrapped.Interface().(*Rule)
+	*x.list = append(*x.list, concreteValue)
+}
+
+func (x *_AllowedGrantRulesKeys_1_list) AppendMutable() protoreflect.Value {
+	v := new(Rule)
+	*x.list = append(*x.list, v)
+	return protoreflect.ValueOfMessage(v.ProtoReflect())
+}
+
+func (x *_AllowedGrantRulesKeys_1_list) Truncate(n int) {
+	for i := n; i < len(*x.list); i++ {
+		(*x.list)[i] = nil
+	}
+	*x.list = (*x.list)[:n]
+}
+
+func (x *_AllowedGrantRulesKeys_1_list) NewElement() protoreflect.Value {
+	v := new(Rule)
+	return protoreflect.ValueOfMessage(v.ProtoReflect())
+}
+
+func (x *_AllowedGrantRulesKeys_1_list) IsValid() bool {
+	return x.list != nil
+}
+
+var (
+	md_AllowedGrantRulesKeys      protoreflect.MessageDescriptor
+	fd_AllowedGrantRulesKeys_keys protoreflect.FieldDescriptor
+)
+
+func init() {
+	file_cosmos_authz_v1beta1_authz_proto_init()
+	md_AllowedGrantRulesKeys = File_cosmos_authz_v1beta1_authz_proto.Messages().ByName("AllowedGrantRulesKeys")
+	fd_AllowedGrantRulesKeys_keys = md_AllowedGrantRulesKeys.Fields().ByName("keys")
+}
+
+var _ protoreflect.Message = (*fastReflection_AllowedGrantRulesKeys)(nil)
+
+type fastReflection_AllowedGrantRulesKeys AllowedGrantRulesKeys
+
+func (x *AllowedGrantRulesKeys) ProtoReflect() protoreflect.Message {
+	return (*fastReflection_AllowedGrantRulesKeys)(x)
+}
+
+func (x *AllowedGrantRulesKeys) slowProtoReflect() protoreflect.Message {
+	mi := &file_cosmos_authz_v1beta1_authz_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+var _fastReflection_AllowedGrantRulesKeys_messageType fastReflection_AllowedGrantRulesKeys_messageType
+var _ protoreflect.MessageType = fastReflection_AllowedGrantRulesKeys_messageType{}
+
+type fastReflection_AllowedGrantRulesKeys_messageType struct{}
+
+func (x fastReflection_AllowedGrantRulesKeys_messageType) Zero() protoreflect.Message {
+	return (*fastReflection_AllowedGrantRulesKeys)(nil)
+}
+func (x fastReflection_AllowedGrantRulesKeys_messageType) New() protoreflect.Message {
+	return new(fastReflection_AllowedGrantRulesKeys)
+}
+func (x fastReflection_AllowedGrantRulesKeys_messageType) Descriptor() protoreflect.MessageDescriptor {
+	return md_AllowedGrantRulesKeys
+}
+
+// Descriptor returns message descriptor, which contains only the protobuf
+// type information for the message.
+func (x *fastReflection_AllowedGrantRulesKeys) Descriptor() protoreflect.MessageDescriptor {
+	return md_AllowedGrantRulesKeys
+}
+
+// Type returns the message type, which encapsulates both Go and protobuf
+// type information. If the Go type information is not needed,
+// it is recommended that the message descriptor be used instead.
+func (x *fastReflection_AllowedGrantRulesKeys) Type() protoreflect.MessageType {
+	return _fastReflection_AllowedGrantRulesKeys_messageType
+}
+
+// New returns a newly allocated and mutable empty message.
+func (x *fastReflection_AllowedGrantRulesKeys) New() protoreflect.Message {
+	return new(fastReflection_AllowedGrantRulesKeys)
+}
+
+// Interface unwraps the message reflection interface and
+// returns the underlying ProtoMessage interface.
+func (x *fastReflection_AllowedGrantRulesKeys) Interface() protoreflect.ProtoMessage {
+	return (*AllowedGrantRulesKeys)(x)
+}
+
+// Range iterates over every populated field in an undefined order,
+// calling f for each field descriptor and value encountered.
+// Range returns immediately if f returns false.
+// While iterating, mutating operations may only be performed
+// on the current field descriptor.
+func (x *fastReflection_AllowedGrantRulesKeys) Range(f func(protoreflect.FieldDescriptor, protoreflect.Value) bool) {
+	if len(x.Keys) != 0 {
+		value := protoreflect.ValueOfList(&_AllowedGrantRulesKeys_1_list{list: &x.Keys})
+		if !f(fd_AllowedGrantRulesKeys_keys, value) {
+			return
+		}
+	}
+}
+
+// Has reports whether a field is populated.
+//
+// Some fields have the property of nullability where it is possible to
+// distinguish between the default value of a field and whether the field
+// was explicitly populated with the default value. Singular message fields,
+// member fields of a oneof, and proto2 scalar fields are nullable. Such
+// fields are populated only if explicitly set.
+//
+// In other cases (aside from the nullable cases above),
+// a proto3 scalar field is populated if it contains a non-zero value, and
+// a repeated field is populated if it is non-empty.
+func (x *fastReflection_AllowedGrantRulesKeys) Has(fd protoreflect.FieldDescriptor) bool {
+	switch fd.FullName() {
+	case "cosmos.authz.v1beta1.AllowedGrantRulesKeys.keys":
+		return len(x.Keys) != 0
+	default:
+		if fd.IsExtension() {
+			panic(fmt.Errorf("proto3 declared messages do not support extensions: cosmos.authz.v1beta1.AllowedGrantRulesKeys"))
+		}
+		panic(fmt.Errorf("message cosmos.authz.v1beta1.AllowedGrantRulesKeys does not contain field %s", fd.FullName()))
+	}
+}
+
+// Clear clears the field such that a subsequent Has call reports false.
+//
+// Clearing an extension field clears both the extension type and value
+// associated with the given field number.
+//
+// Clear is a mutating operation and unsafe for concurrent use.
+func (x *fastReflection_AllowedGrantRulesKeys) Clear(fd protoreflect.FieldDescriptor) {
+	switch fd.FullName() {
+	case "cosmos.authz.v1beta1.AllowedGrantRulesKeys.keys":
+		x.Keys = nil
+	default:
+		if fd.IsExtension() {
+			panic(fmt.Errorf("proto3 declared messages do not support extensions: cosmos.authz.v1beta1.AllowedGrantRulesKeys"))
+		}
+		panic(fmt.Errorf("message cosmos.authz.v1beta1.AllowedGrantRulesKeys does not contain field %s", fd.FullName()))
+	}
+}
+
+// Get retrieves the value for a field.
+//
+// For unpopulated scalars, it returns the default value, where
+// the default value of a bytes scalar is guaranteed to be a copy.
+// For unpopulated composite types, it returns an empty, read-only view
+// of the value; to obtain a mutable reference, use Mutable.
+func (x *fastReflection_AllowedGrantRulesKeys) Get(descriptor protoreflect.FieldDescriptor) protoreflect.Value {
+	switch descriptor.FullName() {
+	case "cosmos.authz.v1beta1.AllowedGrantRulesKeys.keys":
+		if len(x.Keys) == 0 {
+			return protoreflect.ValueOfList(&_AllowedGrantRulesKeys_1_list{})
+		}
+		listValue := &_AllowedGrantRulesKeys_1_list{list: &x.Keys}
+		return protoreflect.ValueOfList(listValue)
+	default:
+		if descriptor.IsExtension() {
+			panic(fmt.Errorf("proto3 declared messages do not support extensions: cosmos.authz.v1beta1.AllowedGrantRulesKeys"))
+		}
+		panic(fmt.Errorf("message cosmos.authz.v1beta1.AllowedGrantRulesKeys does not contain field %s", descriptor.FullName()))
+	}
+}
+
+// Set stores the value for a field.
+//
+// For a field belonging to a oneof, it implicitly clears any other field
+// that may be currently set within the same oneof.
+// For extension fields, it implicitly stores the provided ExtensionType.
+// When setting a composite type, it is unspecified whether the stored value
+// aliases the source's memory in any way. If the composite value is an
+// empty, read-only value, then it panics.
+//
+// Set is a mutating operation and unsafe for concurrent use.
+func (x *fastReflection_AllowedGrantRulesKeys) Set(fd protoreflect.FieldDescriptor, value protoreflect.Value) {
+	switch fd.FullName() {
+	case "cosmos.authz.v1beta1.AllowedGrantRulesKeys.keys":
+		lv := value.List()
+		clv := lv.(*_AllowedGrantRulesKeys_1_list)
+		x.Keys = *clv.list
+	default:
+		if fd.IsExtension() {
+			panic(fmt.Errorf("proto3 declared messages do not support extensions: cosmos.authz.v1beta1.AllowedGrantRulesKeys"))
+		}
+		panic(fmt.Errorf("message cosmos.authz.v1beta1.AllowedGrantRulesKeys does not contain field %s", fd.FullName()))
+	}
+}
+
+// Mutable returns a mutable reference to a composite type.
+//
+// If the field is unpopulated, it may allocate a composite value.
+// For a field belonging to a oneof, it implicitly clears any other field
+// that may be currently set within the same oneof.
+// For extension fields, it implicitly stores the provided ExtensionType
+// if not already stored.
+// It panics if the field does not contain a composite type.
+//
+// Mutable is a mutating operation and unsafe for concurrent use.
+func (x *fastReflection_AllowedGrantRulesKeys) Mutable(fd protoreflect.FieldDescriptor) protoreflect.Value {
+	switch fd.FullName() {
+	case "cosmos.authz.v1beta1.AllowedGrantRulesKeys.keys":
+		if x.Keys == nil {
+			x.Keys = []*Rule{}
+		}
+		value := &_AllowedGrantRulesKeys_1_list{list: &x.Keys}
+		return protoreflect.ValueOfList(value)
+	default:
+		if fd.IsExtension() {
