A trust layer between AI agents and paid tools. Identity. Budgets. Accountability.
"Who is this agent? Can it afford this call? Who's accountable if something goes wrong?"
MCP tools charge per call. Wallets are getting attached to agents. But there's no guardrail layer — no identity, no budgets, no audit trail.
Tools receive anonymous API calls. There's no standard way to know which agent is calling, who authorized it, or what it's allowed to do.
An autonomous agent with a wallet and MCP client can drain funds with zero oversight. No per-session budgets, no per-call caps, no rate limits.
When an agent overspends or hits a malicious tool, there's no ledger to trace what happened. No audit trail means no dispute resolution.
KYA sits between the agent and every paid tool. Every call flows through it. Nothing bypasses the trust layer.
Write a simple JSON policy. The proxy does the rest — before the agent touches a single paid API.
// Policy for: coding-agent-01 { "agentId": "coding-agent-01", "owner": "asmit@example.com", "budget": { "sessionLimitCents": 500, // $5 max per session "maxPerCallCents": 50, // $0.50 max per call "dailyLimitCents": 2000 // $20 max per day }, "tools": { "allowlist": [ "web_search", "code_executor", "github_api" ], "blocklist": [ "crypto_trading" // never ] }, "rateLimit": { "callsPerMinute": 10, "callsPerHour": 200 } }
// Incoming: tools/call { name: "web_search" } → VERIFY IDENTITY token: jwt.verify(bearer) ✓ owner: asmit@example.com agentId: coding-agent-01 → CHECK POLICY tool "web_search" in allowlist ✓ call cost 12¢ < max 50¢ ✓ session: 143¢ + 12¢ < 500¢ ✓ rate: 3 calls/min < 10 ✓ → RESERVE BUDGET session: 143¢ → 155¢ (reserved) → FORWARD TO UPSTREAM POST tools.example.com/search // HTTP 402 — x402 payment required → HANDLE x402 price: 12¢ USDC on base wallet: 2847¢ → 2835¢ receipt: 0xabc...def ✓ → RETRY WITH PAYMENT → 200 OK → LOG TO LEDGER sessionId, agentId, tool, cost, duration, status: OK ✓
JWT-based agent tokens link every agent to a human owner. Tools don't see an anonymous API call — they see "this is Asmit's coding agent, authorized to spend up to $10." Verifiable without a DB round-trip. Expirable. Carries permissions.
JWT · HS256 · Bearer tokensPer-agent JSON policies. Session budgets, per-call cost caps, tool allowlists/blocklists, rate limits. A human defines what the agent can and can't do — before it ever starts. The proxy enforces these rules on every single call.
JSON policies · Rule evaluation · Zero-trustIn-memory session state. Tracks total spend, per-tool breakdown, call velocity. Atomic reserve-before-call pattern: reserves budget before the upstream call, refunds if it fails. Prevents concurrent overspend even under parallel agent calls.
Atomic reserves · Concurrent-safe · Per-tool breakdownSQLite audit trail. Every tool call logged: agent ID, tool name, cost, whether it was blocked and why, upstream response time. Full accountability chain. If an agent overspends, you can trace exactly what happened — the foundation for dispute resolution.
SQLite · WAL mode · Full audit trailThe proxy handles HTTP 402 payment challenges automatically. Parses the challenge, checks the agent's policy and wallet balance, pays on behalf of the agent, retries. The agent is completely payment-unaware — it just makes tool calls.
HTTP 402 · USDC · Base chain · Auto-retryPer-agent wallets with balances, debits, credits, and transaction history. Different agents get different trust levels — your research bot gets $20/day, a new untested agent gets $0.50. The trust boundary between who has money and who can spend it.
Per-agent balances · Full tx history · Scoped trustA human should be able to glance and know: are my agents behaving? Auto-refreshes every 5 seconds.
| Agent | Calls | Spend |
|---|---|---|
| coding-agent-01 | 312 | $9.44 |
| research-bot | 401 | $11.20 |
| data-scraper | 134 | $3.53 |
Built in a day as a proof-of-concept to work through the identity + accountability gap in agentic payments. ~700 lines of TypeScript. Bun + Hono + SQLite.
← Back to asmit.space