← Back to Blog

How to Add Spending Controls to Any MCP Agent

mcp tutorial security

This week, Coinbase launched Agentic Wallets with MCP support. Phantom shipped an MCP server for Solana. deBridge released an MCP server for cross-chain bridging. The pattern is clear: MCP is becoming the standard interface between AI agents and financial infrastructure.

But there’s a problem none of these announcements addressed. Every one of these MCP servers gives agents unlimited access. An agent connected to the Coinbase MCP server can drain the entire wallet. An agent with the deBridge MCP server can bridge every token to any chain. There’s no spending limit, no daily cap, no per-transaction maximum.

This tutorial shows you how to add deterministic spending controls to any MCP agent — regardless of which wallet or protocol MCP servers it uses.

The MCP Spending Problem

MCP (Model Context Protocol) is a standard for exposing tools to AI agents. An MCP server declares tools — send_transaction, swap_tokens, bridge_assets — and the agent discovers and calls them automatically. It’s elegant, composable, and dangerously permissive.

Consider a typical MCP agent setup:

{
  "mcpServers": {
    "coinbase": {
      "command": "npx",
      "args": ["@coinbase/agentkit-mcp"]
    },
    "debridge": {
      "command": "npx",
      "args": ["@debridge/mcp-server"]
    }
  }
}

This agent can now send any amount, to any recipient, on any chain. The only thing standing between it and a full wallet drain is the system prompt — and prompts aren’t security.

A prompt like “never spend more than $100 per transaction” can be jailbroken, ignored during hallucination, or simply overridden by a sufficiently creative reasoning chain. You need enforcement at the tool layer, not the instruction layer.

PolicyLayer as an MCP Server

PolicyLayer ships as an MCP server itself. When you add it alongside your other MCP servers, your agent gains spending control tools that enforce hard limits before any transaction executes.

{
  "mcpServers": {
    "coinbase": {
      "command": "npx",
      "args": ["@coinbase/agentkit-mcp"]
    },
    "debridge": {
      "command": "npx",
      "args": ["@debridge/mcp-server"]
    },
    "policylayer": {
      "command": "npx",
      "args": ["@policylayer/mcp"],
      "env": {
        "POLICYLAYER_API_KEY": "pl_live_..."
      }
    }
  }
}

The agent now discovers PolicyLayer’s tools alongside Coinbase’s and deBridge’s. Before calling send_transaction on any wallet MCP server, it calls validate_transaction on PolicyLayer. If the transaction violates a policy, the agent gets a structured denial and can reason about alternatives.

Setup in Five Minutes

Step 1: Initialise

npx @policylayer/mcp init

The CLI opens your browser, authenticates your PolicyLayer account, creates an agent, and configures policies interactively. It detects your AI client (Claude Code, Cursor, Claude Desktop) and registers the MCP server automatically.

If you already have a PolicyLayer account and want to skip the interactive flow:

npx @policylayer/mcp init --api-key pl_live_... --daily-limit 500 --per-tx-limit 100

Step 2: Define Policies

During init, you set basic limits. For more granular control, use the dashboard or the API directly:

// Example: policy for a DeFi trading agent
const policy = {
  asset: "USDC",
  chain: "base",
  rules: {
    dailyLimit: "1000",        // $1,000/day maximum
    perTransactionLimit: "250", // $250 per transaction
    hourlyLimit: "500",         // $500/hour to prevent rapid draining
    recipientWhitelist: [       // Only known DEX routers
      "0x1111111254EEB25477B68fb85Ed929f73A960582", // 1inch
      "0x3fC91A3afd70395Cd496C647d5a6CC9D4B2b7FAD", // Uniswap
    ]
  }
};

Policies are enforced server-side by PolicyLayer’s API using two-gate cryptographic verification. The agent can’t bypass them, even if it tries.

Step 3: Agent Discovers Tools

Once the MCP server is registered, your agent automatically discovers five tools:

  • check_budget — How much can I still spend today?
  • validate_transaction — Would this specific transaction be approved?
  • list_policies — What rules apply to me?
  • transaction_history — What have I spent recently?
  • send_transaction — Validate, sign, and broadcast (execution mode only)

The first four are read-only. The agent can query its remaining budget, validate hypothetical transactions, and review history without any risk. send_transaction requires wallet configuration and uses PolicyLayer’s non-custodial architecture — your private key stays on your machine.