+			panic(fmt.Errorf("proto3 declared messages do not support extensions: cosmos.authz.v1beta1.AllowedGrantRulesKeys"))
+		}
+		panic(fmt.Errorf("message cosmos.authz.v1beta1.AllowedGrantRulesKeys does not contain field %s", fd.FullName()))
+	}
+}
+
+// NewField returns a new value that is assignable to the field
+// for the given descriptor. For scalars, this returns the default value.
+// For lists, maps, and messages, this returns a new, empty, mutable value.
+func (x *fastReflection_AllowedGrantRulesKeys) NewField(fd protoreflect.FieldDescriptor) protoreflect.Value {
+	switch fd.FullName() {
+	case "cosmos.authz.v1beta1.AllowedGrantRulesKeys.keys":
+		list := []*Rule{}
+		return protoreflect.ValueOfList(&_AllowedGrantRulesKeys_1_list{list: &list})
+	default:
+		if fd.IsExtension() {
+			panic(fmt.Errorf("proto3 declared messages do not support extensions: cosmos.authz.v1beta1.AllowedGrantRulesKeys"))
+		}
+		panic(fmt.Errorf("message cosmos.authz.v1beta1.AllowedGrantRulesKeys does not contain field %s", fd.FullName()))
+	}
+}
+
+// WhichOneof reports which field within the oneof is populated,
+// returning nil if none are populated.
+// It panics if the oneof descriptor does not belong to this message.
+func (x *fastReflection_AllowedGrantRulesKeys) WhichOneof(d protoreflect.OneofDescriptor) protoreflect.FieldDescriptor {
+	switch d.FullName() {
+	default:
+		panic(fmt.Errorf("%s is not a oneof field in cosmos.authz.v1beta1.AllowedGrantRulesKeys", d.FullName()))
+	}
+	panic("unreachable")
+}
+
+// GetUnknown retrieves the entire list of unknown fields.
+// The caller may only mutate the contents of the RawFields
+// if the mutated bytes are stored back into the message with SetUnknown.
+func (x *fastReflection_AllowedGrantRulesKeys) GetUnknown() protoreflect.RawFields {
+	return x.unknownFields
+}
+
+// SetUnknown stores an entire list of unknown fields.
+// The raw fields must be syntactically valid according to the wire format.
+// An implementation may panic if this is not the case.
+// Once stored, the caller must not mutate the content of the RawFields.
+// An empty RawFields may be passed to clear the fields.
+//
+// SetUnknown is a mutating operation and unsafe for concurrent use.
+func (x *fastReflection_AllowedGrantRulesKeys) SetUnknown(fields protoreflect.RawFields) {
+	x.unknownFields = fields
+}
+
+// IsValid reports whether the message is valid.
+//
+// An invalid message is an empty, read-only value.
+//
+// An invalid message often corresponds to a nil pointer of the concrete
+// message type, but the details are implementation dependent.
+// Validity is not part of the protobuf data model, and may not
+// be preserved in marshaling or other operations.
+func (x *fastReflection_AllowedGrantRulesKeys) IsValid() bool {
+	return x != nil
+}
+
+// ProtoMethods returns optional fastReflectionFeature-path implementations of various operations.
+// This method may return nil.
+//
+// The returned methods type is identical to
+// "google.golang.org/protobuf/runtime/protoiface".Methods.
+// Consult the protoiface package documentation for details.
+func (x *fastReflection_AllowedGrantRulesKeys) ProtoMethods() *protoiface.Methods {
+	size := func(input protoiface.SizeInput) protoiface.SizeOutput {
+		x := input.Message.Interface().(*AllowedGrantRulesKeys)
+		if x == nil {
+			return protoiface.SizeOutput{
+				NoUnkeyedLiterals: input.NoUnkeyedLiterals,
+				Size:              0,
+			}
+		}
+		options := runtime.SizeInputToOptions(input)
+		_ = options
+		var n int
+		var l int
+		_ = l
+		if len(x.Keys) > 0 {
+			for _, e := range x.Keys {
+				l = options.Size(e)
+				n += 1 + l + runtime.Sov(uint64(l))
+			}
+		}
+		if x.unknownFields != nil {
+			n += len(x.unknownFields)
+		}
+		return protoiface.SizeOutput{
+			NoUnkeyedLiterals: input.NoUnkeyedLiterals,
+			Size:              n,
+		}
+	}
+
+	marshal := func(input protoiface.MarshalInput) (protoiface.MarshalOutput, error) {
+		x := input.Message.Interface().(*AllowedGrantRulesKeys)
+		if x == nil {
+			return protoiface.MarshalOutput{
+				NoUnkeyedLiterals: input.NoUnkeyedLiterals,
+				Buf:               input.Buf,
+			}, nil
+		}
+		options := runtime.MarshalInputToOptions(input)
+		_ = options
+		size := options.Size(x)
+		dAtA := make([]byte, size)
+		i := len(dAtA)
+		_ = i
+		var l int
+		_ = l
+		if x.unknownFields != nil {
+			i -= len(x.unknownFields)
+			copy(dAtA[i:], x.unknownFields)
+		}
+		if len(x.Keys) > 0 {
+			for iNdEx := len(x.Keys) - 1; iNdEx >= 0; iNdEx-- {
+				encoded, err := options.Marshal(x.Keys[iNdEx])
+				if err != nil {
+					return protoiface.MarshalOutput{
+						NoUnkeyedLiterals: input.NoUnkeyedLiterals,
+						Buf:               input.Buf,
+					}, err
+				}
+				i -= len(encoded)
+				copy(dAtA[i:], encoded)
+				i = runtime.EncodeVarint(dAtA, i, uint64(len(encoded)))
+				i--
+				dAtA[i] = 0xa
+			}
+		}
+		if input.Buf != nil {
+			input.Buf = append(input.Buf, dAtA...)
+		} else {
+			input.Buf = dAtA
+		}
+		return protoiface.MarshalOutput{
+			NoUnkeyedLiterals: input.NoUnkeyedLiterals,
+			Buf:               input.Buf,
+		}, nil
+	}
+	unmarshal := func(input protoiface.UnmarshalInput) (protoiface.UnmarshalOutput, error) {
+		x := input.Message.Interface().(*AllowedGrantRulesKeys)
+		if x == nil {
+			return protoiface.UnmarshalOutput{
+				NoUnkeyedLiterals: input.NoUnkeyedLiterals,
+				Flags:             input.Flags,
+			}, nil
+		}
+		options := runtime.UnmarshalInputToOptions(input)
+		_ = options
+		dAtA := input.Buf
+		l := len(dAtA)
+		iNdEx := 0
+		for iNdEx < l {
+			preIndex := iNdEx
+			var wire uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, runtime.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				wire |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			fieldNum := int32(wire >> 3)
+			wireType := int(wire & 0x7)
+			if wireType == 4 {
+				return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, fmt.Errorf("proto: AllowedGrantRulesKeys: wiretype end group for non-group")
+			}
+			if fieldNum <= 0 {
+				return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, fmt.Errorf("proto: AllowedGrantRulesKeys: illegal tag %d (wire type %d)", fieldNum, wire)
+			}
+			switch fieldNum {
+			case 1:
+				if wireType != 2 {
+					return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, fmt.Errorf("proto: wrong wireType = %d for field Keys", wireType)
+				}
+				var msglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, runtime.ErrIntOverflow
+					}
+					if iNdEx >= l {
+						return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					msglen |= int(b&0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if msglen < 0 {
+					return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, runtime.ErrInvalidLength
+				}
+				postIndex := iNdEx + msglen
+				if postIndex < 0 {
+					return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, runtime.ErrInvalidLength
+				}
+				if postIndex > l {
+					return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, io.ErrUnexpectedEOF
+				}
+				x.Keys = append(x.Keys, &Rule{})
+				if err := options.Unmarshal(dAtA[iNdEx:postIndex], x.Keys[len(x.Keys)-1]); err != nil {
+					return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, err
+				}
+				iNdEx = postIndex
+			default:
+				iNdEx = preIndex
+				skippy, err := runtime.Skip(dAtA[iNdEx:])
+				if err != nil {
+					return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, err
+				}
+				if (skippy < 0) || (iNdEx+skippy) < 0 {
+					return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, runtime.ErrInvalidLength
+				}
+				if (iNdEx + skippy) > l {
+					return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, io.ErrUnexpectedEOF
+				}
+				if !options.DiscardUnknown {
+					x.unknownFields = append(x.unknownFields, dAtA[iNdEx:iNdEx+skippy]...)
+				}
+				iNdEx += skippy
+			}
+		}
+
+		if iNdEx > l {
+			return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, io.ErrUnexpectedEOF
+		}
+		return protoiface.UnmarshalOutput{NoUnkeyedLiterals: input.NoUnkeyedLiterals, Flags: input.Flags}, nil
+	}
+	return &protoiface.Methods{
+		NoUnkeyedLiterals: struct{}{},
+		Flags:             protoiface.SupportMarshalDeterministic | protoiface.SupportUnmarshalDiscardUnknown,
+		Size:              size,
+		Marshal:           marshal,
+		Unmarshal:         unmarshal,
+		Merge:             nil,
+		CheckInitialized:  nil,
+	}
+}
+
 // Since: cosmos-sdk 0.43
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
@@ -3008,6 +3502,42 @@ func (x *GrantQueueItem) GetMsgTypeUrls() []string {
 	return nil
 }
 
