Run402

171 tools. 94 can modify or destroy data without limits.

30 destructive tools with no built-in limits. Policy required.

Last updated:

94 can modify or destroy data
77 read-only
171 tools total

Community server · catalogue entry verified 29/06/2026

How to control Run402 ↓

What Run402 exposes to your agents

Read (77) Write / Execute (64) Destructive / Financial (30)
Critical Risk

The most dangerous Run402 tools

94 of Run402's 171 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

How to control Run402

PolicyLayer is an MCP gateway — it sits between your AI agents and Run402, and nothing reaches the server without passing your rules. These are the rules we recommend:

Block financial tools by default
{
  "accept_project_transfer": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Requires human approval."
      }
    ]
  }
}

Financial tools should be explicitly enabled per use case, not open by default.

Deny destructive operations
{
  "admin_archive_project": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
{
  "add_custom_domain": {
    "limits": [
      {
        "counter": "add_custom_domain_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "ai_translate": {
    "limits": [
      {
        "counter": "ai_translate_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

  1. Create a free account and register Run402 — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.
ENFORCE POLICY ON RUN402 →

Instant setup, no code required.

All 171 Run402 tools

DESTRUCTIVE 19 tools
Destructive admin_archive_project Operator moderation action — archive a single project (sets Destructive assets_rm Delete a blob from project storage and decrement the project Destructive ci_revoke_binding Revoke one CI/OIDC deploy binding. Revocation stops future CI gateway requests, but does not undo already depl Destructive delete_function Delete a deployed function from a project. Destructive delete_mailbox Delete the project Destructive delete_mailbox_webhook Delete a webhook. Idempotent — succeeds even if already deleted. Destructive delete_passkey Delete one authenticated-user passkey by id. Destructive delete_project Immediately and irreversibly delete a project: the gateway runs the full destructive cascade (drop tenant sche Destructive delete_secret Delete a secret from a project. Destructive delete_signer Schedule the KMS key for a signer for deletion (7-day AWS minimum window). Refused if the signer has on-chain Destructive delete_subdomain Release a custom subdomain. The URL will stop serving content. Destructive delete_version Delete a published app version. Destructive drain_signer Drain a KMS signer Destructive jobs_cancel Cancel a queued or running managed job. Destructive jobs_purge Purge all managed job runs for a project, terminating known active runners first. Destructive remove_custom_domain Release a custom domain mapping. Traffic to the domain will no longer route to Run402. Destructive remove_org_member Remove a member from an org. Requires an active Destructive remove_sender_domain Remove a project Destructive revoke_project_grant Revoke a per-project capability grant by id. Params:
EXECUTE 14 tools
Execute ai_moderate Run content moderation on text. Returns flagged status and category scores. Free for all projects, requires se Execute contract_deploy Deploy a smart contract from a KMS signer (signs a contract-creation tx with Execute deploy Unified apply primitive. Accepts a structured ReleaseSpec — database (migrations + expose), value-free secrets Execute deploy_function Deploy a serverless function (Node 22) to a project. Handler signature: export default async (req: Request) => Execute deploy_resume Resume a deploy operation that ended in Execute deploy_site Deploy a static site (HTML/CSS/JS) from inline file bytes. Files are staged to a temp directory, then uploaded Execute deploy_site_dir Deploy a static site from a local directory. Walks the tree, hashes each file, and uploads only the bytes the Execute functions_rebuild Refresh function(s) onto the platform Execute init Set up agent allowance, request faucet funding, and check tier status — single-call bootstrap. Idempotent, saf Execute invoke_function Invoke a deployed function via HTTP. Returns the function Execute passkey_login_verify Verify a browser WebAuthn assertion and return a normal Run402 auth session. Execute redrive_mailbox_webhook_delivery Re-queue a dead-lettered (failed_permanent) webhook delivery so the worker attempts delivery again. Use after Execute run_sql Execute SQL (DDL or queries) against a provisioned project. Returns results as a markdown table. Execute test_notification Trigger a real test notification (audit row marked is_test=true). Rate-limited per wallet at 1/min. Verifies t
WRITE 50 tools
