Authorize · Protect · Govern

Sanction: Financial control for autonomous agents.

Don't give your agent your credit card. Give it a Sanction key.

Track and cap what every agent spends, and approve, gate, or deny each action before the money moves or a secret is used. One key governs spend and access.

MCP · AWS Bedrock Action Groups · REST

Three pillars

Authorize

Agent Wallet

Spend authorization with policy enforcement. Auto-approve under threshold, escalate over it, deny what's blocked. Daily and monthly budgets per agent.

  • Per-transaction & daily limits
  • Auto-approve / escalate / deny
  • Category allow & block lists

Protect

Credential Vault

AES-256-GCM encrypted credentials at rest. Scoped execution JWTs with a 15-minute TTL gate every injection. Nothing leaves the vault unlogged.

  • AES-256-GCM at rest
  • Scoped 15-min execution tokens
  • Every access audit-logged

Govern

Clearance Levels

A 1–5 clearance system with industry-specific domain authorization. Agents only ever touch what they're explicitly cleared for.

  • 1–5 clearance tiers
  • Domain-scoped authorization
  • Fail-closed by default

How it works

Three steps to a governed agent.

Sanction sits between your agent and the world. You set the rules once; it enforces them on every call — and keeps a receipt.

1. Register an agent

Create a wallet and issue a scoped pxy_ API key for each agent. The key is its identity — every call it makes is attributable.

POST /v1/agents

2. Set a policy

Define the rules once: daily and per-transaction budgets, auto-approve and escalation thresholds, allowed and blocked categories, clearance level.

POST /v1/wallets

3. Authorize in real time

Before the agent spends, it calls /authorize. Sanction returns approve, escalate, or deny in milliseconds — and logs every decision for audit.

POST /v1/authorize

The decision engine

Every authorize call returns one of three outcomes:

Approved

Under the threshold and in an allowed category. The agent proceeds; the spend is logged.

Escalated

Over your escalation limit. The request pauses and waits for a human to approve or reject.

Denied

Blocked category or over the hard cap. The transaction never reaches the merchant.

authorize.sh
curl -X POST https://getsanction.vercel.app/api/v1/authorize \
  -H "x-api-key: pxy_••••" \
  -H "content-type: application/json" \
  -d '{
    "merchant": "openai",
    "amount_usd": 12.50,
    "category": "services"
  }'

# → { "decision": "approved", "remaining_daily_usd": 37.50 }
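A local model of the three outcomes described above, useful for unit-testing a policy before an agent depends on it. This is an added example, not Sanction's code: the field names, the order of the checks, and the decision strings other than "approved" are assumptions, and any input the policy does not recognize is denied, in line with the fail-closed default.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

@dataclass
class Policy:  # hypothetical field names, not Sanction's schema
    auto_approve_usd: Decimal   # at or under this: no human in the loop
    per_txn_cap_usd: Decimal    # hard cap: anything over is denied outright
    daily_budget_usd: Decimal   # approved spend per day may not exceed this
    allowed: frozenset          # categories the agent is cleared for
    blocked: frozenset = frozenset()

@dataclass
class Wallet:
    policy: Policy
    spent_today: Decimal = Decimal("0")
    audit: list = field(default_factory=list)

    def authorize(self, merchant, amount_usd, category):
        decision, reason = self._decide(amount_usd, category)
        if decision == "approved":  # only approved spend consumes budget
            self.spent_today += Decimal(str(amount_usd))
        # Every decision is recorded, including denials and bad input.
        self.audit.append((merchant, str(amount_usd), category, decision, reason))
        remaining = self.policy.daily_budget_usd - self.spent_today
        return {"decision": decision, "reason": reason,
                "remaining_daily_usd": remaining}

    def _decide(self, amount_usd, category):
        p = self.policy
        try:
            amount = Decimal(str(amount_usd))  # Decimal avoids float drift
        except InvalidOperation:
            return "denied", "unparseable amount"
        if not amount.is_finite() or amount <= 0:  # NaN, inf, zero, negative
            return "denied", "invalid amount"
        # Fail closed: a category must be explicitly allowed and not blocked.
        if category in p.blocked or category not in p.allowed:
            return "denied", "category not cleared"
        if amount > p.per_txn_cap_usd:
            return "denied", "over per-transaction cap"
        if self.spent_today + amount > p.daily_budget_usd:
            return "denied", "daily budget exhausted"
        if amount > p.auto_approve_usd:
            return "escalated", "needs human approval"
        return "approved", "within policy"
```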

Use cases

What it looks like in practice.

Coding & research agents

The agent that runs all night

An autonomous coding agent works your backlog overnight — calling Claude, hitting APIs, spinning up sandboxes. Costs compound while you sleep.

With Sanction

  • A daily token budget caps the burn — it stops before it overruns.
  • Every model call is logged with cost, model, and task label.
  • A job that needs $200 of compute escalates to you instead of just running.

Procurement & ops agents

The agent that pays the bills

An ops agent renews SaaS, pays contractors, and buys data. You want it autonomous for the routine and gated for the rest.

With Sanction

  • Routine renewals under $25 auto-approve — no human in the loop.
  • Anything over $100, or in a blocked category, routes to you or stops cold.
  • Payment credentials inject from the vault and expire 15 minutes later.

Integrations

Governs your whole agent stack.

Sanction is provider-agnostic. Meter spend across model providers, gate payment rails, and vault credentials for the tools your agents already use.

Anthropic
Google Gemini
Mistral AI
Hugging Face
Ollama
Perplexity
LangChain
Vercel
Zapier
n8n
Stripe
Coinbase
Visa
MasterCard
PayPal
GitHub
Notion
Linear
Google Cloud
Cloudflare
PostgreSQL
Supabase
Discord
Python

+ any REST API — via MCP, AWS Bedrock Action Groups, or direct calls.

Pricing

Trust through limits.

Start free. Scale when your fleet does.

Free

$0 forever

For a single agent finding its feet.

  • 1 wallet, 1 agent
  • 100 authorizations / mo
  • Token usage logging
  • Community support
Most popular

Pro

$19 / month

For builders running real agents.

  • 3 agents
  • 10,000 authorizations / mo
  • Credential vault (AES-256)
  • Execution JWTs
  • Email support

Team

$49 / month

For fleets that need governance.

  • 10 agents
  • Unlimited authorizations
  • Clearance levels 1–5
  • Audit log export
  • Priority support

Enterprise

Custom

For regulated, high-volume deployments.

  • Unlimited agents
  • SSO & custom clearance domains
  • On-prem / VPC deployment
  • SLA & dedicated support