+// AllowedGrantRulesKeys contains the keys allowed for each message.
+type AllowedGrantRulesKeys struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Keys []*Rule `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"`
+}
+
+func (x *AllowedGrantRulesKeys) Reset() {
+	*x = AllowedGrantRulesKeys{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cosmos_authz_v1beta1_authz_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *AllowedGrantRulesKeys) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*AllowedGrantRulesKeys) ProtoMessage() {}
+
+// Deprecated: Use AllowedGrantRulesKeys.ProtoReflect.Descriptor instead.
+func (*AllowedGrantRulesKeys) Descriptor() ([]byte, []int) {
+	return file_cosmos_authz_v1beta1_authz_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *AllowedGrantRulesKeys) GetKeys() []*Rule {
+	if x != nil {
+		return x.Keys
+	}
+	return nil
+}
+
 var File_cosmos_authz_v1beta1_authz_proto protoreflect.FileDescriptor
 
 var file_cosmos_authz_v1beta1_authz_proto_rawDesc = []byte{
@@ -3071,20 +3601,25 @@ var file_cosmos_authz_v1beta1_authz_proto_rawDesc = []byte{
 	0x72, 0x61, 0x6e, 0x74, 0x51, 0x75, 0x65, 0x75, 0x65, 0x49, 0x74, 0x65, 0x6d, 0x12, 0x22, 0x0a,
 	0x0d, 0x6d, 0x73, 0x67, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x5f, 0x75, 0x72, 0x6c, 0x73, 0x18, 0x01,
 	0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x6d, 0x73, 0x67, 0x54, 0x79, 0x70, 0x65, 0x55, 0x72, 0x6c,
-	0x73, 0x42, 0xd0, 0x01, 0x0a, 0x18, 0x63, 0x6f, 0x6d, 0x2e, 0x63, 0x6f, 0x73, 0x6d, 0x6f, 0x73,
-	0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x42, 0x0a,
-	0x41, 0x75, 0x74, 0x68, 0x7a, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x32, 0x63, 0x6f,
-	0x73, 0x6d, 0x6f, 0x73, 0x73, 0x64, 0x6b, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x63,
-	0x6f, 0x73, 0x6d, 0x6f, 0x73, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2f, 0x76, 0x31, 0x62, 0x65,
-	0x74, 0x61, 0x31, 0x3b, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31,
-	0xa2, 0x02, 0x03, 0x43, 0x41, 0x58, 0xaa, 0x02, 0x14, 0x43, 0x6f, 0x73, 0x6d, 0x6f, 0x73, 0x2e,
-	0x41, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0xca, 0x02, 0x14,
+	0x73, 0x22, 0x47, 0x0a, 0x15, 0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x47, 0x72, 0x61, 0x6e,
+	0x74, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x2e, 0x0a, 0x04, 0x6b, 0x65,
+	0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x63, 0x6f, 0x73, 0x6d, 0x6f,
+	0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e,
+	0x52, 0x75, 0x6c, 0x65, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x42, 0xd0, 0x01, 0x0a, 0x18, 0x63,
+	0x6f, 0x6d, 0x2e, 0x63, 0x6f, 0x73, 0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e,
+	0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x42, 0x0a, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x50, 0x72,
+	0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x32, 0x63, 0x6f, 0x73, 0x6d, 0x6f, 0x73, 0x73, 0x64, 0x6b,
+	0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x63, 0x6f, 0x73, 0x6d, 0x6f, 0x73, 0x2f, 0x61,
+	0x75, 0x74, 0x68, 0x7a, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x3b, 0x61, 0x75, 0x74,
+	0x68, 0x7a, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0xa2, 0x02, 0x03, 0x43, 0x41, 0x58, 0xaa,
+	0x02, 0x14, 0x43, 0x6f, 0x73, 0x6d, 0x6f, 0x73, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x56,
+	0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0xca, 0x02, 0x14, 0x43, 0x6f, 0x73, 0x6d, 0x6f, 0x73, 0x5c,
+	0x41, 0x75, 0x74, 0x68, 0x7a, 0x5c, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0xe2, 0x02, 0x20,
 	0x43, 0x6f, 0x73, 0x6d, 0x6f, 0x73, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x5c, 0x56, 0x31, 0x62,
-	0x65, 0x74, 0x61, 0x31, 0xe2, 0x02, 0x20, 0x43, 0x6f, 0x73, 0x6d, 0x6f, 0x73, 0x5c, 0x41, 0x75,
-	0x74, 0x68, 0x7a, 0x5c, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d,
-	0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x16, 0x43, 0x6f, 0x73, 0x6d, 0x6f, 0x73,
-	0x3a, 0x3a, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31,
-	0xc8, 0xe1, 0x1e, 0x00, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x65, 0x74, 0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61,
+	0xea, 0x02, 0x16, 0x43, 0x6f, 0x73, 0x6d, 0x6f, 0x73, 0x3a, 0x3a, 0x41, 0x75, 0x74, 0x68, 0x7a,
+	0x3a, 0x3a, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0xc8, 0xe1, 0x1e, 0x00, 0x62, 0x06, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -3099,27 +3634,29 @@ func file_cosmos_authz_v1beta1_authz_proto_rawDescGZIP() []byte {
 	return file_cosmos_authz_v1beta1_authz_proto_rawDescData
 }
 
