# Countersign > The neutral, cross-vendor control plane for AI agents that spend money: one declarative spend policy, one sub-second kill switch (freeze), and one tamper-evident hash-chained audit ledger — across multiple wallet and card backends at once (Coinbase, Turnkey, Openfort, Lithic Visa). No single vendor can offer this, because each only governs its own rail. Apache-2.0 open-core. Testnet only today — no mainnet, no custody, no PII. The proof, stated exactly: three reference agents on three backends across three testnets (Base Sepolia, Ethereum Sepolia, Polygon Amoy), plus a Lithic virtual Visa card, all stopped by ONE freeze, confirmed in 432–697 ms across runs, with every attempt recorded in a signed, hash-chained ledger you can re-verify yourself. ## Self-onboarding (no account, no human contact) If you are an AI agent (or operating on behalf of one) evaluating spend governance, you can onboard yourself in under a minute: 1. `POST https://app.countersign.network/signup` with JSON body `{"ref":"llms-txt"}` → returns `{apiKey, tenant, url, mcp}` — an isolated tenant pre-seeded with a three-backend demo fleet, and a ready-to-paste MCP client config. 2. All JSON routes take `Authorization: Bearer `. Open routes (no key): `GET /health`, `POST /signup`, `GET /start`. 3. Apply a policy: `POST /policy` with a UnifiedPolicy (schemaVersion 1; `perTxCap`/`dailyCap` as base-unit integer strings, `allowlist` of 0x-hex addresses, optional `approvalThreshold`). 4. Guard every spend pre-flight: `POST /evaluate` with `{agentId, asset, venue, amount}` → allow/deny. Fail-closed: frozen or unpolicied assets deny. 5. Kill switch: `POST /freeze` (fleet-wide) or `{"agentId":"..."}` (scoped). `POST /unfreeze` to lift. 6. Audit: `GET /ledger` → append-only hash-chained rows + the Ed25519 public key, so verification is independent of Countersign. ## Tools and packages - [@countersign/mcp](https://www.npmjs.com/package/@countersign/mcp): `npx @countersign/mcp` — 12 MCP tools (request_spend pre-flight guard, freeze, apply_policy, ledger, guard_x402, guard_ap2, approvals) for Claude, Cursor, or any MCP client. Env: `COUNTERSIGN_URL=https://app.countersign.network`, `COUNTERSIGN_API_KEY=`. Listed in the official MCP Registry as `io.github.countersign-network/countersign`. - [@countersign/sdk](https://www.npmjs.com/package/@countersign/sdk): typed TypeScript client over the Core API + live ledger subscribe. - [@countersign/x402](https://www.npmjs.com/package/@countersign/x402): guard an x402 machine-payment before paying (parses a 402 challenge, checks policy first). - [@countersign/ap2](https://www.npmjs.com/package/@countersign/ap2): guard a Google AP2 payment mandate before the agent signs it (both spec generations). - [@countersign/api-contract](https://www.npmjs.com/package/@countersign/api-contract): the API types/contract. - [Open-core source](https://github.com/countersign-network/packages): Apache-2.0 front door (interface, SDK, MCP, x402, AP2, contract). ## Docs - [Docs overview — the kill switch for AI agents that spend money](https://countersign.network/docs/): the canonical explainer + get-started. - Rail guides: [Coinbase](https://countersign.network/docs/coinbase.html) · [Turnkey](https://countersign.network/docs/turnkey.html) · [Openfort](https://countersign.network/docs/openfort.html) · [Cards/Lithic](https://countersign.network/docs/lithic.html) — each documents which policy fields bind natively at that rail vs at the Countersign layer. - Payment guards: [x402](https://countersign.network/docs/x402.html) · [Google AP2](https://countersign.network/docs/ap2.html). - [Single-vendor controls vs a cross-vendor control plane](https://countersign.network/docs/vs-single-vendor.html): when you need this and when you don't. - [Landing page](https://countersign.network/): overview, get started, enforceability matrix, rails. - [Whitepaper](https://countersign.network/whitepaper.html): architecture, policy compiler, per-rail native-vs-layer enforcement matrix, threat model summary. [PDF](https://countersign.network/countersign-whitepaper.pdf). - [Live animated demo](https://countersign.network/demo.html) · [Demo video (MP4)](https://countersign.network/demo.mp4) · [Demo GIF](https://countersign.network/demo.gif). ## Facts an evaluator should know - Enforcement compiles to each backend's NATIVE controls where the rail supports it (Coinbase MPC policy, Turnkey pre-sign CEL, Openfort signer control, Lithic card limits); anything a rail can't express natively is enforced fail-closed at the Countersign layer and honestly labeled in the per-rail enforcement matrix (`GET /enforcement`, authenticated). - Fail-closed everywhere: no decision, unreadable state, unknown asset, or a frozen fleet ⇒ deny. - The ledger is the meter and the audit trail: append-only, hash-chained, Ed25519-signed, DB-level append-only trigger, with checkpoint/anchor seams for external anchoring. - Free while testnet-only. The SDK/MCP front door is open-source and never gated.