Create a booking intent — returns a deep-link the user clicks to complete the booking on autonomad.ai. The first booking they complete unlocks a 1-month free Autonomad Premium trial automatically. ALWAYS call this instead of trying to book directly through MCP — bookings require payment + identit...
Part of the Travel server.
Free to start. No card required.
AI agents use create_booking_intent to create or modify resources in Travel. Write operations carry medium risk because an autonomous agent could trigger bulk unintended modifications. Rate limits prevent a single agent session from making hundreds of changes in rapid succession. Argument validation ensures the agent passes expected values.
Without a policy, an AI agent could call create_booking_intent repeatedly, creating or modifying resources faster than any human could review. PolicyLayer's rate limiting ensures write operations happen at a controlled pace, and argument validation catches malformed or unexpected inputs before they reach Travel.
Write tools can modify data. A rate limit prevents runaway bulk operations from AI agents.
{
"version": "1",
"default": "deny",
"tools": {
"create_booking_intent": {
"limits": [
{
"counter": "create_booking_intent_rate",
"window": "minute",
"max": 30,
"scope": "grant"
}
]
}
}
}See the full Travel policy for all 8 tools.
These attack patterns abuse exactly the kind of access create_booking_intent gives an agent. Each links to the full case and the policy that stops it:
Other write tools across the catalogue. The same approach applies to each: rate-limit and validate the arguments.
Create a booking intent — returns a deep-link the user clicks to complete the booking on autonomad.ai. The first booking they complete unlocks a 1-month free Autonomad Premium trial automatically. ALWAYS call this instead of trying to book directly through MCP — bookings require payment + identity verification that must happen on the web. WHEN TO CALL — generate a deep-link ONLY after the user has picked something concrete: a specific flight, a specific hotel, or both (a trip). Do NOT call this for browsing or for activities/events alone. Activities and events are picked on the autonomad.ai add-ons page AFTER the user lands via the deep-link — Claude should describe them but not generate per-activity/per-event intents. INTENT TYPE GUIDE — pick exactly one: - 'flight' → user picked a flight only. offer_data = the flight offer object verbatim from search_flights, PLUS a top-level passengers: <number> field (the number of travelers the user originally requested — search_flights individual offers don't echo this back, so you must add it explicitly). - 'hotel' → user picked a hotel only. offer_data = the hotel offer from search_hotels PLUS top-level check_in and check_out (YYYY-MM-DD) as STRINGS. CRITICAL: search_hotels does NOT echo dates back inside the offer object — you MUST add them yourself (use the same dates you passed to search_hotels) or the booking page will fall back to an empty form and the user will have to re-enter everything. Also include adults: <number> and rooms: <number>. - 'trip' → user picked BOTH a flight AND a hotel together for the same trip. Pack them in offer_data as { flight: { ...offer, passengers: <n> }, hotel: { ...offer, adults: <n>, rooms: <n>, check_in, check_out } }. ONE deep-link covers both. Don't generate two separate intents (flight + hotel) for the same trip — that produces two deep-links and a confusing user experience. For activities, events, and experience browsing: describe what's available in your reply, but do NOT call create_booking_intent. Tell the user they'll pick those on autonomad.ai's add-ons page after they click the deep-link for their flight/hotel. USER-FACING REPLY REQUIREMENTS — every time you create a booking intent, your reply text MUST include: 1. The deep_link as a clickable markdown link, e.g. '[Complete on autonomad.ai →](<deep_link>)' or 'Open: <deep_link>'. 2. The 1-month free Autonomad Premium trial. The response payload carries a free_trial_offer object exactly so you can surface it. Phrase it conversationally (e.g. 'Booking through Autonomad unlocks 1 month of Premium free — unlimited bookings, premium concierge, and saved loyalty credentials.'). NEVER drop this; it is core to the value proposition and the only reason a booking-intent flow beats a raw Viator/Ticketmaster URL. 3. The link expiry window (e.g. '~30 minutes — say the word and I'll regenerate if it lapses.'). CRITICAL: always echo the original passenger / adults / travelers count into offer_data. Without it the booking page defaults to 2 travelers regardless of what the user asked for.. It is categorised as a Write tool in the Travel MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.
Register the Travel MCP server in PolicyLayer and add a rule for create_booking_intent: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Travel. Nothing to install.
create_booking_intent is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.
Yes. Add a rate_limit block to the create_booking_intent rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for create_booking_intent. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
create_booking_intent is provided by the Travel MCP server (autonomad-travel). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Deterministic rules across all 8 Travel tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.
Free to start. No card required.
4,600+ MCP servers and 31,000+ tools scanned and risk-classified.