-var file_cosmos_authz_v1beta1_authz_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
+var file_cosmos_authz_v1beta1_authz_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
 var file_cosmos_authz_v1beta1_authz_proto_goTypes = []interface{}{
 	(*GenericAuthorization)(nil),  // 0: cosmos.authz.v1beta1.GenericAuthorization
 	(*Grant)(nil),                 // 1: cosmos.authz.v1beta1.Grant
 	(*Rule)(nil),                  // 2: cosmos.authz.v1beta1.Rule
 	(*GrantAuthorization)(nil),    // 3: cosmos.authz.v1beta1.GrantAuthorization
 	(*GrantQueueItem)(nil),        // 4: cosmos.authz.v1beta1.GrantQueueItem
-	(*anypb.Any)(nil),             // 5: google.protobuf.Any
-	(*timestamppb.Timestamp)(nil), // 6: google.protobuf.Timestamp
+	(*AllowedGrantRulesKeys)(nil), // 5: cosmos.authz.v1beta1.AllowedGrantRulesKeys
+	(*anypb.Any)(nil),             // 6: google.protobuf.Any
+	(*timestamppb.Timestamp)(nil), // 7: google.protobuf.Timestamp
 }
 var file_cosmos_authz_v1beta1_authz_proto_depIdxs = []int32{
-	5, // 0: cosmos.authz.v1beta1.Grant.authorization:type_name -> google.protobuf.Any
-	6, // 1: cosmos.authz.v1beta1.Grant.expiration:type_name -> google.protobuf.Timestamp
+	6, // 0: cosmos.authz.v1beta1.Grant.authorization:type_name -> google.protobuf.Any
+	7, // 1: cosmos.authz.v1beta1.Grant.expiration:type_name -> google.protobuf.Timestamp
 	2, // 2: cosmos.authz.v1beta1.Grant.rules:type_name -> cosmos.authz.v1beta1.Rule
-	5, // 3: cosmos.authz.v1beta1.GrantAuthorization.authorization:type_name -> google.protobuf.Any
-	6, // 4: cosmos.authz.v1beta1.GrantAuthorization.expiration:type_name -> google.protobuf.Timestamp
-	5, // [5:5] is the sub-list for method output_type
-	5, // [5:5] is the sub-list for method input_type
-	5, // [5:5] is the sub-list for extension type_name
-	5, // [5:5] is the sub-list for extension extendee
-	0, // [0:5] is the sub-list for field type_name
+	6, // 3: cosmos.authz.v1beta1.GrantAuthorization.authorization:type_name -> google.protobuf.Any
+	7, // 4: cosmos.authz.v1beta1.GrantAuthorization.expiration:type_name -> google.protobuf.Timestamp
+	2, // 5: cosmos.authz.v1beta1.AllowedGrantRulesKeys.keys:type_name -> cosmos.authz.v1beta1.Rule
+	6, // [6:6] is the sub-list for method output_type
+	6, // [6:6] is the sub-list for method input_type
+	6, // [6:6] is the sub-list for extension type_name
+	6, // [6:6] is the sub-list for extension extendee
+	0, // [0:6] is the sub-list for field type_name
 }
 
 func init() { file_cosmos_authz_v1beta1_authz_proto_init() }
@@ -3188,6 +3725,18 @@ func file_cosmos_authz_v1beta1_authz_proto_init() {
 				return nil
 			}
 		}
+		file_cosmos_authz_v1beta1_authz_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*AllowedGrantRulesKeys); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
@@ -3195,7 +3744,7 @@ func file_cosmos_authz_v1beta1_authz_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_cosmos_authz_v1beta1_authz_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   5,
+			NumMessages:   6,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
diff --git a/proto/cosmos/authz/v1beta1/authz.proto b/proto/cosmos/authz/v1beta1/authz.proto
index 85188ba62051..e09853294d77 100644
--- a/proto/cosmos/authz/v1beta1/authz.proto
+++ b/proto/cosmos/authz/v1beta1/authz.proto
@@ -56,3 +56,8 @@ message GrantQueueItem {
   // msg_type_urls contains the list of TypeURL of a sdk.Msg.
   repeated string msg_type_urls = 1;
 }
+
+// AllowedGrantRulesKeys contains the keys allowed for each message.
+message AllowedGrantRulesKeys {
+  repeated cosmos.authz.v1beta1.Rule keys = 1;
+}
diff --git a/simapp/app.go b/simapp/app.go
index 241f7b54a26a..d81602e1f8a9 100644
--- a/simapp/app.go
+++ b/simapp/app.go
@@ -3,6 +3,7 @@
 package simapp
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -562,6 +563,27 @@ func NewSimApp(
 	return app
 }
 
+func (app *SimApp) RegisterUpgradeHandlers() {
+	// Upgrade handler for v2
+	app.UpgradeKeeper.SetUpgradeHandler(
+		"v2",
+		func(ctx context.Context, plan upgradetypes.Plan, fromVM module.VersionMap) (module.VersionMap, error) {
+			app.AuthzKeeper.SetAuthzRulesKeys(ctx, &authz.AllowedGrantRulesKeys{
+				Keys: []*authz.Rule{
+					&authz.Rule{Key: sdk.MsgTypeURL(&banktypes.MsgSend{}), Values: []string{
+						authz.MaxAmount, authz.AllowedRecipients,
+					}},
+					&authz.Rule{Key: sdk.MsgTypeURL(&stakingtypes.MsgDelegate{}), Values: []string{
+						authz.AllowedStakeValidators, authz.AllowedMaxStakeAmount,
+					}},
+				},
+			})
+
+			return app.ModuleManager.RunMigrations(ctx, app.Configurator(), fromVM)
+		},
+	)
+}
+
 func (app *SimApp) setAnteHandler(txConfig client.TxConfig) {
 	anteHandler, err := NewAnteHandler(
 		HandlerOptions{
diff --git a/x/auth/ante/authz_rules_ante.go b/x/auth/ante/authz_rules_ante.go
index 93ebba1f9f99..9d138ee2d5ce 100644
--- a/x/auth/ante/authz_rules_ante.go
+++ b/x/auth/ante/authz_rules_ante.go
@@ -43,25 +43,24 @@ func (azd AuthzDecorator) AnteHandle(ctx sdk.Context, tx sdk.Tx, simulate bool,
 		// Check if the message is an authorization message
 		if authzMsg, ok := msg.(*authztypes.MsgExec); ok {
 
