Build an unsigned approve(spender, amount) transaction that raises (or sets) an ERC-20 allowance — the structured inverse of prepare_revoke_approval. amount is a decimal in token units (e.g. "10" for 10 USDC) or the literal "max" for unlimited. Refuses unlimited approvals to canonical no-key addr...
AI agents use prepare_token_approve to create or update resources in VaultPilot MCP — usually the action step of a workflow, after the agent has gathered context. Every call changes real data in your VaultPilot MCP environment.
| Parameter | Type | Required | Description |
|---|---|---|---|
chain | string | — | |
token | string | Yes | ERC-20 contract address. Must be the actual token contract — wrappers and aTokens have their own approval surfaces and aren't supported here. |
amount | string | Yes | Decimal amount in token units, NOT raw wei/base units. Example: "10" for 10 USDC. Decimals resolved from the token contract. Pass "max" for the uint256-max unli |
wallet | string | Yes | EVM wallet that grants the allowance. Must be paired via `pair_ledger_live`. |
spender | string | Yes | Address that will be allowed to pull tokens via `transferFrom`. Typically a protocol contract (Aave V3 Pool, Uniswap SwapRouter, etc.) or any EOA. Use the read- |
acknowledgeBurnApproval | boolean | — | Override flag for the BURN_ADDRESS_UNLIMITED_APPROVAL refusal. Required only when `amount` is `max` AND `spender` is a canonical no-key address (`0x0…0`, `0x0…d |
Parameters from the server's own tool schema.
An AI agent can call prepare_token_approve faster than any human can review — one bad instruction and it creates or modifies resources in VaultPilot MCP by the hundred, each call as confident as the last.
Risk signalsHandles credentials or secrets (token)
Attacks that exploit this kind of access
Build an unsigned approve(spender, amount) transaction that raises (or sets) an ERC-20 allowance — the structured inverse of prepare_revoke_approval. amount is a decimal in token units (e.g. "10" for 10 USDC) or the literal "max" for unlimited. Refuses unlimited approvals to canonical no-key addresses (0x0…0, 0x0…dEaD, 0xdEaD…0, 0xff…ff) with BURN_ADDRESS_UNLIMITED_APPROVAL; override via acknowledgeBurnApproval: true only when the user explicitly asked for that exact spender + unlimited amount. Resolves a friendly spender label from the canonical CONTRACTS table so the description + Ledger preview reads as "Approve USDC for Aave V3 Pool, 1000 USDC" rather than a raw hex address. EVM-only. Prefer protocol-specific prepare_* (e.g. prepare_aave_supply) when the approval is bundled with a downstream action — those route through the shared buildApprovalTx helper which handles the USDT-style reset pattern in one step. Use this tool for one-off allowance-setting that doesn't fit a bundled prepare. It is categorised as a Write tool in the VaultPilot MCP MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.
prepare_token_approve accepts 6 parameters: chain, token, amount, wallet, spender, acknowledgeBurnApproval. Required: token, amount, wallet, spender. The full parameter table on this page comes from the server's own tool schema.
Register the VaultPilot MCP server in PolicyLayer and add a rule for prepare_token_approve: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches VaultPilot MCP. Nothing to install.
prepare_token_approve is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.
Yes. Add a rate_limit block to the prepare_token_approve rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for prepare_token_approve. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
prepare_token_approve is provided by the VaultPilot MCP server (vaultpilot-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.