Write add_custom_domain Register a custom domain (e.g. example.com) to point at a Run402 subdomain. Returns DNS instructions for the h Write add_org_member Add a member to an org BY WALLET (POST /orgs/v1/:org_id/members). A brand-new wallet is provisioned as a Write admin_reactivate_project Operator un-archive — flips Write admin_set_lease_perpetual Toggle an organization Write apply_expose Apply a declarative authorization manifest to a project (POST /projects/v1/admin/:id/expose). The manifest des Write assets_put Upload a blob (file or inline content) to project storage via direct-to-S3. Accepts local_path (any size up to Write auth_settings Update project auth settings: allow_password_set, preferred_sign_in_method, public_signup, and require_passkey Write cancel_project_transfer Cancel a pending project transfer of any kind (v1.93+). You must be authorized for the row Write ci_create_binding Create a GitHub Actions CI/OIDC deploy binding by sending a locally signed delegation to the SDK. This MCP wra Write claim_project_transfer Claim an incoming EMAIL transfer into an org (v1.93+) — the email analog of Write claim_subdomain Claim a custom subdomain (e.g. myapp.run402.com) and point it at an existing deployment. Free, requires servic Write create_auth_user Create or update a project auth user with the service key. Can set project_admin and optionally send a trusted Write create_email_organization Create an email-based organization (Stripe-only, no wallet required). Sends a verification email. Idempotent — Write create_mailbox Create a project-scoped email mailbox at <slug>@mail.run402.com. Returns mailbox_settings and next_actions whe Write create_org Create an empty organization on the prototype tier (POST /orgs/v1); you become its owner. Accepts only an opti Write demote_user Demote a user from project_admin role by email. Reverts to default authenticated role. Requires service_key. Write disable_sender_domain_inbound Disable inbound email on a custom sender domain. Replies to <slug>@<your-domain> will no longer be delivered. Write enable_sender_domain_inbound Enable inbound email on a verified custom sender domain. Replies to <slug>@<your-domain> will route through ru Write fork_app Fork a published app into a new project. Creates a full copy including database, functions, site, and optional Write import_project_archive Import a verified portable archive into a new local Run402 Core project through the Core gateway. Automaticall Write invite_auth_user Create/update a project auth user and send a trusted invite magic link. Requires service_key and an allowed re Write jobs_submit Submit a platform-managed job. The request must match the gateway jobs API shape: job_type, input with input.j Write passkey_login_options Create WebAuthn passkey login options for a project app origin. Write passkey_register_options Create WebAuthn passkey registration options for the authenticated user. Write passkey_register_verify Verify a browser WebAuthn registration response and store the user Write project_use Set the active/default project in the local keystore. Write promote_user Promote a user to project_admin role by email. Admins can manage secrets from the browser. Requires service_ke Write provision_postgres_project Provision a new Postgres database. Returns project credentials on success, or payment details if x402 payment Write publish_app Publish a project as a forkable app. Set visibility and tags for discoverability. Write register_mailbox_webhook Register a webhook on the project Write register_sender_domain Register a custom email sending domain for a project. Returns DNS records (DKIM CNAMEs + SPF/DMARC) to add. On Write rename_org Set or clear an organization Write rename_project Rename a project (PATCH /projects/v1/:id) — fix an auto-generated name. Authorization is org-membership based Write request_magic_link Send a passwordless login email (magic link) to a project user. Auto-creates the user on first verification. R Write rotate_webhook_secret Generate a fresh HMAC signing secret for the operator Write send_email Send an email. Two modes: template (project_invite, magic_link, notification) or raw HTML (subject + html). Op Write send_message Send a message to the Run402 developers. Requires an active tier. Write set_agent_contact Register agent contact info (name, email, webhook). New or changed emails start operator email reply verificat Write set_low_balance_alert Set the low-balance threshold (in wei) for a KMS signer. Email alerts fire when the signer Write set_mailbox_defaults Set default_outbound_mailbox_id and/or auth_sender_mailbox_id for a project. Use list_mailboxes first to choos Write set_notification_preferences Update operator notification preferences. Cross-wallet effects require email_verified assurance; webhook URL c Write set_org_member_role Change a member Write set_recovery_address Set or clear the optional recovery address used for auto-drain on day-90 deletion of a KMS signer. Write set_secret Set a project secret (e.g. STRIPE_SECRET_KEY). Values are write-only and injected as process.env variables in Write set_user_password Change, reset, or set a user Write start_operator_passkey_enrollment Email a short-lived Run402 operator passkey enrollment link to the verified contact email. Requires email_veri Write update_function Update a function Write update_mailbox Update per-mailbox settings. Currently supports footer_policy: run402_transparency or none. Prototype projects Write update_mailbox_webhook Update a webhook Write update_version Update metadata (description, tags, visibility, fork_allowed) of a published app version.
READ 77 tools
Read ai_translate Translate text to a target language. Requires service key and active AI Translation add-on. Supports optional Read ai_usage Get AI translation usage for the current billing period — used words, quota, and remaining balance. Read allowance_export Export the local agent allowance address. Safe to share publicly. Read allowance_status Check local agent allowance status — address, network, and funding status. Read assets_get Download a blob to a local file path. Writes bytes directly to disk (no context-window bloat). Returns size + Read assets_ls List blobs in a project with optional prefix filter over a flat key namespace. Supports pagination via cursor. Read assets_sign Generate a time-boxed S3 presigned GET URL for a blob. Use this to share a private blob externally without exp Read billing_history View billing ledger history for the agent Read browse_apps Browse public apps available for forking. Optionally filter by tags. Read check_balance Check the organization balance for the agent Read check_domain_status Check if a custom domain Read ci_get_binding Get one CI/OIDC deploy binding by id, including its subject, allowed events/actions, repository id, revocation Read ci_list_bindings List CI/OIDC deploy bindings for a project, including route_scopes when delegated. Use this to inspect which G Read contract_read Read-only smart-contract call (view/pure functions). No signing, no gas, no billing — pure RPC convenience. Read deploy_diagnose_url Read-only authenticated diagnostics for a Run402 public URL or host/path pair. Explains whether the current li Read deploy_events Fetch the recorded phase-event stream for a deploy operation. Returns the same Read deploy_list List recent deploy operations for a project. Returns operation_id, status, release_id, and timestamps. Use thi Read deploy_release_active Fetch the current-live release inventory for a project. Returns Read deploy_release_diff Diff two release targets for a project. Read deploy_release_get Fetch a release inventory by id. Returns release metadata, effective/desired state kind, site path inventory, Read diagnose_public_url Returns the live CDN state for a public blob URL (probed once from gateway-us-east-1 — NOT a global view). Use Read export_project_archive Export the supported Run402 Core runtime slice of a Cloud project as a portable .r402ar archive. Can wait for Read get_agent_contact_status Get the current agent contact assurance state: wallet_only, email_pending, email_verified, passkey_pending, or Read get_app Inspect a specific published app — details, required secrets, fork pricing. Read get_contract_call_status Look up a previously submitted contract call by call_id. Returns lifecycle state (pending/confirmed/failed), b Read get_email Get a sent email with details and any replies. Read get_email_raw Get the raw RFC-822 bytes of an inbound email message, base64-encoded. The decoded bytes are bit-identical to Read get_expose Get the current authorization manifest for a project (GET /projects/v1/admin/:id/expose). Returns the last-app Read get_function_logs Get recent logs from a deployed function. Shows console.log/error output and error stack traces from CloudWatc Read get_mailbox Get the project Read get_mailbox_webhook Get details of a specific webhook by ID. Read get_notification_preferences Read the operator Read get_operator_status Compact operator-health snapshot: contact assurance, critical items, skipped notifications, organizations, pro Read get_org Read one organization (GET /orgs/v1/:org_id) — its Read get_quote Get tier pricing for Run402 projects. Free, no auth required. Shows prices, lease durations, storage limits, a Read get_schema Introspect the database schema — tables, columns, types, constraints, and RLS policies. Useful for understandi Read get_signer Get a KMS signer Read get_usage Get project usage report — API calls, storage usage, limits, and lease expiry. Read inspect_project_archive Inspect a local run402-project-archive.v1 directory or .r402ar tar offline. Reports digest, required secrets, Read jobs_download_artifact Download a completed managed job Read jobs_get Get a managed job run by id. Read jobs_logs Read recent runner logs for a managed job. Use tail to cap entries and since for an ISO-8601 lower bound; lega Read link_wallet_to_organization Link a wallet to an existing email organization, enabling hybrid Stripe + x402 access. Fails if the wallet is Read list_custom_domains List all custom domains registered for a project. Read list_emails List sent emails from the project Read list_functions List all deployed functions for a project. Shows names, URLs, runtime, timeout, memory, and (for functions dep Read list_incoming_transfers List pending project transfers OFFERED TO the authenticated wallet (v1.59+). Each entry carries Read list_mailbox_webhook_deliveries List durable webhook delivery rows for the project Read list_mailbox_webhooks List all webhooks registered on the project Read list_mailboxes List a project Read list_notifications List the operator Read list_org_members List the members of an org and their roles. Params: Read list_orgs List the orgs you are a member of, with each org Read list_outgoing_transfers List pending project transfers INITIATED BY the authenticated wallet (v1.59+). Each entry carries Read list_passkeys List the authenticated user Read list_projects List projects from the named, domain-aware inventory (GET /projects/v1). Membership-scoped by default: every p Read list_secrets List secret keys for a project. Values and value-derived hashes are never shown; use this only to check which Read list_signers List all KMS signers owned by the project, including deleted ones. Read list_subdomains List all subdomains claimed by a project. Read list_versions List published versions of a project. Read preview_project_transfer Fetch the preview document for a project transfer of any pending kind (v1.93+). Returns the safe review payloa Read project_get Authoritative server read of a project — name, owning org, tier, effective status, active deploy, mailbox addr Read project_info Show local project details — REST URL, keys, site URL, and deployment info. Reads from local keystore only. Read project_keys Get anon_key and service_key for a project from the local keystore. Read rest_query Query or mutate data via the PostgREST REST API. Supports GET/POST/PATCH/DELETE with query params. Read scaffold_roles Generate a role-table migration + requireRole gate snippet + first-operator bootstrap for Run402 function role Read sender_domain_status Check the verification status of a project Read service_health Liveness check for the Run402 SERVICE — not your organization. For your organization status (allowance, tier, Read service_status Reports on the Run402 SERVICE (availability, capabilities, operator, deployment) — not your organization. For Read status Full organization snapshot — allowance, billing balance, tier subscription, projects, and active project. Sing Read tier_status Check current tier subscription — tier name, status, expiry, usage, and function authoring caps when returned Read validate_manifest Validate an auth/expose manifest without applying it. This checks the authorization manifest used by manifest. Read verify_agent_contact_email Start or resend the operator email reply challenge for the active agent contact email. Does not expose the cha Read verify_magic_link Exchange a magic link token for access_token + refresh_token. Creates the user if they don Read verify_project_archive Verify a local run402-project-archive.v1 directory or .r402ar tar offline. Checks integrity and compatibility Read wait_for_cdn_freshness Polls the CDN until a MUTABLE blob URL serves the expected SHA-256, or the timeout elapses. For mutable URLs o Read whoami Resolve the caller

Related servers

Other MCP servers with similar tools — same risk classification, starter policies for each.

Questions about Run402

Can an AI agent move money through the Run402 MCP server? +

Yes. The Run402 server exposes 11 financial tools including accept_project_transfer, allowance_create, contract_call. Without a policy, an autonomous agent can call these with no spend caps, no rate limits, and no approval flow. PolicyLayer lets you block financial tools by default, require human approval, or set per-tool rate limits — enforced on every call.

Can an AI agent delete data through the Run402 MCP server? +

Yes. The Run402 server exposes 19 destructive tools including admin_archive_project, assets_rm, ci_revoke_binding. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through Run402? +

The Run402 server has 50 write tools including add_custom_domain, add_org_member, admin_reactivate_project. Set a rate limit in your policy -- for example, 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach Run402.

How many tools does the Run402 MCP server expose? +

171 tools across 5 categories: Destructive, Execute, Financial, Read, Write. 77 are read-only. 94 can modify, create, or delete data.

How do I enforce a policy on Run402? +

Register the Run402 MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every Run402 tool call.

Deterministic rules across all 171 Run402 tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

Instant setup, no code required.

171 Run402 tools catalogued and risk-classified — across an index of 43,000+ MCP servers.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.