-			msgs, err := authzMsg.GetMessages()
+			authzMsgs, err := authzMsg.GetMessages()
 			if err != nil {
 				return ctx, err
 			}
 
-			for _, innerMsg := range msgs {
+			for _, innerMsg := range authzMsgs {
 				switch innerMsgConverted := innerMsg.(type) {
 				case *banktypes.MsgSend:
-					isRulesBroken, err := azd.handleSendAuthzRules(ctx, innerMsgConverted, grantee)
-					if isRulesBroken {
+					err := azd.handleSendAuthzRules(ctx, innerMsgConverted, grantee)
+					if err != nil {
 						return ctx, err
 					}
 				case *stakingv1beta1.MsgDelegate:
-					isRulesBroken, err := azd.handleStakeAuthzRules(ctx, innerMsgConverted, grantee)
-					if isRulesBroken {
+					err := azd.handleStakeAuthzRules(ctx, innerMsgConverted, grantee)
+					if err != nil {
 						return ctx, err
 					}
 				}
-
 			}
 		}
 	}
@@ -71,11 +70,10 @@ func (azd AuthzDecorator) AnteHandle(ctx sdk.Context, tx sdk.Tx, simulate bool,
 }
 
 // handleCheckSendAuthzRules returns true if the rules are voilated
-func (azd AuthzDecorator) handleSendAuthzRules(ctx sdk.Context, msg *banktypes.MsgSend, grantee []byte) (bool, error) {
-
+func (azd AuthzDecorator) handleSendAuthzRules(ctx sdk.Context, msg *banktypes.MsgSend, grantee []byte) error {
 	granter, err := azd.ak.AddressCodec().StringToBytes(msg.FromAddress)
 	if err != nil {
-		return true, err
+		return err
 	}
 
 	_, rules := azd.azk.GetAuthzWithRules(ctx, grantee, granter, sdk.MsgTypeURL(&banktypes.MsgSend{}))
@@ -90,29 +88,29 @@ func (azd AuthzDecorator) handleSendAuthzRules(ctx sdk.Context, msg *banktypes.M
 			}
 
 			if !isAllowed {
-				return true, errorsmod.Wrap(sdkerrors.ErrTxDecode, "Recipient is not in the allowed list of the grant")
+				return errorsmod.Wrap(sdkerrors.ErrTxDecode, "Recipient is not in the allowed list of the grant")
 			}
 		}
 
 		if rule.Key == authztypes.MaxAmount {
 			limit, err := sdk.ParseCoinsNormalized(strings.Join(rule.Values, ","))
 			if err != nil {
-				return true, err
+				return err
 			}
 			if !limit.IsAllGTE(msg.Amount) {
-				return true, errorsmod.Wrap(sdkerrors.ErrTxDecode, "Amount exceeds the max_amount limit set by the granter")
+				return errorsmod.Wrap(sdkerrors.ErrTxDecode, "Amount exceeds the max_amount limit set by the granter")
 			}
 		}
 
 	}
 
-	return false, nil
+	return nil
 }
 
-func (azd AuthzDecorator) handleStakeAuthzRules(ctx sdk.Context, msg *stakingv1beta1.MsgDelegate, grantee []byte) (bool, error) {
+func (azd AuthzDecorator) handleStakeAuthzRules(ctx sdk.Context, msg *stakingv1beta1.MsgDelegate, grantee []byte) error {
 	granter, err := azd.ak.AddressCodec().StringToBytes(msg.DelegatorAddress)
 	if err != nil {
-		return true, err
+		return err
 	}
 
 	_, rules := azd.azk.GetAuthzWithRules(ctx, grantee, granter, sdk.MsgTypeURL(&banktypes.MsgSend{}))
@@ -128,25 +126,25 @@ func (azd AuthzDecorator) handleStakeAuthzRules(ctx sdk.Context, msg *stakingv1b
 			}
 
 			if !isAllowed {
-				return true, errorsmod.Wrap(sdkerrors.ErrTxDecode, "Validator is not in the allowed validators of the grant")
+				return errorsmod.Wrap(sdkerrors.ErrTxDecode, "Validator is not in the allowed validators of the grant")
 			}
 		}
 
 		if rule.Key == authztypes.AllowedMaxStakeAmount {
 			limit, err := sdk.ParseCoinsNormalized(strings.Join(rule.Values, ","))
 			if err != nil {
-				return true, err
+				return err
 			}
 			amount, err := sdk.ParseCoinNormalized(msg.Amount.String())
 			if err != nil {
-				return true, err
+				return err
 			}
 
 			if !limit.IsAllGTE(sdk.NewCoins(amount)) {
-				return true, errorsmod.Wrap(sdkerrors.ErrTxDecode, "Amount exceeds the max_amount limit set by the granter")
+				return errorsmod.Wrap(sdkerrors.ErrTxDecode, "Amount exceeds the max_amount limit set by the granter")
 			}
 		}
 	}
 
-	return false, nil
+	return nil
 }
diff --git a/x/authz/authz.pb.go b/x/authz/authz.pb.go
index 6b4a528ffd56..4af0bdcde723 100644
--- a/x/authz/authz.pb.go
+++ b/x/authz/authz.pb.go
@@ -236,50 +236,91 @@ func (m *GrantQueueItem) XXX_DiscardUnknown() {
 
 var xxx_messageInfo_GrantQueueItem proto.InternalMessageInfo
 
+// AllowedGrantRulesKeys contains the keys allowed for each message.
+type AllowedGrantRulesKeys struct {
+	Keys []*Rule `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"`
+}
+
+func (m *AllowedGrantRulesKeys) Reset()         { *m = AllowedGrantRulesKeys{} }
+func (m *AllowedGrantRulesKeys) String() string { return proto.CompactTextString(m) }
+func (*AllowedGrantRulesKeys) ProtoMessage()    {}
+func (*AllowedGrantRulesKeys) Descriptor() ([]byte, []int) {
+	return fileDescriptor_544dc2e84b61c637, []int{5}
+}
+func (m *AllowedGrantRulesKeys) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *AllowedGrantRulesKeys) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_AllowedGrantRulesKeys.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalToSizedBuffer(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (m *AllowedGrantRulesKeys) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_AllowedGrantRulesKeys.Merge(m, src)
+}
+func (m *AllowedGrantRulesKeys) XXX_Size() int {
+	return m.Size()
+}
+func (m *AllowedGrantRulesKeys) XXX_DiscardUnknown() {
+	xxx_messageInfo_AllowedGrantRulesKeys.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_AllowedGrantRulesKeys proto.InternalMessageInfo
+
 func init() {
 	proto.RegisterType((*GenericAuthorization)(nil), "cosmos.authz.v1beta1.GenericAuthorization")
 	proto.RegisterType((*Grant)(nil), "cosmos.authz.v1beta1.Grant")
 	proto.RegisterType((*Rule)(nil), "cosmos.authz.v1beta1.Rule")
 	proto.RegisterType((*GrantAuthorization)(nil), "cosmos.authz.v1beta1.GrantAuthorization")
 	proto.RegisterType((*GrantQueueItem)(nil), "cosmos.authz.v1beta1.GrantQueueItem")
+	proto.RegisterType((*AllowedGrantRulesKeys)(nil), "cosmos.authz.v1beta1.AllowedGrantRulesKeys")
 }
 
