apply_promo_code
AI agents use apply_promo_code to commit financial operations through Restaurant Backend MCP Server — usually the final step of a payment, billing, or trading workflow. A call moves real money.
Applying a promo code has financial implications as it reduces the cost of an order, committing a financial discount/obligation. While it doesn't move money directly, it modifies the financial terms of a transaction. The description is empty, which lowers confidence, but the name strongly implies a financial operation in the context of order processing.
From the tool's definition Tool name 'apply_promo_code' on a restaurant backend server that handles order processing and financial transactions.
Attacks that exploit this kind of access
apply_promo_code. It is categorised as a Financial tool in the Restaurant Backend MCP Server MCP Server, which means it involves financial transactions. Block by default and require explicit approval.
Register the Restaurant Backend MCP Server MCP server in PolicyLayer and add a rule for apply_promo_code: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Restaurant Backend MCP Server. Nothing to install.
apply_promo_code is a Financial tool with critical risk. Critical-risk tools should be blocked by default and only enabled with explicit human approval.
Yes. Add a rate_limit block to the apply_promo_code rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for apply_promo_code. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
apply_promo_code is provided by the Restaurant Backend MCP Server MCP server (pasanis/mcp-server). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →