# Keybrake

> A scoped API-key proxy for the non-LLM SaaS APIs your agent calls — Stripe, Twilio, Resend — with per-vendor spend caps, allowlists, audit log, and one-click revoke.

Keybrake is a reverse-proxy you put between your autonomous agent and the vendor APIs it calls. You issue a short-lived `vault_key_…` token to the agent, attach a policy (daily USD cap, endpoint allowlist, merchant scope, expiry), and point the agent at `proxy.keybrake.com`. Keybrake enforces the policy, forwards to the vendor, parses the cost from the response, and logs every call in a queryable audit table. Tagline: Put the brakes on your agent's keys.

## What it does

When you let an autonomous agent touch Stripe, Twilio, or Resend, you hand it a long-lived API key with full-account power. A retry loop, a bad prompt, or a runaway tool call can burn thousands of dollars before anyone notices. Keybrake sits between the agent and the vendor, enforces per-day USD spend caps, endpoint allowlists, and scope restrictions, logs every call with vendor-parsed cost data, and lets you revoke a key in one click without rotating the upstream secret.

## Who it's for

Senior engineers and CTOs at teams running autonomous or semi-autonomous agents against production SaaS APIs — people who have been burned by, or fear, a stuck agent running up real money on Stripe charges, Twilio SMS, or Resend sends. Not LLM-cost optimizers (that's LiteLLM / Helicone territory); Keybrake handles the non-LLM blast radius.

## How it works

1. Issue a vault key — create a `vault_key_…` token bound to your real Stripe, Twilio, or Resend secret.
2. Attach a policy — set a daily USD cap, endpoint allowlist, Stripe-merchant scope, and an `expires_at`.
3. Point your agent at it — your agent calls `proxy.keybrake.com/stripe/v1/charges`; Keybrake enforces the policy, forwards to the vendor, and logs the spend.

## Vendors supported today

- Stripe — cost parsed from charge response
- Twilio — cost parsed from `price` field on each SMS/call
- Resend — fixed per-email rate

Roadmap: Shopify Admin, