Four rails frozen in ~432ms — proven on testnet

The kill switch for AI agents that spend money.

Countersign is a neutral, cross-vendor control plane: one policy, one freeze, and one tamper-evident audit ledger — across every agent-wallet backend at once. The one thing no single wallet vendor can do, because each only governs its own rail.

4 rails live — Coinbase · Turnkey · Openfort · Visa card <1s cross-vendor freeze Apache-2.0 open core Ed25519-signed append-only ledger
▶ Live — three agents, three vendors, one freeze in 0.41s
Get started

From install to a working kill switch in minutes.

Pick your entry point — each is one copy-paste away from value. Free, testnet, no account required.

1

Install the SDK

The typed client agents and operators use to wire in the cross-vendor freeze, spend guard, and live ledger. Browser + Node.

$ npm i @countersign/sdk
2

Guard & freeze

One policy compiles to every backend's native controls. Ask before a spend; freeze everything in one call.

import { CountersignClient } from "@countersign/sdk";
const cs = new CountersignClient({ baseUrl, apiKey });

// may this spend happen?
await cs.evaluate({ agentId, amount, asset, venue });
// kill switch — every wallet, < 1s
await cs.freeze();
3

Drop it into your agent (MCP)

Add Countersign as MCP tools in Claude, Cursor, or any MCP client — the kill switch + spend guard, one line.

$ npx @countersign/mcp

Or run the full demo locally: pnpm demo — 3 agents, 3 backends, one freeze <1s.

How it works

Build the layer above the wallets.

① One unified policy

Per-tx caps, rolling daily caps, allow/deny lists, human-approval thresholds, freeze. Written once.

② Compiled to each rail

The compiler lowers it to every backend's native controls — so a compromised agent can't exceed the cap, not just a polite request.

③ One freeze, fully audited

A single action stops every backend concurrently in <1s, fail-closed — and every attempt lands in a signed, append-only ledger.

Enforceability

See exactly where every control binds.

A security control whose binding you can't see isn't one. Countersign publishes, per rail and per policy field, whether it's enforced natively — inside the vendor's MPC, enclave, or on-chain, where a compromised agent can't bypass it — or at Countersign's own pre-flight layer. The freeze is native on every rail. What varies is fine-grained policy, and we never hide which is which.

RailFreezePer-tx capDaily capApproval
Coinbasenativenativenativelayer
Turnkeynativenativelayernative
Openfortnativelayernativelayer
Lithic · Visanativenativelayerlayer
native  bound in the vendor — bypass-proof layer  bound at Countersign's pre-flight guard

Computed live per rail from the policy compiler — the current matrix is served at GET /enforcement and rendered in the live dashboard.

The network effect

Every guarded spend makes the network safer.

Countersign is distributed primarily over MCP — so any agent in Claude, Cursor, or your own stack picks up a spend guard and a kill switch. Each spend that flows through it strengthens a cross-rail safety layer no single wallet vendor can match — because each vendor only governs its own rail. That's the flywheel.

1 · Guard

An agent asks countersign_request_spend before it moves money. Allowed, denied, or held for a human — fail-closed.

2 · Adopt

Operators add the one-line MCP server to their other agents and their team. The kill switch now spans every rail at once.

3 · Strengthen

More agents under one policy + one freeze = a cross-vendor safety net that grows more valuable the more of the agent economy joins it.

Truthful by design: propagation is always a value-adding, opt-in surface. Countersign never makes an agent post, DM, or recruit on its own — a denied spend or a freeze simply offers peers the same protection, which a human or agent can choose to share.

Spread the safety net

Add the badge. Bring your other agents and your team.

If Countersign guards your agent, say so — it signals to users (and other agents) that spending is governed, and it points the next operator to the same kill switch. Drop the badge in your README or app footer.

Spending governed by Countersign ← live preview of the badge

Markdown badge

For your README

[![Spending governed by Countersign](https://img.shields.io/badge/spending%20governed%20by-Countersign-58e6a8?labelColor=0b1020)](https://countersign.network)

HTML badge

For your app or site footer

<a href="https://countersign.network">🛡️ Spending governed by Countersign</a>

Bring your other agents

One line — any MCP client

npx @countersign/mcp

Same policy, same freeze, across your whole fleet. Onboarding a teammate? Send them app.countersign.network/start for an instant key.

Why operators reach for it

The questions a team asks before agents touch money.

These are the recurring asks Countersign is built to answer — not customer quotes. It's testnet-only today; mainnet follows a third-party audit.

“If an agent goes rogue at 2am, can I stop all of them — not just the ones on one wallet?”

— the cross-vendor freeze, proven across four rails in ~432ms

“Can I prove, after the fact, exactly what every agent tried to spend?”

— the append-only, hash-chained, tamper-evident ledger

“Can I write one spending policy instead of N vendor consoles?”

— one unified policy compiled to each backend's native controls

Integrations

The networks your agents already use.

Countersign governs them through one policy, one freeze, and one tamper-evident ledger — across every rail at once. No single vendor can do that, because each only governs its own.

Stripe Turnkey Openfort Lithic Coinbase Airwallex
Ecosystem

Rails + toolkit.

Countersign governs the wallets & cards you already use — the rails — and ships the toolkit your agents build with.

Rails — what Countersign governs

MPC wallets · native per-tx cap pushed into CDP policy.

LIVE

In-enclave CEL policy · native human-approval consensus.

LIVE

Backend smart accounts · custody-level hard freeze.

LIVE

Virtual Visa card · real-time ASA approve/decline.

LIVE
Toolkit — what you build with

MCP server

npx @countersign/mcp — kill switch + spend guard inside any MCP client.

PUBLISHED

SDK

@countersign/sdk · @countersign/api-contract — typed client + live ledger.

PUBLISHED

x402

Govern the HTTP-402 machine-payment standard before it pays.

LIVE

AP2

Guard an Agent Payments Protocol mandate before the agent signs & pays.

LIVE

Open core

Front-door packages under Apache-2.0. Audit it yourself.

APACHE-2.0
Roadmap

Coming soon.

Native-enforcement parity

Close the remaining layer cells in the matrix — reversible on-chain KeysManager freeze, native consensus approvals, card ASA on every issuer — so each guarantee is backend-enforced end to end.

SOON

Durable, HA kill switch

Multi-instance & KMS-signed, with the ledger anchored to a public transparency log — so the freeze survives any single failure and anyone can verify history independently.

SOON

Mainnet & more rails

Real-value operation after an independent security audit — plus Stripe, Airwallex & more wallet and card networks graduating from built to live.

SOON
Copied ✓