Per-agent spend caps
Every agent carries a daily cap, a monthly cap, and a brand allowlist. Caps are checked and decremented server-side before any purchase settles, so an agent cannot exceed its budget no matter how it is prompted.
AgentRefills is built to move money for autonomous agents without ever giving one the ability to overspend, leak a code, or pay twice. Every guarantee here is structural, enforced server-side on every money-moving call, not a setting you can forget to turn on.
An agent gets its own API key with its own budget. The controls below run on our side of the call, so a compromised or confused agent still cannot spend beyond what you allowed.
Every agent carries a daily cap, a monthly cap, and a brand allowlist. Caps are checked and decremented server-side before any purchase settles, so an agent cannot exceed its budget no matter how it is prompted.
Every purchase passes a policy engine first. If that engine is unreachable or returns an undecided verdict, the request is denied, never allowed. There is no path where an evaluation failure results in a spend.
Purchases at or above a configurable threshold pause and request a human decision, pinged straight to Slack. Nothing settles until a person approves, and a rejection is returned to the agent as a clean, actionable error.
One global switch parks all spending. It is checked before every money-moving action, so flipping it stops new purchases immediately without leaving a half-finished payment behind.
Supply a client reference and a repeated call returns the existing task instead of charging again. A unique payment-per-task constraint backs it in the database, so a double charge is structurally impossible, not merely unlikely.
Every purchase is reconstructable end to end from an OpenTelemetry trace paired with a double-entry ledger. You can see exactly what happened, in what order, and where each cent moved.
A gift card code is bearer money. We treat redemption codes and API secrets as material that must be handled once, in isolation, and never exposed anywhere it does not need to be.
get_code. Any later call for the same task returns ALREADY_RELEASED, so a code cannot be pulled twice.task_id and invoice_id, never the underlying values. Observability never becomes a leak.The books stay consistent under retries, provider hiccups, and duplicate events, and you can prove out an integration before a single real cent moves.
Every inbound webhook is verified with an HMAC signature and deduplicated on (provider, event_id) before it is processed. A replayed or forged event changes nothing.
Money is tracked in a double-entry ledger where every transaction sums to zero. Funds are never created or destroyed by a bug, and the balance always ties out.
A free sandbox mode exercises the entire flow with test products and zero real spend. Build, break, and retry your integration end to end before you switch to live funds.
If you find a security issue in AgentRefills, please report it to security@agentrefills.com. We welcome responsible disclosure, will acknowledge your report, and will work with you on a fix and on timing before any details are made public. Please give us a reasonable window to remediate before sharing findings elsewhere.
Read how the guarantees are wired, or talk to us about your rollout. Start in sandbox and go live when you are ready.