Your AI agents are spending money.
Who's watching?
ActionFence is an AI action firewall that sits in front of your MCP servers and APIs. One JSON policy. Spend caps. Signed receipts. Zero trust by default.
```typescript
import { withGuard } from 'actionfence';

withGuard(server, {
  policy: './guard-policy.json',
});
// Guarded.
```
Agents can book flights, delete databases, and drain your Stripe balance — often before you even know it happened.
Runaway Spending
An agent told to "book the best flight" books 200 hotel rooms instead. Per-call limits aren't enough — smart agents fragment $500 into 100 × $5 transactions.
No Audit Trail
"Who authorized this $2,300 charge?" Without cryptographic receipts, you have no proof of what happened, when, or why.
Honor-System Security
Most "AI safety" tools rely on the agent behaving correctly. Client-side enforcement is a suggestion, not a guarantee.
One line of code.
Three layers of defense.
Define your policy
Write a guard-policy.json that declares which actions are allowed, spend limits, identity requirements, and rate limits.
Wrap your server
One call to withGuard() or guard() intercepts every tool invocation and runs it through the full policy pipeline — before your handler executes.
Every decision is receipted
Hash-chained, HMAC-signed, append-only receipts stored in SQLite or PostgreSQL. Tamper-evident proof of every allow and every block.
Everything you need to govern AI actions. Nothing you don't.
JSON Policy Engine
Declarative rules in guard-policy.json. Allow, deny, require identity, set spend caps — all in one file. Supports wildcard matching (book_*) and hot-reload on change.
Multi-Layer Spend Caps
Per-action, Session, Daily, Rolling Window, and Global Circuit Breaker. Stop death-by-a-thousand-cuts. A 60-minute rolling window catches fragmented micro-spending that per-call limits miss.
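The following constructed evaluator, added here as an illustration and not ActionFence's own code, shows why a rolling-window cap catches the fragmentation described above when a per-call cap alone does not. The `policy` object shape, the `evaluate` function and the dollar figures are assumptions; this page does not specify the real guard-policy.json schema.

```javascript
const HOUR_MS = 60 * 60 * 1000;

// Hypothetical policy shape, constructed for this example; the real guard-policy.json format may differ.
const policy = {
  default: 'deny', // no matching allow rule means the call is blocked
  rules: [{ action: 'book_*', effect: 'allow', perCallCap: 50, rollingCap: 200, windowMs: HOUR_MS }],
};

// Trailing-'*' wildcard, as in the page's "book_*" example.
function matchesAction(pattern, action) {
  if (!pattern.endsWith('*')) return pattern === action;
  return action.startsWith(pattern.slice(0, -1));
}

// Amount already spent under `pattern` within the rolling window ending at `now`.
function windowSpend(ledger, pattern, windowMs, now) {
  return ledger
    .filter((e) => matchesAction(pattern, e.action) && now - e.at < windowMs)
    .reduce((sum, e) => sum + e.amount, 0);
}

// Default-deny evaluation. `ledger` is an in-memory list of { action, amount, at } standing in
// for the spend store; an allowed call is appended so later calls see it in their window.
function evaluate(policy, ledger, action, amount, now) {
  const rule = policy.rules.find((r) => matchesAction(r.action, action));
  if (!rule || rule.effect !== 'allow') return { allowed: false, reason: 'default-deny' };
  if (rule.perCallCap !== undefined && amount > rule.perCallCap) {
    return { allowed: false, reason: 'per-call-cap' };
  }
  if (rule.rollingCap !== undefined &&
      windowSpend(ledger, rule.action, rule.windowMs, now) + amount > rule.rollingCap) {
    return { allowed: false, reason: 'rolling-cap' };
  }
  ledger.push({ action, amount, at: now });
  return { allowed: true, reason: 'allow' };
}

// Fragmentation scenario: 100 x $5 bookings inside one hour. Every call clears the $50
// per-call cap on its own; the $200/hour rolling cap blocks from the 41st call onward.
function fragmentationDemo() {
  const ledger = [], results = [], start = Date.now();
  for (let i = 0; i < 100; i++) results.push(evaluate(policy, ledger, 'book_hotel', 5, start + i * 1000));
  return {
    allowed: results.filter((r) => r.allowed).length,
    firstBlockedCall: results.findIndex((r) => !r.allowed) + 1,
    firstBlockReason: results.find((r) => !r.allowed).reason,
    unknownAction: evaluate(policy, ledger, 'delete_database', 0, start).reason,
  };
}
console.log(fragmentationDemo()); // { allowed: 40, firstBlockedCall: 41, firstBlockReason: 'rolling-cap', unknownAction: 'default-deny' }
```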
Identity & JWT Verification
Three tiers: anonymous → token → verified. Built-in JWKS verification.
Signed Receipt Chain
Cryptographic proof of every decision. HMAC-SHA256 signed. Hash-chained.
Rate Limiting
Sliding window rate limiter with per-agent tracking. Prevents loops.
Simulation Mode
Dry-run everything before it's real. See policy result and spend impact.
Human Approval Webhook
Pause. Ask a human. Then proceed. High-value actions can trigger an onApprovalRequired callback with a 30-second timeout.
Schema Drift Detection
Pin tool schemas with SHA-256 hashes. ActionFence alerts you when an MCP server silently changes its tool definitions.
60 seconds to integrate. We mean it.
```typescript
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
import { withGuard } from 'actionfence';

const server = new McpServer({ name: 'my-server', version: '1.0.0' });

// One line. That's the entire integration.
withGuard(server, {
  policy: './guard-policy.json',
  identityReaderOptions: {
    jwksUri: 'https://issuer.example/.well-known/jwks.json',
    issuer: 'https://issuer.example',
    audience: 'bookflight-mcp',
  },
});

// Register tools as normal — ActionFence wraps them automatically
server.registerTool('book_flight', {}, async () => {
  return { content: [{ type: 'text', text: 'Booked!' }] };
});
```
Server-side enforcement. Not a client-side suggestion.
- [X] Policy lives on the client
- [X] Agent can read and modify rules
- [X] "Please don't do bad things" approach
- [X] No proof anything happened
- [+] Policy lives on YOUR server
- [+] Agent never sees guard-policy.json
- [+] All tool calls pass through middleware
- [+] Signed receipts prove every decision
- [+] Default rule: deny. Allowlist only.
Every decision leaves a cryptographic trail.
Hash-chained
Each receipt references the previous one. Deleting or modifying breaks the chain.
HMAC-SHA256 signed
Tampered receipts instantly fail signature verification.
Append-only
New receipts only. No updates. No deletes.
Verifiable
ReceiptStore.verifyChain() validates the entire chain in one call.
Redactable
Sensitive fields stripped before storage without breaking hash integrity.
Built for anyone giving AI agents real-world permissions.
MCP Server Developers
You build MCP tools that book flights, manage calendars, or query databases. ActionFence ensures no agent overspends, over-queries, or accesses unauthorized tools.
API Providers
Your REST API is consumed by AI agents. Drop in guard() middleware to enforce spend caps, rate limits, and identity checks on every request — without changing your route handlers.
Enterprise / Compliance
You need an audit trail for every AI-initiated action in your system. Signed receipts provide tamper-evident proof for compliance, incident response, and regulatory reporting.
Solo Developers
You're one person shipping an MCP server. npm install actionfence. Write a policy. Done. No enterprise gateways. No container networking. No vendor lock-in.
What changes when you add ActionFence
- [-] Any agent can call any tool
- [-] No spending visibility
- [-] No identity verification
- [-] No audit trail
- [-] Find out about issues from your invoice
- [-] "I hope the agent behaves"
- [-] Zero configuration for safety
- [+] Actions governed by JSON policy
- [+] Per-action, session, daily, and rolling-window spend caps
- [+] Three-tier identity system with JWKS JWT verification
- [+] Hash-chained, signed receipts for every decision
- [+] Real-time rate limiting and circuit breaker protection
- [+] Server-side enforcement — agents can't bypass it
- [+] One JSON file. One line of code.