Docs / Overview

The kill switch for AI agents that spend money

AI agents now hold wallets and pay for things — machine-payments over x402, mandates over Google's AP2, agentic wallets on Coinbase, Turnkey, Openfort. The control story hasn't caught up: a misbehaving agent retrying a $0.06 call 1,000 times a minute burns ~$86,000 in a day, and most agents in production ship with no reliable way to stop them.

The four controls every spending agent needs

The emerging consensus is a four-element guardrail: permission (what may it spend, on what), approval (a human co-sign above a threshold), audit trail (what did it actually do), and a kill switch (stop everything, now). Most stacks ship one of the four at best.

Why the kill switch is the hard one

Single-vendor kill switches exist — revoke a session key, pause a card. The unsolved part: a serious agent fleet holds wallets on several backends, and no vendor can freeze a competitor's rail. Coinbase can't stop your Turnkey agent; Turnkey can't see your Openfort spend. "Stop my agents" has no single answer — until a neutral layer sits above the wallets.

What good looks like

How Countersign works

Countersign is that layer. You write one policy; the compiler maps each field to the strongest control the rail can express and honestly flags what it can't (the enforceability matrix). Your agent calls POST /evaluate before every spend — the pre-flight guard. One POST /freeze stops the fleet. Every attempt lands in the signed ledger.

# self-serve key — no account, no human
curl -X POST https://app.countersign.network/signup \
  -H 'content-type: application/json' -d '{"ref":"docs"}'
// one declarative policy — amounts are base-unit integer strings
import { CountersignClient } from "@countersign/sdk";
const cs = new CountersignClient({ baseUrl: "https://app.countersign.network", apiKey });

await cs.applyPolicy({ policy: {
  schemaVersion: 1, asset: "USDC",
  perTxCap: "1000000",           // 1 USDC per transaction
  dailyCap: "5000000",           // 5 USDC per rolling 24 h
  allowlist: ["0x1111…"],        // counterparties
}});

// the pre-flight guard, before EVERY spend
const d = await cs.evaluate({ agentId, amount: "400000", asset: "USDC", venue: "base-sepolia" });
if (d.outcome !== "allow") throw new Error(d.reason);

// the kill switch — every backend at once, < 1 s
await cs.freeze();

Or drop it into Claude / Cursor / any MCP client as tools:

{ "mcpServers": { "countersign": {
  "command": "npx", "args": ["-y", "@countersign/mcp"],
  "env": { "COUNTERSIGN_URL": "https://app.countersign.network",
           "COUNTERSIGN_API_KEY": "csk_…" } } } }

The proof

Three reference agents on three backends across three testnets — Coinbase on Base Sepolia, Turnkey on Ethereum Sepolia, Openfort on Polygon Amoy — plus a Lithic virtual Visa card, all stopped by one freeze, confirmed in 432–697 ms across runs, with the signed ledger re-verifying as intact afterward. Watch the loop, then falsify it yourself.

Guides

Honest scope: everything here is testnet-only — no mainnet, no custody, no PII. The hosted sandbox seeds a mock three-backend fleet so you can exercise policy, guard, freeze, and ledger end-to-end; the vendor enforcement described on this page was proven live on real testnet backends. Mainnet follows a third-party security audit.

Try it in 60 seconds — no account, no human

Self-serve key, an isolated sandbox tenant with a three-backend demo fleet, testnet only.

Get a free key → Watch the freeze GitHub