Stop AI agents from
burning your budget.
Approve, enforce, and execute every payment with Sentinel + ShieldPay using policies, multi-agent validation, and secure escrow to prevent costly mistakes before they happen.
Built by
Approve, enforce, and execute every payment with Sentinel + ShieldPay using policies, multi-agent validation, and secure escrow to prevent costly mistakes before they happen.
Retries and duplicate calls drain funds before you notice, with no kill-switch on the payment layer.
Without spend controls, agents hit retry loops and on-chain calls thousands of times before a human sees it. One misconfiguration cost a team $47k in 72 hours.
Rate limits slow abuse; they don't stop economic damage. There's no agent-level budget governance in the stack.
No kill-switch in the payment path: by the time the invoice lands, it's too late.
$47,000
Lost in 72 hours
Claude Opus loop with no spend policy set
8,400x
No kill-switch
Retries ran unchecked until manual stop
Sentinel decides if a payment should happen. ShieldPay runs it when it's approved: two layers, one flow from policy to settlement.
It answers whether a payment is allowed: multi-agent voting, spend rules (policy), and a clear approve or reject outcome. It does not move funds or call Trustless Work.
Live evaluation
trace · v1> Evaluating transaction...
intent_id pay_8f2a · 1,250 USDC · escrow
> Policy check passed
production_v3 · daily_cap OK
> Multi-agent consensus reached
quorum 3/3 · approve x3
> Approved
signed for ShieldPay · 14ms
Policy through execution: one stack for approvals, limits, monitoring, and audit-ready trails.
Require M-of-N consensus before any intent becomes a payment. Quorums per tier, role, or spend band, enforced before ShieldPay sees a signature.
Compose rules that run at intent time: caps, allowlists, velocity checks, and custom predicates.
Per-call, session, and rolling windows block overruns before they hit your ledger.
Live stream of intents, votes, and policy outcomes with actionable context.
Immutable, queryable history for compliance: who approved what, when, and why.
If governance fails closed, execution never starts. Escrow and routing only after a valid approval.
Clear answers about how Sentinel and ShieldPay work together and separately for integrators and operators.
Sentinel is the governance layer. It evaluates spend policies, coordinates multi-agent consensus votes, and issues approvals or rejections without ever touching funds. ShieldPay is the payment execution layer. It receives Sentinel's signed approval and routes the payment through the x402 facilitator proxy, Trustless Work escrow, or an MPP session on Stellar.
No. Sentinel only issues signed approvals or rejections. Funds move exclusively through ShieldPay, and only after Sentinel signs off. This separation ensures the governance layer cannot be shortcut at the payment layer, even by a compromised agent.
ShieldPay supports x402 (HTTP-native payments), MPP (Micropayment Protocol), and Trustless Work escrow all on the Stellar Network.
When a payment intent is submitted, Sentinel fans it out to the configured agent signatories. Each agent votes approve or reject. The intent proceeds only if the quorum threshold (e.g., 3-of-5) is reached within the session window.
Yes. Sentinel can be used standalone as a governance and policy enforcement engine (just not yet). ShieldPay can be used standalone as a payment facilitator. Running both gives the strongest guarantee: every intent governed before execution, every execution settled trustlessly.
Sentinel blocks the payment intent at policy evaluation time and returns a structured rejection with the violation reason. Depending on your configuration, Sentinel can also freeze the agent's session until a human operator resumes it via the dashboard.