Proof of Concept / MCP Proxy / ~700 lines of TypeScript

TORII

Know Your Agent

A trust layer between AI agents and paid tools so you always know who's spending what, and why.

"Which agent made this call? Can it actually afford it? And who's on the hook if things go sideways?"

Agents can spend freely.
Nobody's watching.

MCP tools charge per call. Wallets are getting attached to agents. But there's no guardrail layer. No identity, no budgets, no audit trail.

🪪

No Identity

Tools just see anonymous API calls. There's no way to tell which agent is calling, who authorized it, or what it should be allowed to do.

💸

No Spending Controls

Give an autonomous agent a wallet and an MCP client and it can drain funds with zero oversight. No session budgets, no per-call caps, no rate limits.

🔍

No Accountability

When an agent overspends or calls something it shouldn't, there's no record of what happened. Without an audit trail, there's no way to resolve disputes.


One proxy. Three guarantees.

Torii sits between the agent and every paid tool. Every call goes through it, no exceptions.

Agent (Claude · GPT · Custom; any MCP client)
  → tool call →
Torii Proxy
  ① Verify identity
  ② Check policy
  ③ Reserve budget
  ④ Handle x402 payment
  ⑤ Log to ledger
  → authorized →
Paid Tools (web_search · code_exec · data_api · premium_llm)

Think of Stripe as the bank. Torii is the expense policy. Your agents have wallets, but the company still sets spending limits and approval workflows.
A human defines the rules.
The proxy enforces them.

You write a simple JSON policy. The proxy handles the rest before the agent touches a single paid API.

agent_policy.json
// Policy for: coding-agent-01
{
  "agentId": "coding-agent-01",
  "owner": "asmit@example.com",

  "budget": {
    "sessionLimitCents": 500,   // $5 max per session
    "maxPerCallCents": 50,     // $0.50 max per call
    "dailyLimitCents": 2000    // $20 max per day
  },

  "tools": {
    "allowlist": [
      "web_search",
      "code_executor",
      "github_api"
    ],
    "blocklist": [
      "crypto_trading"  // never
    ]
  },

  "rateLimit": {
    "callsPerMinute": 10,
    "callsPerHour": 200
  }
}
      
proxy decision log
// Incoming: tools/call { name: "web_search" }

→ VERIFY IDENTITY
  token: jwt.verify(bearer) 
  owner: asmit@example.com
  agentId: coding-agent-01

→ CHECK POLICY
  tool "web_search" in allowlist 
  call cost 12¢ < max 50¢ 
  session: 143¢ + 12¢ < 500¢ 
  rate: 3 calls/min < 10 

→ RESERVE BUDGET
  session: 143¢ → 155¢ (reserved)

→ FORWARD TO UPSTREAM
  POST tools.example.com/search

// HTTP 402 — x402 payment required
→ HANDLE x402
  price: 12¢ USDC on base
  wallet: 2847¢ → 2835¢
  receipt: 0xabc...def 

→ RETRY WITH PAYMENT → 200 OK

→ LOG TO LEDGER
  sessionId, agentId, tool,
  cost, duration, status: OK 
      

Six layers.
All working together.
01
🪪

Identity

JWT-based agent tokens link every agent to a human owner. Tools don't see an anonymous API call, they see "this is Asmit's coding agent, authorized to spend up to $10." Verifiable without a DB round-trip, and the token carries its own permissions.

JWT · HS256 · Bearer tokens
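
One way to do the stateless check this card describes, as an added example that is not Torii's code: an HS256 bearer token is verified with Node's built-in crypto, with the algorithm pinned and an expiry required. The claim names `agentId`, `owner` and `exp`, the helper names and the sample secret are assumptions.

```typescript
import { Buffer } from "node:buffer";
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical claim set; the page does not list the token's fields.
interface AgentClaims { agentId: string; owner: string; exp: number }

const SAMPLE_SECRET = "constructed-demo-secret"; // constructed, never a real key

const b64url = (b: Buffer): string => b.toString("base64url");
const hmac = (secret: string, input: string): Buffer =>
  createHmac("sha256", secret).update(input).digest();

// Only used to build constructed sample tokens for the checks.
function signToken(header: object, claims: object, secret: string): string {
  const input = `${b64url(Buffer.from(JSON.stringify(header)))}.${b64url(Buffer.from(JSON.stringify(claims)))}`;
  return `${input}.${b64url(hmac(secret, input))}`;
}

function verifyAgentToken(token: string, secret: string, nowSec: number): AgentClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, sig] = parts;
  try {
    // Pin the algorithm: the token's own header never chooses how it is verified.
    const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
    if (header.alg !== "HS256") return null;
    const expected = hmac(secret, `${h}.${p}`);
    const given = Buffer.from(sig, "base64url");
    // timingSafeEqual throws on a length mismatch, so compare lengths first.
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
    // Claims are read only after the signature has been checked.
    const c = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
    if (typeof c.agentId !== "string" || typeof c.owner !== "string") return null;
    if (typeof c.exp !== "number" || c.exp <= nowSec) return null; // expired, or no expiry at all
    return { agentId: c.agentId, owner: c.owner, exp: c.exp };
  } catch {
    return null; // malformed base64url or JSON
  }
}
```

HS256 is symmetric, so any party holding the secret can mint tokens as well as verify them; the secret belongs inside the proxy only.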
02
📋

Policy Engine

Per-agent JSON policies covering session budgets, per-call cost caps, tool allowlists/blocklists, and rate limits. A human defines what the agent can and can't do before it ever starts running. The proxy enforces these rules on every single call.

JSON policies · Rule evaluation · Zero-trust
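
The CHECK POLICY step from the decision log and the rules listed in this card, as an added example (not Torii's own code) evaluated against the policy shown in agent_policy.json. `SessionState`, `checkPolicy` and the reason strings are hypothetical, and it assumes a call landing exactly on a limit is allowed.

```typescript
// Added example: field names follow agent_policy.json above; SessionState,
// checkPolicy and the reason strings are hypothetical.
interface Policy {
  budget: { sessionLimitCents: number; maxPerCallCents: number; dailyLimitCents: number };
  tools: { allowlist: string[]; blocklist: string[] };
  rateLimit: { callsPerMinute: number; callsPerHour: number };
}
interface SessionState { sessionSpentCents: number; daySpentCents: number; callTimesMs: number[] }
interface Decision { allowed: boolean; reason: string }

const policy: Policy = {
  budget: { sessionLimitCents: 500, maxPerCallCents: 50, dailyLimitCents: 2000 },
  tools: { allowlist: ["web_search", "code_executor", "github_api"], blocklist: ["crypto_trading"] },
  rateLimit: { callsPerMinute: 10, callsPerHour: 200 },
};

function checkPolicy(p: Policy, s: SessionState, tool: string, costCents: number, nowMs: number): Decision {
  const deny = (reason: string): Decision => ({ allowed: false, reason });
  // Blocklist wins over allowlist, and anything not explicitly allowed is denied.
  if (p.tools.blocklist.includes(tool)) return deny("blocklist");
  if (!p.tools.allowlist.includes(tool)) return deny("not_in_allowlist");
  // The price is supplied by the upstream tool: a negative or NaN value
  // would pass every cap below, so reject it first.
  if (!Number.isInteger(costCents) || costCents < 0) return deny("invalid_cost");
  if (costCents > p.budget.maxPerCallCents) return deny("per_call_cap");
  if (s.sessionSpentCents + costCents > p.budget.sessionLimitCents) return deny("session_budget");
  if (s.daySpentCents + costCents > p.budget.dailyLimitCents) return deny("daily_budget");
  // Sliding windows over the timestamps of earlier calls.
  const callsWithin = (windowMs: number): number =>
    s.callTimesMs.filter((t) => nowMs - t < windowMs).length;
  if (callsWithin(60000) >= p.rateLimit.callsPerMinute) return deny("rate_limit_minute");
  if (callsWithin(3600000) >= p.rateLimit.callsPerHour) return deny("rate_limit_hour");
  return { allowed: true, reason: "ok" };
}

// Constructed state matching the decision log: 143 cents spent, 3 calls in the last minute.
const NOW = 1700000000000;
const state: SessionState = {
  sessionSpentCents: 143,
  daySpentCents: 143,
  callTimesMs: [NOW - 50000, NOW - 30000, NOW - 5000],
};
```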
03

Budget Tracker

In-memory session state. Tracks total spend, per-tool breakdown, call velocity. Atomic reserve-before-call pattern: reserves budget before the upstream call, refunds if it fails. Prevents concurrent overspend even under parallel agent calls.

Atomic reserves · Concurrent-safe · Per-tool breakdown
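
The reserve-before-call pattern described above, as an added example rather than Torii's implementation: the budget check and the hold happen in one synchronous step, so parallel calls on a single-threaded runtime cannot jointly overspend. `SessionBudget`, `callPaidTool` and the scenario numbers are constructed.

```typescript
// Added example; SessionBudget and callPaidTool are hypothetical names, not Torii's API.
class SessionBudget {
  private spentCents: number;
  private heldCents = 0;
  private readonly limitCents: number;
  constructor(limitCents: number, spentCents = 0) {
    this.limitCents = limitCents;
    this.spentCents = spentCents;
  }
  // Check and hold in one synchronous step. No await sits between the comparison
  // and the increment, so a parallel call can never act on a stale total.
  reserve(costCents: number): boolean {
    if (!Number.isInteger(costCents) || costCents < 0) return false;
    if (this.spentCents + this.heldCents + costCents > this.limitCents) return false;
    this.heldCents += costCents;
    return true;
  }
  commit(costCents: number): void { this.heldCents -= costCents; this.spentCents += costCents; }
  refund(costCents: number): void { this.heldCents -= costCents; }
  totals(): { spent: number; held: number } { return { spent: this.spentCents, held: this.heldCents }; }
}

type Outcome = "ok" | "blocked" | "upstream_failed";

async function callPaidTool(b: SessionBudget, costCents: number, upstream: () => Promise<void>): Promise<Outcome> {
  if (!b.reserve(costCents)) return "blocked"; // decided before any I/O starts
  try {
    await upstream();
    b.commit(costCents);
    return "ok";
  } catch {
    b.refund(costCents); // a failed call releases its hold
    return "upstream_failed";
  }
}

// Constructed scenario: 143 of 500 cents already spent, ten parallel 50-cent calls,
// every third upstream call fails.
async function demo(): Promise<{ outcomes: Outcome[]; spent: number; held: number }> {
  const b = new SessionBudget(500, 143);
  const calls = Array.from({ length: 10 }, (_, i) =>
    callPaidTool(b, 50, () => (i % 3 === 2 ? Promise.reject(new Error("upstream 502")) : Promise.resolve())));
  const outcomes = await Promise.all(calls);
  return { outcomes, ...b.totals() };
}
```

Holds count against the limit until they settle, so calls 8 to 10 in the scenario are blocked even though two earlier calls later fail and refund.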
04
📒

Ledger

SQLite audit trail. Every tool call gets logged with the agent ID, tool name, cost, block reason (if any), and upstream response time. If an agent overspends, you can trace exactly what happened. That's the foundation for dispute resolution.

SQLite · WAL mode · Full audit trail
05
💳

x402 Integration

The proxy handles HTTP 402 payment challenges automatically. It parses the challenge, checks the agent's policy and wallet balance, pays on behalf of the agent, and retries. The agent never knows about payments, it just makes tool calls.

HTTP 402 · USDC · Base chain · Auto-retry
06
👛

Wallet System

Per-agent wallets with balances, debits, credits, and transaction history. Different agents get different trust levels. Your research bot might get $20/day while a new untested agent gets $0.50. It's the trust boundary between who has money and who can spend it.

Per-agent balances · Full tx history · Scoped trust
Real-time observability.
You can't trust what you can't see.

You should be able to glance at a screen and know if your agents are behaving. This refreshes every 5 seconds.

localhost:3000/dashboard (● LIVE · Auto-refresh in 5s)

Total Spend: $24.17 (↑ $1.83 this session)
Active Sessions: 3 (↑ 1 started 2m ago)
Total Calls: 847 (↑ 12 in last minute)
Blocked Calls: 14 (budget exceeded: 9 · rate limit: 5)

Agent Spend Breakdown
Agent             Calls   Spend
coding-agent-01   312     $9.44
research-bot      401     $11.20
data-scraper      134     $3.53

Wallet Health
Agent             Balance
coding-agent-01   $39.11
research-bot      $9.60
data-scraper      $1.47

Recent Tool Calls
Status    Tool             Agent             Cost / block reason
OK        web_search       coding-agent-01   $0.12
OK        github_api       coding-agent-01   $0.05
BLOCKED   data_api         research-bot      budget
OK        code_executor    coding-agent-01   $0.08
OK        premium_llm      research-bot      $0.45
BLOCKED   crypto_trading   data-scraper      blocklist
OK        web_search       research-bot      $0.12

The human controls policy.
The agent controls execution.
Torii is the boundary between them.

Built in a day as a proof of concept to work through the identity and accountability gap in agentic payments. About 700 lines of TypeScript running on Bun + Hono + SQLite.
