Intercept Now Enforces Budgets on Paid MCP Tools

913 agents made 34,000 payments in the first week of MPP going live. Prices ranged from $0.003 to $35 per request. No human approved any of them.

The Machine Payments Protocol — built by Stripe and Tempo — lets MCP servers charge agents per tool call. Agent calls a tool, server responds with a price, agent pays, server returns the result. It works. The problem is that nothing between the agent and the server asks: “should this payment actually happen?”

Your agent doesn’t know it has a budget. The MCP server doesn’t enforce one. And the system prompt saying “stay under $50 per day” is a suggestion the model can ignore, misinterpret, or forget entirely. Without deterministic enforcement, every agent with a wallet is one runaway loop away from haemorrhaging funds until the balance hits zero.

What MPP Changes

Before MPP, MCP tool calls were free. The security question was “should this agent be allowed to call this tool?” — permissions, rate limits, argument validation. Intercept already handled all of that with YAML-defined policies.

MPP adds money. When an MCP server supports paid tools, it returns error code -32042 (payment required) with an MPP Challenge containing the exact price, currency, and payment details. The agent’s wallet pays automatically, then retries the call. The server delivers the result.

This is a fundamentally different threat model. A misconfigured agent calling a free tool wastes compute. A misconfigured agent calling a paid tool drains your wallet. The attack surface isn’t theoretical — it’s a line item on your Stripe invoice.

What We Built

Intercept now reads the -32042 response from MCP servers, extracts the price from the MPP Challenge, and evaluates it against your policy before any payment is authorised. If the call violates a budget rule, the payment never happens. The agent receives a denial message explaining why.

This is MCP spend enforcement at the transport layer. The agent doesn’t know Intercept exists. It sees the same tools, same schemas, same interface. But every payment passes through a policy gate first.

How It Works

┌──────────┐       ┌───────────┐       ┌────────────┐
│  Agent   │──────>│ Intercept │──────>│ MCP Server │
│          │       │  (proxy)  │       │  (paid)    │
│          │       │           │<──────│            │
│          │       │  reads    │       └────────────┘
│          │       │  -32042   │
│          │       │  price    │
│          │       │           │
│          │       │  ┌─────┐  │
│          │       │  │check│  │
│          │       │  │policy│ │
│          │       │  └──┬──┘  │
│          │       │     │     │
│          │<──────│  allow or │
│          │       │  deny     │
└──────────┘       └───────────┘

1. Agent calls a paid tool via Intercept
2. MCP server responds with -32042 and the MPP Challenge (amount, currency)
3. Intercept extracts the price from the Challenge
4. Policy engine evaluates: per-call cap, daily budget, global limit, approval rules
5. If allowed: the -32042 passes through to the agent, which pays normally
6. If denied: agent receives denial message, no money moves

The critical detail: Intercept reads the actual price from the server response, not a pre-configured estimate. If the server raises its price from $0.50 to $5.00, your policy catches it immediately.

Policy Examples

Per-Call and Daily Budget

Cap image generation at $5 per call and $50 per day:

version: "1"
description: "Agent budget limits for paid MCP tools"

tools:
  generate_image:
    rules:
      - name: "image budget"
        spend:
          per_call: 5.00
          daily: 50.00

The spend: shorthand expands into conditions and counters automatically — same idea as rate_limit: but for money. Per-call checks the price of each individual call. Daily tracks cumulative spend and resets at midnight UTC.

Global Spend Limit

Regardless of individual tool budgets, cap total agent spending at $200 per day across all paid tools:

  "*":
    rules:
      - name: "global daily budget"
        spend:
          daily: 200.00

The wildcard "*" applies to every tool. An agent can spend $50 on images and $50 on research, but the global limit catches cumulative overspend that per-tool budgets miss.

Approval Escalation

For expensive calls, pause and wait for human approval instead of hard-denying:

  research_report:
    rules:
      - name: "auto-approve cheap"
        spend:
          per_call: 10.00
          daily: 100.00

      - name: "expensive needs approval"
        action: "require_approval"
        conditions:
          - path: "spend.amount"
            op: "gt"
            value: 10000000
        on_deny: "Research report over $10 requires approval"

Calls under $10 flow through automatically. Anything above is held until a human approves or rejects it.

What Makes This Different

Reads the actual price. Most spending controls rely on pre-configured price estimates — “assume each image costs $0.10.” Intercept reads the real amount from the MPP Challenge. If a server changes its pricing, your policies still work.

Reserve and rollback. When a payment is approved, Intercept reserves the amount against your budget counter before forwarding. If the upstream call fails, the reservation is rolled back. Failed calls don’t consume budget.

Approval escalation. Not everything is allow/deny. The require_approval action holds expensive calls for human review without blocking cheap ones. Your agent keeps working on $0.50 lookups while a $35 research report waits for sign-off.

Shadow mode. Run Intercept in mode: shadow to log what would be blocked without actually blocking anything. See how your policies perform against real traffic before enforcing them in production.

Persistent counters. Daily budgets survive process restarts. Intercept stores counter state in SQLite (or Redis for multi-instance deployments). Recycle the process at 3am and your daily spend total picks up where it left off.

Getting Started

Install Intercept:

npx -y @policylayer/intercept

Write a policy file (policy.yaml):

version: "1"
description: "MPP spend enforcement"

tools:
  "*":
    rules:
      - name: "per-call cap"
        spend:
          per_call: 5.00

      - name: "daily budget"
        spend:
          daily: 100.00

Run Intercept as a proxy in front of your paid MCP server:

intercept -c policy.yaml --upstream https://paid-mcp-server.example.com

Or configure it in your .mcp.json for Claude Code, Cursor, or any MCP client:

{
  "mcpServers": {
    "paid-tools": {
      "command": "intercept",
      "args": ["-c", "policy.yaml", "--", "npx", "-y", "@example/paid-mcp-server"],
      "env": {
        "PAYMENT_WALLET_KEY": "..."
      }
    }
  }
}

The agent connects to Intercept thinking it’s the MCP server. Every tool call and every payment passes through your policy first.

What’s Next

This is the first release of MPP spend enforcement. On the roadmap:

• Multi-currency support — enforce budgets across USD, EUR, and crypto denominations in a single policy
• MPP session budgets — cap total spending across an entire agent session, not just daily windows
• HTTP SDK — enforce spend policies on non-MCP agent architectures using a lightweight HTTP middleware

MPP made autonomous agent payments real. Intercept makes them governable.

---

Ready to set agent budget limits on paid MCP tools?

• Quick Start Guide — Production-ready in 5 minutes
• GitHub — Open source proxy
• Scan your MCP server — Discover tools and generate policy scaffolds