runaway loop away from haemorrhaging funds until the balance hits zero.
What MPP Changes
Before MPP, MCP tool calls were free. The security question was "should this agent be allowed to call this tool?" -- permissions, rate limits, argument validation. Intercept already handled all of that with YAML-defined policies.
MPP adds money. When an MCP server supports paid tools, it returns error code -32042 (payment required) with an MPP Challenge containing the exact price, currency, and payment details. The agent's wallet pays automatically, then retries the call. The server delivers the result.
This is a fundamentally different threat model. A misconfigured agent calling a free tool wastes compute. A misconfigured agent calling a paid tool drains your wallet. The attack surface isn't theoretical -- it's a line item on your Stripe invoice.
What We Built
Intercept now reads the -32042 response from MCP servers, extracts the price from the MPP Challenge, and evaluates it against your policy before any payment is authorised. If the call violates a budget rule, the payment never happens. The agent receives a denial message explaining why.
This is MCP spend enforcement at the transport layer. The agent doesn't know Intercept exists. It sees the same tools, same schemas, same interface. But every payment passes through a policy gate first.
How It Works
┌──────────┐ ┌───────────┐ ┌────────────┐
│ Agent │──────>│ Intercept │──────>│ MCP Server │
│ │ │ (proxy) │ │ (paid) │
│ │ │ │<──────│ │
│ │ │ reads │ └────────────┘
│ │ │ -32042 │
│ │ │ price │
│ │ │ │
│ │ │ ┌─────┐ │
│ │ │ │check│ │
│ │ │ │policy│ │
│ │ │ └──┬──┘ │
│ │ │ │ │
│ │<──────│ allow or │
│ │ │ deny │
└──────────┘ └───────────┘
- Agent calls a paid tool via Intercept
- MCP server responds with
-32042 and the MPP Challenge (amount, currency)
- Intercept extracts the price from the Challenge
- Policy engine evaluates: per-call cap, daily budget, global limit, approval rules
- If allowed: the -32042 passes through to the agent, which pays normally
- If denied: agent receives denial message, no money moves
The critical detail: Intercept reads the actual price from the server response, not a pre-configured estimate. If the server raises its price from 0ドル.50 to 5ドル.00, your policy catches it immediately.
Policy Examples
Per-Call and Daily Budget
Cap image generation at 5ドル per call and 50ドル per day:
version: "1"
description: "AgentbudgetlimitsforpaidMCPtools"
tools:
generate_image:
rules:
- name: "imagebudget"
spend:
per_call: 5.00
daily: 50.00
The spend: shorthand expands into conditions and counters automatically -- same idea as rate_limit: but for money. Per-call checks the price of each individual call. Daily tracks cumulative spend and resets at midnight UTC.
Global Spend Limit
Regardless of individual tool budgets, cap total agent spending at 200ドル per day across all paid tools:
"*":
rules:
- name: "globaldailybudget"
spend:
daily: 200.00
The wildcard "*" applies to every tool. An agent can spend 50ドル on images and 50ドル on research, but the global limit catches cumulative overspend that per-tool budgets miss.
Approval Escalation
For expensive calls, pause and wait for human approval instead of hard-denying:
research_report:
rules:
- name: "auto-approvecheap"
spend:
per_call: 10.00
daily: 100.00
- name: "expensiveneedsapproval"
action: "require_approval"
conditions:
- path: "spend.amount"
op: "gt"
value: 10000000
on_deny: "Researchreportover10ドルrequiresapproval"
Calls under 10ドル flow through automatically. Anything above is held until a human approves or rejects it.
What Makes This Different
Reads the actual price. Most spending controls rely on pre-configured price estimates -- "assume each image costs 0ドル.10." Intercept reads the real amount from the MPP Challenge. If a server changes its pricing, your policies still work.
Reserve and rollback. When a payment is approved, Intercept reserves the amount against your budget counter before forwarding. If the upstream call fails, the reservation is rolled back. Failed calls don't consume budget.
Approval escalation. Not everything is allow/deny. The require_approval action holds expensive calls for human review without blocking cheap ones. Your agent keeps working on 0ドル.50 lookups while a 35ドル research report waits for sign-off.
Shadow mode. Run Intercept in mode: shadow to log what would be blocked without actually blocking anything. See how your policies perform against real traffic before enforcing them in production.
Persistent counters. Daily budgets survive process restarts. Intercept stores counter state in SQLite (or Redis for multi-instance deployments). Recycle the process at 3am and your daily spend total picks up where it left off.
Getting Started
Install Intercept:
npx -y @policylayer/intercept
Write a policy file (policy.yaml):
version: "1"
description: "MPPspendenforcement"
tools:
"*":
rules:
- name: "per-callcap"
spend:
per_call: 5.00
- name: "dailybudget"
spend:
daily: 100.00
Run Intercept as a proxy in front of your paid MCP server:
intercept -c policy.yaml --upstream https://paid-mcp-server.example.com
Or configure it in your .mcp.json for Claude Code, Cursor, or any MCP client:
{"mcpServers":{"paid-tools":{"command":"intercept","args":["-c","policy.yaml","--","npx","-y","@example/paid-mcp-server"],"env":{"PAYMENT_WALLET_KEY":"..."}}}}
The agent connects to Intercept thinking it's the MCP server. Every tool call and every payment passes through your policy first.
What's Next
This is the first release of MPP spend enforcement. On the roadmap:
-
Multi-currency support -- enforce budgets across USD, EUR, and crypto denominations in a single policy
-
MPP session budgets -- cap total spending across an entire agent session, not just daily windows
-
HTTP SDK -- enforce spend policies on non-MCP agent architectures using a lightweight HTTP middleware
MPP made autonomous agent payments real. Intercept makes them governable.
Ready to set agent budget limits on paid MCP tools?