The control plane for agent money-movement.

Your agent moves money.
AgentGuard says yes first.

The neutral gate an autonomous agent passes before it issues a refund, credit, or charge.

No money-moving tool runs without a signed, content-free authorization. The model never holds the keys, your data never leaves your runtime, and every action settles to a receipt anyone can verify.


Verifiable by design

Now: workflow-level caps

Hard budget caps for multi-day agent runs.

A three-day workflow can burn through tokens before anyone notices the loop. AgentGuard gives the run one budget envelope, resumable checkpoints, and a receipt chain validated before continuing.


For developers

Prefer the SDK path?

Use the same runtime locally: Node, Python, or the browser verifier. Build governed AI agents in 60 seconds. No terminal, no code for the owner flow.

Powered by OpenRouter. Works with OpenAI, Anthropic, Bedrock, and any OpenAI-compatible endpoint.

Outcomes, not tokens

Each outcome gets the cheapest capable model and effort.

AgentGuard maps law, accounting, insurance, real estate, and e-commerce outcomes to model and reasoning-effort routes built from the live OpenRouter catalog. Extraction, reconciliation, claim drafting, and reviewer checks do not need the same model or effort.

High-stakes steps can require a second pass: a configurable rule escalates to a higher-effort review before the action is allowed.

New models ship every week. AgentGuard re-prices against the live OpenRouter catalog daily, routes to the cheapest capable model and effort, and blocks China-origin weights for regulated verticals. You do not chase models. The router does, and the origin block holds.

law.medical_chronology -> low effort drafter
insurance.policy_variance -> high effort reviewer
ecommerce.fba_claim -> draft plus reviewer
Caps still win. Downgrade or block happens before dispatch.
In production. Patent-backed.
Live in production · 6 US provisional patents filed 2026 · Public on npm + PyPI
agentguard · verify
$ agentguard verify --trace latest
action     payment:initiate
agent      agw-prod-watchdog-v20
amount     $142.50 / cap $500.00
timestamp  2026-05-21T19:42:31.004Z
────────────────────────────────────────────
signature  ed25519:a3f2b1c9d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1
chain      sha256:9e4d8fa2b3c1d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0
  Signature valid
  Spend cap not exceeded
  Receipt chain integrity verified
  Receipt tamper-evident
What the market is calling for

Approval flows. Audit logs. Easy rollback.

The runtime layer your super-agent's forward-deployed engineer is missing. Agents make a billion requests in three seconds. AgentGuard is the verification chain, the spend cap, and the kill switch that lets a human stay in the loop without being in the loop.

Patent D · 63/984,626
Approval flows
Every agent action routes through a signed human gate. Per-tool, per-spend, per-cross-domain. Capability escalation is attestation-gated.
DV-2026-006 · 64/071,789
Audit logs
Cryptographic DAG attestation. Multi-party signed. Tamper-evident. Cryptographically verifiable across domains, with selective disclosure for external verifiers.
DV-2026-005 · 64/071,781
Easy rollback
Per-agent spend caps plus kill switches. Capability gating fails closed when the budget hits zero. Every breach produces a signed receipt.
“Agents make a billion requests in three seconds, so you need approval flows, inboxes that summarize what happened, logs, and easy rollback.” — Dan Shipper · Every podcast · May 2026
What it does

Six guardrails. One SDK.

Every AI agent call your code makes runs through the same wrapper. Here's what it does before the provider sees the request.

01 · Sign
Every agent action gets an Ed25519 signature and a hash-chained sequence number.
02 · Block
Runaway spend is stopped before the provider is called. Your API key never sees the request.
03 · Route
Calls auto-downgrade to a cheaper model as caps approach, instead of hard-blocking.
04 · Gate
Capability tiers (read · write · payment) gate what an agent is even allowed to attempt.
05 · Log
Every decision appends to a tamper-evident chain. Filesystem, Redis Streams, or Postgres.
06 · Verify
Any receipt verifies in two lines of code. Auditors, regulators, buyers all check the same way.

Zero data plane.


⚠ THE PROBLEM

"An AI consultant tells Axios one of their clients recently spent half a billion dollars in a single month after failing to put usage limits on Claude licenses for employees."

⬡ THE ANSWER

AgentGuard® ships the Kill Switch with every Solo license.

One command. Every AI agent action across your runtime, halted instantly. Signed receipt logged. Telegram notification posted. Provider never charged. The off-button the half-billion-dollar client should have had.

terminal · kill-switch.sh
$ agentguard kill-switch on
🛑 KILL SWITCH ACTIVATED
   All AI agent calls refused. Provider never charged.
   Receipt #ag_ks_1a4f signed and logged.
   Notification posted to AgentGuard HQ Telegram.

   Re-enable with: agentguard kill-switch off

Stop runaway AI spend. Before the provider charges you.

AgentGuard wraps your provider SDK. Every call is intercepted, projected cost is computed, and the call is blocked before dispatch if it would exceed your cap. The provider never sees the request. The provider never charges you.

HOW IT WORKS

Watch outcome-based AI governance in action
with two queries and one verified audit log.

Request access via Visa CLI as a paid AgentGuard merchant endpoint.
LIVE FLOW
session $0.20
policy ~/.agentguard/policy.yaml  ·  posture compliance  ·  scope tenant=acme-law
> Redline this NDA from Acme Corp.
· capability data_write  · model claude-sonnet-4.6  · $0.08  → contract_redlined
indemnification clause (§7.2) limits to $1M — recommend $5M floor
✓ settled $0.08  ·  receipt ag_8af4d2c1
> Run a research memo on California Civil Code §1102 disclosures.
· capability read_only  · model claude-opus-4.7  · $0.10  → research_memo_delivered
California §1102 TDS required on all residential transfers; wildfire-zone updates per AB 38 apply to any property in or adjacent to a state-mapped fire hazard severity zone.
✓ settled $0.10  ·  receipt ag_8af5e019
> Show me the matter-2026-005 audit log so far today.
· query_audit_log  ·  matter-2026-005  ·  $0.02  →  3 outcomes, all receipts verified
OUTCOME                  CAP    SPENT  RECEIPT  VERIFIED
contract_redlined        $2.00  $0.08
research_memo_delivered  $3.00  $0.10
audit_log_queried        $0.10  $0.02
✓ settled $0.02  ·  audit log  ·  receipt ag_8af6f72d
attempted · authorized · cost · succeeded · one signed receipt per outcome

Works with OpenAI, Anthropic, Bedrock, LangChain, CrewAI, Vercel AI SDK, Hermes, OpenClaw, and any framework where you bring your own provider client. Node: npm install @agentguard-run/spend · Python: pip install agentguard-spend

supported frameworks
OpenAI SDK · Anthropic SDK · AWS Bedrock · LangChain.js / LangGraph.js · Hermes · OpenClaw · CrewAI · LlamaIndex · LangChain Python · OpenAI Python SDK · Anthropic Python SDK · Vercel AI SDK (soon) · Mastra (soon) · Inngest (soon) · AutoGen (soon)
Node SDK: npm install @agentguard-run/spend · Python SDK: pip install agentguard-spend · Cross-language byte-identical canonical JSON + Ed25519 signatures.
built for AI assistants too

Don't know how to wire it up? Let your AI do it.

Paste the prompt below into Claude, GPT, Cursor, Cline, Continue, Devin, or any AI coding assistant. The assistant reads agentguard.run/llms.txt and generates the integration code for your specific provider and framework.

Please read https://agentguard.run/llms.txt and help me integrate AgentGuard Spend (the local-runtime AI spend governance SDK) into my codebase. After reading the doc, ask me which AI provider I'm using (OpenAI / Anthropic / Bedrock) and which framework (LangChain / CrewAI / Hermes / OpenClaw / Vercel AI SDK / custom), then generate the wiring code with per-agent and per-day hard spend caps and signed receipts for blocked actions.
view /llms.txt ~10KB markdown · full SDK reference + integration recipes

Built for teams sharing one provider account.

Your team has one Anthropic or OpenAI account. Five engineers using it. One Claude Code session burned through the month's budget last week. AgentGuard adds per-user spend caps on the same API key, with signed receipts that show exactly who spent what.

scope hierarchy
tenant
└─ team
   └─ user
      └─ agent
         └─ task

Caps stack at any level. Most-specific wins when multiple apply. Every decision is Ed25519-signed and bound to the scope key, so the audit log shows the exact agent + user + team that triggered each block.

example caps · one acme-corp account
alice · $50 / day
bob · $50 / day
carlos · $200 / day
finance-bot · $200 / day
research-team · $1,000 / month
acme-corp (tenant ceiling) · $5,000 / month
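
One way to evaluate stacked caps before dispatch, added here as an illustration; it is not AgentGuard's code or API. It reads "caps stack, most-specific wins" as: every cap on the scope path is checked, and a block is attributed to the most specific exceeded scope. Assumptions: the function and field names, alice's membership of research-team, failing closed when no cap matches, and leaving each cap's time window to the caller.

```python
SCOPE_ORDER = ("tenant", "team", "user", "agent", "task")  # least to most specific

# Constructed from the page's example caps, in integer cents. Placing alice in
# research-team is an assumption; each cap's time window is left to the caller.
CAPS = {("tenant", "acme-corp"): 500_000,
        ("team", "research-team"): 100_000,
        ("user", "alice"): 5_000}

def check_and_reserve(path, caps, spent, projected_cents):
    """Decide before dispatch. path maps level -> name; spent maps
    (level, name) -> cents used in that cap's current window."""
    if not isinstance(projected_cents, int) or projected_cents < 0:
        return {"verdict": "block", "scope": None, "reason": "invalid_cost"}
    keys = [(lvl, path[lvl]) for lvl in SCOPE_ORDER
            if lvl in path and (lvl, path[lvl]) in caps]
    if not keys:  # assumption: fail closed when no cap covers the path
        return {"verdict": "block", "scope": None, "reason": "no_cap"}
    exceeded = [k for k in keys if spent.get(k, 0) + projected_cents > caps[k]]
    if exceeded:  # nothing is reserved at any level when any level refuses
        return {"verdict": "block", "scope": exceeded[-1], "reason": "cap_exceeded"}
    for k in keys:  # reserve at every level only after all checks pass
        spent[k] = spent.get(k, 0) + projected_cents
    return {"verdict": "allow", "scope": None, "reason": "within_caps"}

def demo():
    path = {"tenant": "acme-corp", "team": "research-team", "user": "alice"}
    spent = {("user", "alice"): 4_900, ("team", "research-team"): 99_950}
    first = check_and_reserve(path, CAPS, spent, 50)    # fits every cap
    second = check_and_reserve(path, CAPS, spent, 60)   # exceeds team and user
    return first, second, dict(spent)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

A blocked call leaves every counter untouched, so a refusal at one level never consumes budget at another.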
who this is for
Solo founders running Hermes, OpenClaw, or any custom orchestrator overnight on a personal Anthropic key.
SMBs with 2-20 employees sharing one Claude Teams or OpenAI Workspace account.
Agencies running 10+ client agents on one provider key, where one client's runaway loop eats the agency's margin.
Engineering teams where every IC has Cursor or Claude Code open all day and nobody can attribute spend back to specific projects.

6 · US patent provisionals filed · Feb 17, 2026 + May 21, 2026
4 · Reduction-to-practice deployments · licensed + internal stacks
Zero · Customer records stored · zero data plane by design
Registered · AgentGuard® US trademark · USPTO Serial 99462472 · Class 042
npm + PyPI · Live on both registries · cross-language byte parity
<50ms · Per-call signed-verdict latency budget · sub-50ms p95

Part of the broader AgentGuard® portfolio

AgentGuard Spend is the live primitive in a broader AgentGuard agent-compliance roadmap, alongside Trace (cryptographic provenance), KYA (Know Your Agent), an LLM firewall, and the Kill Switch.


Overview

Tamper-evident by design.

Every agent action is Ed25519-signed at execution time. No database admin, infrastructure operator, or post-hoc modification can forge or alter a signed receipt. Orchestration platforms store mutable database rows; AgentGuard signs each decision so the audit trail survives any database write.
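
The hash-chaining half of the Sign and Log steps and of the paragraph above, as an added example; it is not AgentGuard's code or receipt format. The record fields and the all-zero genesis value are assumptions, and the Ed25519 signature is left out so the block runs on the standard library alone.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # constructed "previous hash" for the first receipt

# Constructed sample decisions; field names are hypothetical. Amounts are
# integer cents so every language serializes them to the same bytes.
SAMPLE = [
    {"action": "payment:initiate", "amount_cents": 14250, "verdict": "allow"},
    {"action": "refund:issue", "amount_cents": 60000, "verdict": "block"},
    {"action": "credit:apply", "amount_cents": 900, "verdict": "allow"},
]

def canonical(obj):
    """Deterministic bytes: sorted keys, no whitespace, UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def append_receipt(chain, decision):
    """Bind a decision to its sequence number and to the previous receipt."""
    body = {"seq": len(chain), "decision": decision,
            "prev": chain[-1]["hash"] if chain else GENESIS}
    chain.append({**body, "hash": hashlib.sha256(canonical(body)).hexdigest()})

def verify_chain(chain, expected_head=None):
    """Return (ok, index of first bad receipt). expected_head is a head hash
    stored or signed outside the log; without it truncation goes unnoticed."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: rec.get(k) for k in ("seq", "decision", "prev")}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        if rec.get("seq") != i or rec.get("prev") != prev or rec.get("hash") != digest:
            return False, i
        prev = digest
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None

def demo():
    chain = []
    for decision in SAMPLE:
        append_receipt(chain, decision)
    head = chain[-1]["hash"]
    edited = copy.deepcopy(chain)
    edited[1]["decision"]["verdict"] = "allow"   # flip a block after the fact
    return {"intact": verify_chain(chain, head),
            "edited": verify_chain(edited, head),
            "truncated": verify_chain(chain[:2]),
            "truncated_anchored": verify_chain(chain[:2], head)}
```

The truncated log passes the internal check and fails only against the anchored head. A bare hash chain detects edits but not removal of the tail or a full rewrite, so the head must be signed or held by a party that cannot write to the log.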

Framework agnostic.

Works with LangChain, Claude Code, Cursor, Vercel AI SDK, Anthropic SDK, OpenAI SDK, Bedrock, Hermes, OpenClaw, or any custom stack. AgentGuard operates at the SDK layer, below orchestration. One install, no platform lock-in.

Spend caps with signed receipts.

Per-agent financial limits enforced at the SDK level, not the application layer. Each cap check produces a signed, verifiable receipt. Verifiable by reviewers, investors, and compliance teams.

DAG trust chain.

Multi-agent workflows produce a cryptographically linked attestation graph. Every hop is independently verifiable. No central authority required. Holds up to external audit without trusting the database.


The ecosystem.

Spend SDK · Live
AgentGuard Spend

Local-runtime spend caps and capability-gated model routing. Wraps OpenAI, Anthropic, and Bedrock SDKs. Hard caps per agent, user, team, and day. Ed25519-signed, hash-chained receipts. No data plane involvement.

npm install @agentguard-run/spend →
Audit · In production
AgentGuard Trace

Signed, tamper-evident audit trail for any agent stack. Ed25519 receipts chain across turns and agents via DAG attestation. Cannot be altered post-execution, even by the infrastructure operator.

Chargeback SDK · Public
AgentGuard CB

Open-source chargeback receipt package compiler for Stripe / Visa CE 3.0 disputes. MIT-licensed npm package. Builds signed receipt packages locally, never submits, never proxies. Sibling to Spend in the AgentGuard family.

npm install @merchantguard/agentguard-cb →

In production.

Internal infrastructure
Autonomous operations stack

14 custom agent skills managing Dunecrest's production properties without human intervention. 5 scheduled jobs run continuously: infrastructure health monitoring, CVE scanning across active repos, patent-evidence harvesting, shadow QA verification, and cloud billing audit. The same agent architecture that ships in the AgentGuard SDK, running on our own stack.

14 agent skills · 5 cron jobs · 5 production properties · Launchd gateway

Live DAG attestation.

Multi-agent workflows produce a cryptographically linked attestation graph.
Every hop is independently verifiable. No operator can forge a valid Ed25519 signature.

[Diagram: attestation DAG]
Nodes: user-intent (agent prompt · capability claim); kya (identity · OPRF cross-platform lookup); screening (OFAC · LLM firewall · sanctions); signer (capability gate · ed25519 attestation)
Receipts: kya · ed25519:a3f2·· ✓; screen · ed25519:7c91·· ✓; kya→sig · ed25519:f44b·· ✓; scr→sig · ed25519:2d08·· ✓
chain ✓ 4 receipts · tamper-evident

START NOW

Three ways to ship your first signed receipt.

90 seconds to your first verified outcome. Bring your own provider key. Zero data plane. Free under 10K enforcement calls/month.

FREE TIER

Install the SDK

Local-runtime spend caps + Ed25519 receipts. Wraps OpenAI, Anthropic, Bedrock, OpenRouter. Free under 10K enforcement calls/month.

npm install @agentguard-run/spend
NEW
VIA VISA CLI

Let your agent buy it

AgentGuard is a Visa CLI Merchant Registry applicant. Agents with a card on file buy a license autonomously and gain receipts immediately.

visa-cli buy agentguard.run/api/x402/license?tier=solo
ENTERPRISE / IP

Talk to our intake team

For bulk seats, vertical certifications, or custom security postures, reach our intake team.

[email protected]