Spending caps, allowlists, and human-in-the-loop policy engine.
Put guardrails around what autonomous agents can spend and call — before money moves on chain or a paid API runs. Budgets are enforced in the kit; signing, allowlists, and approvals stay where custody belongs: your app and your users.
Cap kit spend. Gate external calls. Keep humans in the loop.
Configure per agent via PATCH /agents/:id/spend-policy. Stored on the agent as metadata.spendPolicy. Evaluated before every paid kit tool runs — before x402 payment is requested or verified.
Per-agent fields
enabledTurn policy on or off for this agent
budgetUsdMaximum spend in USD for the period (e.g. "5.00")
perioddaily or monthly (UTC windows)
hardBlockWhen false, over-budget calls are logged but allowed (advisory); when true (default), calls are denied
Global operator controls
SPEND_POLICY_ENABLEDMaster switch (default false); must be true for any per-agent policy to enforce
SPEND_POLICY_DRY_RUNLog would-be denials but allow the call (staging / rollout without blocking users)
When a call exceeds budget, MCP returns a Spend Policy Denied error with structured data:
reason — budget_exceeded or invalid_policy_configmessage — Human-readable explanation for UI and alertslimitUsdMicros, spentUsdMicros, remainingUsdMicros — Structured limits for agents and dashboardsAfter successful paid kit tool settlement, spend is recorded in agent_spend_ledger so the next call sees accurate period totals.
Today: get_token_price ($0.001 per call). Any tool with a fixed price in its descriptor goes through: evaluate budget → payment required → verify → execute → settle → ledger entry.
paid_fetch uses whatever price the external x402 resource demands. Spend policy does not cap those amounts. Use Discovery Layer filters (maxUsdPrice, network, asset) and your own app rules before the agent calls paid_fetch.
transfer builds unsigned transactions only. The kit does not sign, broadcast, or enforce recipient allowlists or transfer spend limits. Response includes policy.allowlistEnforced: false — custody and approval stay in the wallet or your signing service.
Set PAID_FETCH_HOST_ALLOWLIST to comma-separated hostnames. When configured, paid_fetch may only call those HTTPS hosts — blocking drive-by URLs from prompts or tool hallucinations. Private and local hosts are always blocked.
discover_services supports maxUsdPrice, payTo, network, asset, and scheme so agents only see catalog entries that match your platform's economic and network rules — before any payment is attempted.
Transfer recipients and high-value payouts are not hard-coded in the kit. Recommended pattern: your backend or UI validates to addresses against an allowlist before signing the unsigned tx returned by transfer.
REST and MCP validate credentials per app and agent. Per-agent API keys are 1:1 with agent rows; application keys require agent_id scoping for multi-customer platforms. Baseline trust — isolation before policy.
The kit does not replace your approval UI — it creates natural pause points.
transfertransfer returns intent, unsigned transaction, and preflight suggestions. Nothing hits chain until your user or signing service approves — perfect for review amount and recipient flows in mobile or dashboard.
payment requiredPaid kit tools and paid_fetch first return payment requirements. The host must obtain a signature (wallet, smart account, or delegated signer) before retrying with paymentPayload. Insert confirmation modals, step-up auth, or parent approval between probe and pay.
spend deniedWhen budget is exceeded, the agent receives a clear denial — not a silent failure. Surface remaining budget in your UI and offer request higher limit or human override workflows outside MCP.
dry-runRoll out policies in observe-only mode: SPEND_POLICY_DRY_RUN=true globally or hardBlock: false per agent. Log violations, alert operators, train models — then flip to hard block when ready.
Set SPEND_POLICY_ENABLED=true in your deployment.
PATCH /agents/:id/spend-policy with enabled, budgetUsd, period, and optional hardBlock.
On tools/call (e.g. get_token_price), the router: (1) loads metadata.spendPolicy for the session agent, (2) sums agent_spend_ledger for the current daily or monthly UTC window, (3) compares projected spend (spent + tool price) to budgetUsd, (4) denies the request or continues to x402 payment flow.
Ledger records the spend in agent_spend_ledger (tool name, amount, request key, settled timestamp). Duplicate request keys are skipped idempotently. Remaining budget updates for the next call in the same period.
Policy failures return machine-readable limits and remaining budget so agents and UIs can explain why and recover gracefully.
Fixed kit tool prices are enforceable pre-payment. Variable third-party prices are steered via discovery and app policy — not guessed in the router.
No signing keys in the service. Trust for transfers and large payments is composable: kit prepares, you approve and sign.
Global flag for rollout; per-agent budgets for tenant/customer segmentation; dry-run and advisory hardBlock for safe adoption.
requestKey deduplication prevents double-counting when clients retry payments.
Policy runs inside tools/call — same MCP session as balance and discovery. Payment Required and Spend Policy Denied errors are first-class JSON-RPC responses for hosts to handle.
On-chain ERC-8004 identity proves who the agent is; spend policy limits what that agent can spend through kit-priced tools in a period.
maxUsdPrice and payTo filters are the trust front-door for external APIs. paid_fetch host allowlist is the trust back-door for which hosts may be called.
x402 verify/settle happens after spend policy passes (for kit tools). Ledger ties policy to actual settled micropayments, not estimates.
Cap kit tool spend, gate external calls with allowlists, keep humans in the loop for value that moves on chain.
MCP trust-related responses: Payment Required — approve or sign, then retry with paymentPayload. Spend Policy Denied — see error.data.spendPolicy for limits and remaining budget.
PATCH /agents/{agentId}/spend-policy
Authorization: X-API-Key (application key)
{
"enabled": true,
"budgetUsd": "5.00",
"period": "daily",
"hardBlock": true
}Transfer note: enforce recipient allowlists and transfer limits in your app before signing unsigned transactions from the transfer tool.
No. Set SPEND_POLICY_ENABLED=true globally, then configure each agent via PATCH /agents/:id/spend-policy.
Not by dollar amount. Use discover_services maxUsdPrice and PAID_FETCH_HOST_ALLOWLIST; add app-level approval before payment retry.
No. transfer is unsigned-only with no kit allowlist. Enforce limits and recipient rules in your signing flow.
Ledger sums use UTC period starts (calendar day or first of month). Spend resets automatically for the new window.
Yes. Use SPEND_POLICY_DRY_RUN=true globally or hardBlock: false per agent for advisory-only mode.
Cap what agents can spend on kit tools. Gate what they can call. Keep humans in the loop for everything that moves real value.