 func init() { proto.RegisterFile("cosmos/authz/v1beta1/authz.proto", fileDescriptor_544dc2e84b61c637) }
 
 var fileDescriptor_544dc2e84b61c637 = []byte{
-	// 505 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x53, 0xcb, 0x6e, 0xd3, 0x40,
-	0x14, 0x8d, 0xe3, 0xb4, 0xd0, 0xa9, 0x8a, 0xc0, 0x8a, 0x90, 0xc9, 0xc2, 0x89, 0x2c, 0x84, 0x2a,
-	0xa4, 0xd8, 0x6d, 0x61, 0xc5, 0x8a, 0x58, 0x48, 0x15, 0xec, 0x30, 0x65, 0xc3, 0x26, 0x1a, 0x27,
-	0x97, 0x89, 0x15, 0xdb, 0x63, 0xcd, 0xa3, 0xaa, 0xfb, 0x09, 0xac, 0xfa, 0x0d, 0x7c, 0x01, 0x8b,
+	// 533 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x54, 0xcb, 0x6e, 0xd3, 0x40,
+	0x14, 0x8d, 0x93, 0xb4, 0xd0, 0xa9, 0x8a, 0xc0, 0x0a, 0xc8, 0x64, 0xe1, 0x44, 0x16, 0x42, 0x15,
+	0x52, 0xec, 0xb6, 0xb0, 0x62, 0x45, 0x2c, 0xa4, 0x08, 0x58, 0x61, 0xca, 0x86, 0x4d, 0x34, 0x4e,
+	0x2e, 0x13, 0x2b, 0xb6, 0xc7, 0x9a, 0x47, 0xa9, 0xfb, 0x09, 0xac, 0xfa, 0x0d, 0x7c, 0x01, 0x8b,
 	0x7e, 0x44, 0xc4, 0xaa, 0x62, 0xc5, 0x8a, 0x47, 0xb2, 0xe0, 0x37, 0x90, 0x67, 0x6c, 0x48, 0xda,
-	0x48, 0x64, 0xc1, 0xc6, 0xf2, 0x9d, 0x7b, 0xce, 0x7d, 0x9c, 0x33, 0x83, 0x7a, 0x23, 0xca, 0x53,
-	0xca, 0x7d, 0x2c, 0xc5, 0xe4, 0xdc, 0x3f, 0x3d, 0x8c, 0x40, 0xe0, 0x43, 0x1d, 0x79, 0x39, 0xa3,
-	0x82, 0x5a, 0x6d, 0x8d, 0xf0, 0xf4, 0x59, 0x85, 0xe8, 0xdc, 0xc3, 0x69, 0x9c, 0x51, 0x5f, 0x7d,
-	0x35, 0xb0, 0xf3, 0x40, 0x03, 0x87, 0x2a, 0xf2, 0x2b, 0x96, 0x4e, 0x75, 0x09, 0xa5, 0x24, 0x01,
-	0x5f, 0x45, 0x91, 0x7c, 0xef, 0x8b, 0x38, 0x05, 0x2e, 0x70, 0x9a, 0x57, 0x80, 0x36, 0xa1, 0x84,
-	0x6a, 0x62, 0xf9, 0x57, 0x57, 0xbc, 0x4e, 0xc3, 0x59, 0x51, 0xa5, 0x9c, 0x6a, 0xee, 0x08, 0x73,
-	0xf8, 0x33, 0xf6, 0x88, 0xc6, 0x99, 0xce, 0xbb, 0x02, 0xb5, 0x8f, 0x21, 0x03, 0x16, 0x8f, 0x06,
-	0x52, 0x4c, 0x28, 0x8b, 0xcf, 0xb1, 0x88, 0x69, 0x66, 0xdd, 0x45, 0x66, 0xca, 0x89, 0x6d, 0xf4,
-	0x8c, 0xfd, 0x9d, 0xb0, 0xfc, 0x7d, 0xf6, 0xea, 0xf3, 0x65, 0xdf, 0x5d, 0xb7, 0xa3, 0xb7, 0xc2,
-	0xfc, 0xf0, 0xeb, 0xd3, 0xe3, 0xae, 0x86, 0xf5, 0xf9, 0x78, 0xea, 0xaf, 0xab, 0xee, 0x2e, 0x0c,
-	0xb4, 0x75, 0xcc, 0x70, 0x26, 0xac, 0x08, 0xed, 0xe1, 0xe5, 0x94, 0xea, 0xb8, 0x7b, 0xd4, 0xf6,
-	0xf4, 0x4a, 0x5e, 0xbd, 0x92, 0x37, 0xc8, 0x8a, 0xe0, 0xd1, 0x66, 0x23, 0x84, 0xab, 0x25, 0xad,
-	0x17, 0x08, 0xc1, 0x59, 0x1e, 0x33, 0xdd, 0xa0, 0xa9, 0x1a, 0x74, 0x6e, 0x34, 0x38, 0xa9, 0xa5,
-	0x0e, 0x6e, 0xcf, 0xbe, 0x75, 0x8d, 0x8b, 0xef, 0x5d, 0x23, 0x5c, 0xe2, 0x59, 0x07, 0x68, 0x8b,
-	0xc9, 0x04, 0xb8, 0x6d, 0xf6, 0x4c, 0x55, 0x60, 0xed, 0x20, 0xa1, 0x4c, 0x20, 0xd4, 0x40, 0xf7,
-	0x00, 0xb5, 0xca, 0xb0, 0xd4, 0x72, 0x0a, 0x45, 0xad, 0xe5, 0x14, 0x0a, 0xeb, 0x3e, 0xda, 0x3e,
-	0xc5, 0x89, 0x04, 0x6e, 0x37, 0x7b, 0xe6, 0xfe, 0x4e, 0x58, 0x45, 0xee, 0xc7, 0x26, 0xb2, 0x94,
-	0x2e, 0xab, 0x66, 0x1c, 0xa1, 0x5b, 0xa4, 0x3c, 0x05, 0xa6, 0x8b, 0x04, 0xf6, 0x97, 0xcb, 0x7e,
-	0x7d, 0xdf, 0x06, 0xe3, 0x31, 0x03, 0xce, 0xdf, 0x08, 0x16, 0x67, 0x24, 0xac, 0x81, 0x7f, 0x39,
-	0xa0, 0x36, 0xde, 0x80, 0x03, 0x37, 0xcd, 0x30, 0xff, 0xbf, 0x19, 0xcf, 0x57, 0xcc, 0x68, 0xfd,
-	0xd3, 0x8c, 0xd6, 0x75, 0x23, 0xdc, 0xa7, 0xe8, 0x8e, 0xd2, 0xe8, 0xb5, 0x04, 0x09, 0x2f, 0x05,
-	0xa4, 0x96, 0x8b, 0xf6, 0x52, 0x4e, 0x86, 0xa2, 0xc8, 0x61, 0x28, 0x59, 0xc2, 0x6d, 0x43, 0xa9,
-	0xba, 0x9b, 0x72, 0x72, 0x52, 0xe4, 0xf0, 0x96, 0x25, 0x3c, 0x08, 0x66, 0x3f, 0x9d, 0xc6, 0x6c,
-	0xee, 0x18, 0x57, 0x73, 0xc7, 0xf8, 0x31, 0x77, 0x8c, 0x8b, 0x85, 0xd3, 0xb8, 0x5a, 0x38, 0x8d,
-	0xaf, 0x0b, 0xa7, 0xf1, 0xee, 0x21, 0x89, 0xc5, 0x44, 0x46, 0xde, 0x88, 0xa6, 0xd5, 0x8b, 0xf4,
-	0x97, 0xee, 0xf0, 0x99, 0x7e, 0xe8, 0xd1, 0xb6, 0x9a, 0xef, 0xc9, 0xef, 0x00, 0x00, 0x00, 0xff,
-	0xff, 0x7b, 0x22, 0x81, 0x7c, 0x0d, 0x04, 0x00, 0x00,
