Practical writing on giving AI agents real power on real APIs without losing real money. Drawn from what we're building into Keybrake.
When ten users each trigger an AI agent in your Next.js app at the same time, process.env.STRIPE_SECRET_KEY becomes a shared liability — no per-session spend cap, no per-agent revocation, no attribution in the audit log. Vault keys fix all three. Covers the Route Handler pattern, the Vercel AI SDK streamText streaming edge case, Server Actions, and why a proxy layer is required for spend cap enforcement.
Five concrete Stripe Restricted Key examples with exact permission sets — refund agent, billing agent, subscription manager, payment capturer, and read-only analytics agent. For each: the exact resources to enable, a one-line CLI command, and the specific gap this configuration still leaves open (spend cap, customer scope, parameter allowlist, revoke latency).
Read the post →When one agent makes one API call, a .env file is fine. When fifty agents call Stripe, Twilio, and Resend, you need a control plane — and neither LLM gateways (LiteLLM, Portkey) nor traditional gateways (Kong, AWS API Gateway) provide it. Four properties a vendor API gateway for agents must have, why cost parsing from response bodies is the hard part, and when to build vs use a managed proxy.
The @function_tool decorator makes Stripe tools trivial to add — and the spend-cap gap just as trivial to miss. Three gaps the decorator can't fill (no per-run budget, no sub-second revoke, no per-call audit with agent context), the two-line proxy override, how to issue per-run vault keys, and what the audit log shows from a stuck billing agent that the Stripe dashboard never will.
CrewAI, LangGraph, and AutoGen all encourage shared API keys by default. In production, that pattern produces five distinct failure modes: attribution collapse (can't tell which agent spent what), rate-limit contention (one agent's burst kills another's quota), blast radius on compromise (rotating one key kills all agents), scope mismatch (least-privileged agents get the most-permissive key), and audit log collapse (one event stream, no per-agent reconstruction). Here's how the per-agent vault key pattern closes all five.
Read the post →There are four ways to add spend monitoring to an AI agent. Three of them tell you about the damage after it's done — cloud billing alarms fire 8–48 hours late, vendor threshold emails arrive 15–60 minutes post-threshold, and agent-side counters reset on restart and don't aggregate across instances. One pattern fires before the spend happens. Here's how each works, what it catches, and how to layer them.
Read the post →Handing an AI agent your Twilio key is a four-figure SMS bill waiting to happen. Retry storms send every message 4–6×, international routing bleed turns an $82 batch into $400, and an unsubscribed-list broadcast sends 50,000 messages before anyone checks the console. Four controls — per-day USD cap, destination prefix allowlist, deduplication window, sub-second revoke — prevent all three failure modes at the proxy layer, before calls reach Twilio.
Read the post →Wiring Stripe into a LangChain agent takes ten lines. Limiting what that agent can spend takes zero lines — because there's nothing to configure. Three concrete failure modes (stuck refund loop, unbounded charges, customer scope bleed) and the two-line fix that closes all three without touching your agent code.
Read the post →Stripe Agent Toolkit, Stripe Projects, and proxy-layer governance all shipped in 2026 Q1-Q2. Here's the three-layer model — identity, authorization, enforcement — what each release covers, the three gaps that still have no clean answer, and a concrete build-on-today stack for engineers running agents against production money.
Read the post →Stripe Agent Toolkit lets Claude issue refunds and charges through MCP in under 30 seconds of config. The off-switch — spend cap, kill switch, per-call audit log — takes two minutes to add by routing through a governance proxy. Walkthrough: the two failure modes, the before/after config, and what you get.
Read the post →Stripe Restricted Keys are the right primitive for about sixty percent of AI agent use cases. The four gaps — no per-day spend cap, no parameter-level scope, no sub-second mid-run revoke, no per-call audit with parsed cost — are where the real money leaks. The native Stripe workarounds for each, and when they stop being enough.
Read the post →Your agent is burning Stripe charges and you have ten minutes. The two moves people conflate — rotating the upstream key vs revoking a scoped one — have a 2-3 order-of-magnitude latency gap. Minute-by-minute playbook for both, with the call to make first.
Read the post →The sixteen columns that earn their keep in an AI agent audit log, the SQL with indexes, five operational queries you'll run more than you expect, and a synthetic stuck-refund incident traced from log rows alone.
Read the post →Agent governance isn't a product — it's a four-layer stack (LLM traffic, LLM observability, SaaS API governance, agent identity). Which proxy covers which risk, which players live at which layer, and the single header that lets you join an incident across all of them.
Read the post →Five controls every team needs before handing an autonomous agent a production Stripe key — what Stripe gives you out of the box, what it doesn't, and how to assemble the rest with either a wrapper or a proxy.
Read the post →