Your AI agents are spending money.
Who's watching?
ActionFence is an AI action firewall that sits in front of your MCP servers and APIs. One JSON policy. Spend caps. Signed receipts. Zero trust by default.
Install ActionFence locally in one command.
npm install actionfence

Agents can book flights, delete databases, and drain your Stripe balance — often before you even know it happened.
Runaway Spending
An agent told to "book the best flight" books 200 hotel rooms instead. Per-call limits aren't enough — smart agents fragment $500 into 100 × $5 transactions.
No Audit Trail
"Who authorized this $2,300 charge?" Without cryptographic receipts, you have no proof of what happened, when, or why.
Honor-System Security
Most "AI safety" tools rely on the agent behaving correctly. Client-side enforcement is a suggestion, not a guarantee.
One line of code.
Three layers of defense.
ActionFence turns a normal tool call into a governed decision with proof attached.

Define your policy
Write the allowlist, spend limits, identity tier, and rate windows in guard-policy.json.

Wrap your server
withGuard() and guard() intercept tool calls before handlers run, then evaluate policy on your server.

Every decision is receipted
Store hash-chained, HMAC-signed receipts in SQLite or PostgreSQL for every allow and block.
Everything you need to govern AI actions. Nothing you don't.
Define guardrails before any tool call can execute.

JSON Policy Engine
Declarative rules in guard-policy.json for allow, deny, identity, and spend caps. Supports wildcard matching (book_*) and hot-reload.

Identity & JWT Verification
Three tiers: anonymous → token → verified, with built-in JWKS verification.
Enforce spend, pace, and approvals while requests are live.

Multi-Layer Spend Caps
Per-action, session, daily, rolling window, and global circuit-breaker caps catch fragmented micro-spending that per-call limits miss.
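To show why a single per-call limit is not enough, here is an added example (illustrative code written for this page, not ActionFence's own implementation or policy format) of spend caps evaluated in layers on every call. The policy values, the session ids and the agent traffic are all constructed; a real deployment would persist the counters instead of keeping them in memory.

```javascript
// Added example (not ActionFence's own code): layered spend caps evaluated on
// every call. Amounts are USD; the policy and the agent traffic are constructed.
const SPEND_POLICY = {
  perAction: { book_flight: 250, book_hotel: 150 }, // max for a single call
  perSession: 250,                                   // total per agent session
  perDay: 2000,                                      // total per UTC day
  rolling: { windowMs: 60 * 60 * 1000, max: 300 },   // $300 in any 1-hour window
  global: 5000,                                      // circuit breaker across all sessions
};

function createSpendGuard(policy, now = () => Date.now()) {
  const sessions = new Map(); // sessionId -> spent
  const days = new Map();     // 'YYYY-MM-DD' -> spent
  const events = [];          // { t, amount } inside the rolling window, oldest first
  let globalTotal = 0;
  let tripped = false;

  const dayKey = (t) => new Date(t).toISOString().slice(0, 10);

  function rollingTotal(t) {
    const cutoff = t - policy.rolling.windowMs;
    while (events.length && events[0].t <= cutoff) events.shift(); // expire old events
    return events.reduce((sum, e) => sum + e.amount, 0);
  }

  // Evaluate every layer; only an allowed call is recorded against the counters.
  function check({ sessionId, action, amount }) {
    const t = now();
    const block = (reason) => ({ allowed: false, reason });
    if (tripped) return block('global circuit breaker open');
    const actionCap = policy.perAction[action];
    if (actionCap !== undefined && amount > actionCap) return block(`per-action cap ${actionCap}`);
    const sessionTotal = (sessions.get(sessionId) ?? 0) + amount;
    if (sessionTotal > policy.perSession) return block(`session cap ${policy.perSession}`);
    const key = dayKey(t);
    const dayTotal = (days.get(key) ?? 0) + amount;
    if (dayTotal > policy.perDay) return block(`daily cap ${policy.perDay}`);
    if (rollingTotal(t) + amount > policy.rolling.max) return block(`rolling-window cap ${policy.rolling.max}`);
    if (globalTotal + amount > policy.global) {
      tripped = true; // fail closed for every session until an operator resets
      return block(`global cap ${policy.global}`);
    }
    sessions.set(sessionId, sessionTotal);
    days.set(key, dayTotal);
    events.push({ t, amount });
    globalTotal += amount;
    return { allowed: true, reason: 'within all caps' };
  }

  return { check, spent: () => globalTotal };
}

// An agent fragments a $500 purchase into 100 x $5 calls. Each call clears the
// $250 per-action cap, but the running session total stops it at call 51.
function demoFragmentedSpend() {
  let t = Date.UTC(2024, 0, 1, 9, 0, 0);
  const guard = createSpendGuard(SPEND_POLICY, () => t);
  let allowed = 0;
  let blockedReason = null;
  for (let i = 0; i < 100; i++) {
    const r = guard.check({ sessionId: 'agent-42', action: 'book_flight', amount: 5 });
    if (!r.allowed) { blockedReason = r.reason; break; }
    allowed++;
    t += 1000; // one call per second
  }
  return { allowed, blockedReason, spent: guard.spent() };
}

// Two sessions sharing one rolling window: the second is blocked until the
// first's spend ages out of the window.
function demoRollingWindow() {
  let t = Date.UTC(2024, 0, 1, 9, 0, 0);
  const guard = createSpendGuard(SPEND_POLICY, () => t);
  const outcomes = [];
  outcomes.push(guard.check({ sessionId: 'a', action: 'book_flight', amount: 200 }).allowed); // true
  t += 1000;
  outcomes.push(guard.check({ sessionId: 'b', action: 'book_hotel', amount: 150 }).allowed);  // false: 350 > 300
  t += SPEND_POLICY.rolling.windowMs;
  outcomes.push(guard.check({ sessionId: 'b', action: 'book_hotel', amount: 150 }).allowed);  // true: window expired
  return outcomes;
}

console.log(demoFragmentedSpend(), demoRollingWindow());
```

With only the per-action cap in place, all 100 of the $5 calls would have passed; the session and rolling-window counters are what turn a hundred small decisions into one enforced budget.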

Rate Limiting
Sliding-window rate limiting with per-agent tracking to stop runaway loops.

Human Approval Webhook
Pause high-value actions for human approval via onApprovalRequired with a 30-second timeout.
Keep a verifiable trail and catch silent control-plane drift.

Signed Receipt Chain
Cryptographic proof of every decision with HMAC-SHA256 signatures and hash-chain continuity.

Schema Drift Detection
Pin tool schemas with SHA-256 hashes and alert when MCP tool definitions silently change.

Simulation Mode
Dry-run policy outcomes and spend impact before anything executes for real.
60 seconds to integrate. We mean it.
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
import { withGuard } from 'actionfence';

const server = new McpServer({ name: 'my-server', version: '1.0.0' });

// One line. That's the entire integration.
withGuard(server, {
  policy: './guard-policy.json',
  identityReaderOptions: {
    jwksUri: 'https://issuer.example/.well-known/jwks.json',
    issuer: 'https://issuer.example',
    audience: 'bookflight-mcp',
  },
});

// Register tools as normal — ActionFence wraps them automatically
server.registerTool('book_flight', {}, async () => {
  return { content: [{ type: 'text', text: 'Booked!' }] };
});

Server-side enforcement. Not a client-side suggestion.
- [X]Client-side checks can be bypassed or skipped
- [X]Rules can drift across services and environments
- [X]"Please don't do bad things" approach
- [X]No consistent deny-by-default behavior
- [+]One policy gate executes before every tool handler
- [+]Agent never sees guard-policy.json
- [+]All tool calls must pass through middleware
- [+]Blocked requests never reach execution code
- [+]Default rule: deny. Allowlist only.
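As an added illustration of the server-side model above (example code written for this page; it is not ActionFence's implementation and its policy shape is invented), the gate below owns the handler table, evaluates a deny-by-default allowlist with wildcard patterns and a minimum identity tier before every call, and counts how often each handler actually ran, so you can see that blocked calls never reach execution code. Tools, tiers and patterns are constructed.

```javascript
// Added example (not ActionFence's own code or policy format): a deny-by-default
// gate that runs before every handler. Patterns, tiers and tools are constructed.
const GATE_POLICY = {
  allow: ['book_*', 'get_calendar'], // only these names may execute
  deny: ['delete_*'],                // deny always wins over allow
  minTier: { 'book_*': 'token' },    // identity tier required for matching tools
};

// Identity tiers in increasing order of trust.
const TIER_RANK = { anonymous: 0, token: 1, verified: 2 };

// Turn a glob such as 'book_*' into an anchored regular expression.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

const matchesAny = (patterns, name) => patterns.some((p) => globToRegExp(p).test(name));

// Pure policy evaluation: returns a decision without touching any handler.
function evaluate(policy, { tool, tier }) {
  if (matchesAny(policy.deny, tool)) return { allowed: false, reason: 'matched deny rule' };
  if (!matchesAny(policy.allow, tool)) return { allowed: false, reason: 'not on allowlist (deny by default)' };
  const required = Object.entries(policy.minTier).find(([p]) => globToRegExp(p).test(tool))?.[1] ?? 'anonymous';
  if ((TIER_RANK[tier] ?? -1) < TIER_RANK[required]) return { allowed: false, reason: `requires ${required} identity` };
  return { allowed: true, reason: 'matched allow rule' };
}

// The gate owns the handler table; callers can only reach a handler through call().
function createGate(policy, handlers) {
  const invocations = {}; // how many times each handler actually ran
  function call({ tool, tier, args }) {
    const decision = evaluate(policy, { tool, tier });
    if (!decision.allowed) return { blocked: true, reason: decision.reason };
    const handler = handlers[tool];
    if (!handler) return { blocked: true, reason: 'unknown tool' };
    invocations[tool] = (invocations[tool] ?? 0) + 1;
    return { blocked: false, result: handler(args ?? {}) };
  }
  return { call, invocations };
}

function demoGate() {
  const handlers = {
    book_flight: ({ to }) => `booked flight to ${to}`,
    delete_database: () => 'database dropped', // never reached: deny rule
    get_calendar: () => 'calendar contents',
  };
  const gate = createGate(GATE_POLICY, handlers);
  const results = [
    gate.call({ tool: 'book_flight', tier: 'token', args: { to: 'LHR' } }),     // allowed
    gate.call({ tool: 'book_flight', tier: 'anonymous', args: { to: 'LHR' } }), // blocked: needs token
    gate.call({ tool: 'delete_database', tier: 'verified' }),                   // blocked: deny rule
    gate.call({ tool: 'get_calendar', tier: 'anonymous' }),                     // allowed
    gate.call({ tool: 'send_payment', tier: 'verified' }),                      // blocked: not allowlisted
  ];
  return { results, invocations: gate.invocations };
}

console.log(JSON.stringify(demoGate(), null, 2));
```

The policy object never leaves this module, and an agent that wants a handler to run has no path to it other than call(), which is what makes the allowlist a guarantee rather than a request.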
Zero-Trust Architecture
Policy lives entirely on your server. Agents cannot bypass the middleware, read the guard-policy.json, or tamper with the cryptographic receipt chain.
Every decision leaves a cryptographic trail.
When someone asks who approved what, when, and under which policy, the receipt chain gives a verifiable answer.
Hash-chained
Each receipt references the previous one, so edits or deletions break continuity immediately.
HMAC-SHA256 signed
Every decision record is signed, and tampering fails verification on replay.
Append-only
History grows forward only; no record updates and no silent rewrites.
Verifiable
ReceiptStore.verifyChain() can validate the full timeline in a single integrity pass.
Redactable
Sensitive fields can be removed for storage while preserving decision integrity.
Proof captured. Next step: install and enforce.
Built for anyone giving AI agents real-world permissions.
MCP Server Developers
You build MCP tools that book flights, manage calendars, or query databases. ActionFence ensures no agent overspends, over-queries, or accesses unauthorized tools.
API Providers
Your REST API is consumed by AI agents. Drop in guard() middleware to enforce spend caps, rate limits, and identity checks on every request — without changing your route handlers.
Enterprise / Compliance
You need an audit trail for every AI-initiated action in your system. Signed receipts provide tamper-evident proof for compliance, incident response, and regulatory reporting.
Solo Developers
You're one person shipping an MCP server. npm install actionfence. Write a policy. Done. No enterprise gateways. No container networking. No vendor lock-in.