+	0x08, 0xba, 0x60, 0x13, 0xcd, 0x9d, 0x7b, 0xce, 0x7d, 0x9c, 0x93, 0x31, 0xea, 0x8e, 0x28, 0x4f,
+	0x28, 0xf7, 0xb0, 0x14, 0x93, 0x13, 0xef, 0x68, 0x3f, 0x04, 0x81, 0xf7, 0x75, 0xe4, 0x66, 0x8c,
+	0x0a, 0x6a, 0xb6, 0x34, 0xc2, 0xd5, 0x77, 0x25, 0xa2, 0x7d, 0x0b, 0x27, 0x51, 0x4a, 0x3d, 0xf5,
+	0xab, 0x81, 0xed, 0xbb, 0x1a, 0x38, 0x54, 0x91, 0x57, 0xb2, 0x74, 0xaa, 0x43, 0x28, 0x25, 0x31,
+	0x78, 0x2a, 0x0a, 0xe5, 0x5b, 0x4f, 0x44, 0x09, 0x70, 0x81, 0x93, 0xac, 0x04, 0xb4, 0x08, 0x25,
+	0x54, 0x13, 0x8b, 0x53, 0x55, 0xf1, 0x22, 0x0d, 0xa7, 0x79, 0x99, 0xb2, 0xcb, 0xb9, 0x43, 0xcc,
+	0xe1, 0xf7, 0xd8, 0x23, 0x1a, 0xa5, 0x3a, 0xef, 0x08, 0xd4, 0x1a, 0x40, 0x0a, 0x2c, 0x1a, 0xf5,
+	0xa5, 0x98, 0x50, 0x16, 0x9d, 0x60, 0x11, 0xd1, 0xd4, 0xbc, 0x89, 0x1a, 0x09, 0x27, 0x96, 0xd1,
+	0x35, 0x76, 0xb7, 0x82, 0xe2, 0xf8, 0xf8, 0xf9, 0xa7, 0xb3, 0x9e, 0xb3, 0x6e, 0x47, 0x77, 0x85,
+	0xf9, 0xfe, 0xe7, 0xc7, 0x07, 0x1d, 0x0d, 0xeb, 0xf1, 0xf1, 0xd4, 0x5b, 0x57, 0xdd, 0x59, 0x18,
+	0x68, 0x63, 0xc0, 0x70, 0x2a, 0xcc, 0x10, 0xed, 0xe0, 0xe5, 0x94, 0xea, 0xb8, 0x7d, 0xd0, 0x72,
+	0xf5, 0x4a, 0x6e, 0xb5, 0x92, 0xdb, 0x4f, 0x73, 0xff, 0xfe, 0xd5, 0x46, 0x08, 0x56, 0x4b, 0x9a,
+	0x4f, 0x11, 0x82, 0xe3, 0x2c, 0x62, 0xba, 0x41, 0x5d, 0x35, 0x68, 0x5f, 0x6a, 0x70, 0x58, 0x49,
+	0xed, 0x5f, 0x9f, 0x7d, 0xed, 0x18, 0xa7, 0xdf, 0x3a, 0x46, 0xb0, 0xc4, 0x33, 0xf7, 0xd0, 0x06,
+	0x93, 0x31, 0x70, 0xab, 0xd1, 0x6d, 0xa8, 0x02, 0x6b, 0x07, 0x09, 0x64, 0x0c, 0x81, 0x06, 0x3a,
+	0x7b, 0xa8, 0x59, 0x84, 0x85, 0x96, 0x53, 0xc8, 0x2b, 0x2d, 0xa7, 0x90, 0x9b, 0x77, 0xd0, 0xe6,
+	0x11, 0x8e, 0x25, 0x70, 0xab, 0xde, 0x6d, 0xec, 0x6e, 0x05, 0x65, 0xe4, 0x7c, 0xa8, 0x23, 0x53,
+	0xe9, 0xb2, 0x6a, 0xc6, 0x01, 0xba, 0x46, 0x8a, 0x5b, 0x60, 0xba, 0x88, 0x6f, 0x7d, 0x3e, 0xeb,
+	0x55, 0xff, 0xb7, 0xfe, 0x78, 0xcc, 0x80, 0xf3, 0x57, 0x82, 0x45, 0x29, 0x09, 0x2a, 0xe0, 0x1f,
+	0x0e, 0xa8, 0x8d, 0xaf, 0xc0, 0x81, 0xcb, 0x66, 0x34, 0xfe, 0xbf, 0x19, 0x4f, 0x56, 0xcc, 0x68,
+	0xfe, 0xd3, 0x8c, 0xe6, 0x45, 0x23, 0x9c, 0x47, 0xe8, 0x86, 0xd2, 0xe8, 0xa5, 0x04, 0x09, 0xcf,
+	0x04, 0x24, 0xa6, 0x83, 0x76, 0x12, 0x4e, 0x86, 0x22, 0xcf, 0x60, 0x28, 0x59, 0xcc, 0x2d, 0x43,
+	0xa9, 0xba, 0x9d, 0x70, 0x72, 0x98, 0x67, 0xf0, 0x9a, 0xc5, 0xdc, 0x19, 0xa0, 0xdb, 0xfd, 0x38,
+	0xa6, 0xef, 0x60, 0xac, 0xc8, 0x85, 0x31, 0xfc, 0x05, 0xe4, 0xdc, 0x74, 0x51, 0x73, 0x0a, 0xb9,
+	0xe6, 0xfc, 0xdd, 0x56, 0x85, 0xf3, 0xfd, 0xd9, 0x0f, 0xbb, 0x36, 0x9b, 0xdb, 0xc6, 0xf9, 0xdc,
+	0x36, 0xbe, 0xcf, 0x6d, 0xe3, 0x74, 0x61, 0xd7, 0xce, 0x17, 0x76, 0xed, 0xcb, 0xc2, 0xae, 0xbd,
+	0xb9, 0x47, 0x22, 0x31, 0x91, 0xa1, 0x3b, 0xa2, 0x49, 0xf9, 0xb4, 0xbd, 0xa5, 0xc7, 0x70, 0xac,
+	0xbf, 0x18, 0xe1, 0xa6, 0x5a, 0xf4, 0xe1, 0xaf, 0x00, 0x00, 0x00, 0xff, 0xff, 0x44, 0xd3, 0x32,
+	0x34, 0x56, 0x04, 0x00, 0x00,
 }
 
 func (m *GenericAuthorization) Marshal() (dAtA []byte, err error) {
@@ -501,6 +542,43 @@ func (m *GrantQueueItem) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
+func (m *AllowedGrantRulesKeys) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *AllowedGrantRulesKeys) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *AllowedGrantRulesKeys) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if len(m.Keys) > 0 {
+		for iNdEx := len(m.Keys) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Keys[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintAuthz(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0xa
+		}
+	}
+	return len(dAtA) - i, nil
+}
+
 func encodeVarintAuthz(dAtA []byte, offset int, v uint64) int {
 	offset -= sovAuthz(v)
 	base := offset
@@ -607,6 +685,21 @@ func (m *GrantQueueItem) Size() (n int) {
 	return n
 }
 