How It Works in Practice

Here’s what happens when an MCP agent tries to overspend:

Agent: "Bridge 2,000 USDC from Base to Arbitrum via deBridge."

→ calls validate_transaction(
    chain: "base",
    asset: "usdc",
    to: "0xdeBridge...",
    amount: "2000"
  )

→ PolicyLayer: {
    "decision": "DENIED",
    "reason": "Exceeds daily limit",
    "limit": "1000",
    "remaining": "847.50",
    "suggestion": "Reduce amount to 847.50 or wait until limit resets"
  }

Agent: "The bridge amount exceeds our daily budget. I can bridge
  up to 847.50 USDC today. Want me to proceed with the reduced
  amount, or shall I schedule the full amount across two days?"

The agent didn’t call deBridge’s bridge_assets tool. It checked with PolicyLayer first, got a denial, and offered alternatives. This is tool-layer enforcement — the policy is invisible infrastructure that shapes the agent’s behaviour without the agent needing to understand the rules.

Securing Multi-Server Agents

The real power shows when agents use multiple MCP servers. A single PolicyLayer instance controls spending across all of them:

Agent uses:
  - Coinbase MCP → sending USDC on Base
  - Phantom MCP → swapping SOL on Solana
  - deBridge MCP → bridging assets cross-chain

PolicyLayer enforces:
  - $1,000/day across ALL chains
  - $250 max per transaction on ANY server
  - Only whitelisted recipients per chain
  - 10 transactions/hour frequency cap

Without PolicyLayer, each MCP server operates independently. The agent could spend $1,000 on Coinbase, $1,000 on Phantom, and $1,000 through deBridge in the same hour. With PolicyLayer, spending is tracked across all servers against a unified budget.

This is particularly important as MCP servers proliferate. Every new server you add to your agent’s config is a new attack surface. PolicyLayer ensures that regardless of how many financial tools your agent discovers, the spending envelope remains fixed.

Beyond Validation: Execution Mode

If you want PolicyLayer to handle the full transaction lifecycle — validate, sign, and broadcast — add wallet credentials to the MCP server config:

{
  "mcpServers": {
    "policylayer": {
      "command": "npx",
      "args": ["@policylayer/mcp"],
      "env": {
        "POLICYLAYER_API_KEY": "pl_live_...",
        "WALLET_PRIVATE_KEY": "${WALLET_KEY}",
        "CHAIN": "base",
        "RPC_URL": "https://mainnet.base.org"
      }
    }
  }
}

In execution mode, the agent calls send_transaction directly on PolicyLayer’s MCP server instead of a wallet server. PolicyLayer validates the intent against your policies, signs the transaction locally using your key, and broadcasts it. The private key never leaves your machine — PolicyLayer’s API only sees the intent metadata.

This is useful when you want a single, controlled channel for all transactions rather than letting the agent call multiple wallet servers directly.

What About X402?

The X402 protocol (HTTP 402 Payment Required) is another emerging pattern where agents pay for API access automatically. PolicyLayer’s MCP server handles X402 payments too — the same policies that control direct transactions also control pay-per-request API spending.

An agent browsing X402-enabled APIs gets the same budget enforcement. No separate configuration needed.

The Landscape Is Moving Fast

Coinbase, Phantom, and deBridge shipping MCP servers in the same week isn’t a coincidence. The industry is converging on MCP as the standard agent-to-infrastructure interface. More wallet providers, DEXs, bridges, and protocols will ship MCP servers in the coming months.

Every one of them will give agents more financial capabilities. None of them will ship with spending controls — that’s not their job. Their job is to provide access. Your job is to provide limits.

PolicyLayer is designed to be the control layer that sits alongside any combination of financial MCP servers. Add new servers freely. The spending envelope holds.

Get Started

npx @policylayer/mcp init

One command. Browser auth. Guided policy setup. Your agent has spending controls in under a minute.

Related reading:

Resources:

Ready to secure your AI agents?

Get spending controls for autonomous agents in 5 minutes.

Get Started