IntentFence is a payment-policy firewall for autonomous AI agents. Before an
agent signs an x402 payment, it can forward the exact PAYMENT-REQUIRED
challenge it just observed. IntentFence validates the Base USDC quote against
the agent's ceiling and pre-approved payee allowlist, binds the challenge with
SHA-256, and returns a signed assessment. It checks quote integrity and policy
fit; it does not verify merchant identity, reputation, or delivery. It also
supports declared merchant/purpose, cost, data-retention, and approval policy
preflights.
safe_to_proceedneeds_reviewdenied
Production: https://agentpass-protocol.rmalka06.chatgpt.site
x402scan: https://www.x402scan.com/server/c495c104-dba4-4764-86b1-96b8b0cda48b
Official MCP Registry: https://registry.modelcontextprotocol.io/v0.1/servers?search=io.github.razel369%2Fintentfence
| Surface | Endpoint |
|---|---|
| Free REST preview | POST /api/preflight |
| Paid x402 decision | POST /api/preflight/verified |
| Paid caller-observed x402 quote assessment | POST /api/x402-assessments |
| Receipt verification | POST /api/receipts/verify |
| Public ES256 keys | GET /.well-known/jwks.json |
| MCP Streamable HTTP | /api/mcp (intentfence_verified_preflight is x402-paid) |
| A2A Agent Card | GET /.well-known/agent-card.json |
| x402 service manifest | GET /.well-known/x402 |
| Public aggregate metrics | GET /api/metrics |
| OpenAPI | GET /openapi.json |
Each paid endpoint costs 0.005 USDC on Base through x402. A successful call
returns both the facilitator's PAYMENT-RESPONSE settlement header and an
IntentFence ES256 compact-JWS receipt.
The quote assessment is the recommended check after an x402 merchant returns
its unpaid challenge and before the agent signs the merchant payment.
The agent supplies subject, target_url, optional method (GET, HEAD, or
POST), the base64 payment_required header (maximum 16 KiB), and a policy with
max_price_usdc plus an optional allowed_payees list. IntentFence validates
x402 v2, exact scheme, Base mainnet, canonical Base USDC, price, payee, and exact
resource binding. It requires the canonical USDC EIP-712 domain and sends
Permit2, unknown transfer metadata, and active extensions to review. A
safe_to_proceed result requires an explicit matching
allowed_payees entry; omitting the list yields needs_review. IntentFence
never fetches or pays the target. Every advertised payment option must satisfy
every automatic check; mixed safe and unsafe option sets are denied.
For teams that need a guarded production workflow, the founding-customer form is an application for hands-on integration of one consequential agent action. No subscription is charged until the production policy and success criteria are agreed with the customer.
The hosted MCP endpoint is available without an API key:
https://agentpass-protocol.rmalka06.chatgpt.site/api/mcp
The official x402 client buyer example verifies the live fee challenge before creating a signer and is payment-disabled by default:
https://github.com/razel369/intentfence/tree/main/examples/x402-buyer
Gemini CLI can install the repository directly, without waiting for an npm package or gallery crawl:
gemini extensions install https://github.com/razel369/intentfenceThe extension starts a dependency-free local MCP bridge and exposes the free preview plus the x402-paid verified preflight and quote-assessment tools.
The first call returns the standard PAYMENT-REQUIRED challenge for the
IntentFence fee:
curl -i -X POST https://agentpass-protocol.rmalka06.chatgpt.site/api/x402-assessments \
-H "Content-Type: application/json" \
-d '{"subject":"agent:buyer-07","target_url":"https://merchant.example/api/paid-resource","method":"GET","payment_required":"BASE64_PAYMENT_REQUIRED_HEADER","policy":{"max_price_usdc":"0.10","allowed_payees":["0x1111111111111111111111111111111111111111"]}}'Retry the same request with a valid x402 v2 PAYMENT-SIGNATURE. A successful
response contains the validated caller-observed challenge fields,
pass/review/deny checks, a SHA-256 binding to the full target URL and exact
payment requirement, and an ES256-signed assessment receipt. The assessment
uses assurance caller-observed-x402-quote-assessment and verification tier
x402-quote-assessment+x402-settled; x402 settlement covers the 0.005 USDC
IntentFence assessment fee, not the target payment.
Declared-input receipts attest only that IntentFence evaluated caller-supplied
policy data. Quote-assessment receipts bind the exact caller-observed
PAYMENT-REQUIRED challenge; they do not prove that IntentFence contacted the
merchant, or prove merchant identity, delivery, or downstream enforcement. The
receipt-signing key is separate from the USDC recipient wallet. IntentFence
never needs a payer's seed phrase or wallet private key.
npm install
npm run devFor MCP clients that launch local stdio servers, use npm run mcp:stdio.
Glama and other container-based hosts can build the root Dockerfile; it starts
the same IntentFence policy engine and responds to MCP initialization,
tools/list, and tools/call requests over standard input/output.
docker build -t intentfence-mcp .
docker run --rm -i intentfence-mcpThe production signing key is stored in Sites as the secret
INTENTFENCE_SIGNING_PRIVATE_JWK. Generate a separate development key with:
node scripts/generate-signing-key.mjs /secure/path/intentfence-private-jwk.jsonNever commit the generated private JWK. Publish only its public coordinates in
/.well-known/jwks.json.
npm run test
npm run lint
npx tsc --noEmit
npm run sdk:check
npm run smoke:mcp:docker
npm run smoke:mcp:stdio
npm run smoke:protocol -- http://localhost:3000Set INTENTFENCE_TEST_PRIVATE_JWK_PATH only for a local smoke test that should
exercise the signed-receipt verifier.
TypeScript and Python SDKs live in sdk/. The root server.json is ready for
the official MCP Registry under io.github.razel369/intentfence; the public MCP
endpoint uses Streamable HTTP and requires no API key.
The /.well-known/x402 service manifest and Bazaar metadata make both paid
endpoints crawlable by x402 indexes and autonomous tool routers. Production
resources are continuously checked, and the original verified-preflight route
is registered on x402scan.
The fastest path to production is one guarded action: purchase, transfer, booking, deployment, deletion, or another consequential tool call. Submit the pilot form on the production site with the real action and its policy boundary.
See docs/PROTOCOL.md and docs/SECURITY.md for the protocol and security model.