+func (m *AllowedGrantRulesKeys) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if len(m.Keys) > 0 {
+		for _, e := range m.Keys {
+			l = e.Size()
+			n += 1 + l + sovAuthz(uint64(l))
+		}
+	}
+	return n
+}
+
 func sovAuthz(x uint64) (n int) {
 	return (math_bits.Len64(x|1) + 6) / 7
 }
@@ -1233,6 +1326,90 @@ func (m *GrantQueueItem) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *AllowedGrantRulesKeys) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowAuthz
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AllowedGrantRulesKeys: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AllowedGrantRulesKeys: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Keys", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuthz
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthAuthz
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthAuthz
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Keys = append(m.Keys, &Rule{})
+			if err := m.Keys[len(m.Keys)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipAuthz(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthAuthz
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func skipAuthz(dAtA []byte) (n int, err error) {
 	l := len(dAtA)
 	iNdEx := 0
diff --git a/x/authz/keeper/keeper.go b/x/authz/keeper/keeper.go
index 7220ff5c252f..c1a750576c85 100644
--- a/x/authz/keeper/keeper.go
+++ b/x/authz/keeper/keeper.go
@@ -181,13 +181,13 @@ func (k Keeper) DispatchActions(ctx context.Context, grantee sdk.AccAddress, msg
 // SaveGrant method grants the provided authorization to the grantee on the granter's account
 // with the provided expiration time and insert authorization key into the grants queue. If there is an existing authorization grant for the
 // same `sdk.Msg` type, this grant overwrites that.
-func (k Keeper) SaveGrant(ctx context.Context, grantee, granter sdk.AccAddress, authorization authz.Authorization, expiration *time.Time) error {
+func (k Keeper) SaveGrant(ctx context.Context, grantee, granter sdk.AccAddress, authorization authz.Authorization, expiration *time.Time, rules []*authz.Rule) error {
 	sdkCtx := sdk.UnwrapSDKContext(ctx)
 	msgType := authorization.MsgTypeURL()
 	store := k.storeService.OpenKVStore(ctx)
 	skey := grantStoreKey(grantee, granter, msgType)
 
-	grant, err := authz.NewGrant(sdkCtx.BlockTime(), authorization, expiration, nil)
+	grant, err := authz.NewGrant(sdkCtx.BlockTime(), authorization, expiration, rules)
 	if err != nil {
 		return err
 	}
@@ -337,6 +337,35 @@ func (k Keeper) IterateGrants(ctx context.Context,
 	}
 }
 
+func (k Keeper) SetAuthzRulesKeys(ctx context.Context, rules *authz.AllowedGrantRulesKeys) error {
+	store := k.storeService.OpenKVStore(ctx)
+
+	bz, err := k.cdc.Marshal(rules)
+	if err != nil {
+		return err
+	}
+
+	err = store.Set(AuthzOptionsKeys, bz)
+	return err
+}
+
+func (k Keeper) GetAuthzRulesKeys(ctx context.Context) (*authz.AllowedGrantRulesKeys, error) {
+	store := k.storeService.OpenKVStore(ctx)
+	bz, err := store.Get(AuthzOptionsKeys)
+
+	if err != nil {
+		return nil, err
+	}
+
+	var authzRuleKeys *authz.AllowedGrantRulesKeys
+	err = k.cdc.Unmarshal(bz, authzRuleKeys)
+	if err != nil {
+		return nil, err
+	}
+
+	return authzRuleKeys, nil
+}
+
 func (k Keeper) getGrantQueueItem(ctx context.Context, expiration time.Time, granter, grantee sdk.AccAddress) (*authz.GrantQueueItem, error) {
 	store := k.storeService.OpenKVStore(ctx)
 	bz, err := store.Get(GrantQueueKey(expiration, granter, grantee))
diff --git a/x/authz/keeper/keys.go b/x/authz/keeper/keys.go
index 120af14b652e..24e4f1428a1a 100644
--- a/x/authz/keeper/keys.go
+++ b/x/authz/keeper/keys.go
@@ -18,7 +18,7 @@ import (
 var (
 	GrantKey         = []byte{0x01} // prefix for each key
 	GrantQueuePrefix = []byte{0x02}
-	AuthzOptionsKeys = []byte{0x04}
+	AuthzOptionsKeys = []byte{0x03}
 )
 
 var lenTime = len(sdk.FormatTimeBytes(time.Now()))
diff --git a/x/authz/keeper/msg_server.go b/x/authz/keeper/msg_server.go
index 80a7ffc05cad..030acb8e64e0 100644
--- a/x/authz/keeper/msg_server.go
+++ b/x/authz/keeper/msg_server.go
@@ -3,6 +3,8 @@ package keeper
 import (
 	"context"
 	"errors"
+	"fmt"
+	"reflect"
 	"strings"
 
 	errorsmod "cosmossdk.io/errors"
@@ -52,7 +54,14 @@ func (k Keeper) Grant(goCtx context.Context, msg *authz.MsgGrant) (*authz.MsgGra
 		return nil, sdkerrors.ErrInvalidType.Wrapf("%s doesn't exist.", t)
 	}
 
-	err = k.SaveGrantWithRules(ctx, grantee, granter, authorization, msg.Grant.Expiration, msg.Rules)
+	if msg.Rules != nil {
+		err := k.VerifyTheRules(goCtx, msg.Grant.Authorization.GetTypeUrl(), msg.Rules)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	err = k.SaveGrant(ctx, grantee, granter, authorization, msg.Grant.Expiration, msg.Rules)
 	if err != nil {
 		return nil, err
 	}
@@ -60,6 +69,56 @@ func (k Keeper) Grant(goCtx context.Context, msg *authz.MsgGrant) (*authz.MsgGra
 	return &authz.MsgGrantResponse{}, nil
 }
 
+// VerifyTheRules checks the keys of rules provided are allowed
+func (k Keeper) VerifyTheRules(goCtx context.Context, msg string, rules []*authz.Rule) error {
+	registeredRules, err := k.GetAuthzRulesKeys(goCtx)
+	if err != nil {
+		return err
+	}
+
+	var values []string
+	for _, v := range registeredRules.Keys {
+		if v.Key == msg {
+			values = v.Values
+			break
+		}
+	}
+
+	if err := checkStructKeys(rules, values); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func checkStructKeys(s interface{}, allowedKeys []string) error {
+	v := reflect.ValueOf(s)
+	if v.Kind() == reflect.Ptr {
+		v = v.Elem()
+	}
+	if v.Kind() != reflect.Struct {
+		return fmt.Errorf("expected a struct, but got %s", v.Kind())
+	}
+
+	t := v.Type()
+	for i := 0; i < t.NumField(); i++ {
+		field := t.Field(i)
+		if !isAllowedKey(field.Name, allowedKeys) {
+			return fmt.Errorf("field %s is not allowed", field.Name)
+		}
+	}
+	return nil
+}
+
+func isAllowedKey(key string, allowedKeys []string) bool {
+	for _, allowedKey := range allowedKeys {
+		if key == allowedKey {
+			return true
+		}
+	}
+	return false
+}
+
 // Revoke implements the MsgServer.Revoke method.
 func (k Keeper) Revoke(goCtx context.Context, msg *authz.MsgRevoke) (*authz.MsgRevokeResponse, error) {
 	if strings.EqualFold(msg.Grantee, msg.Granter) {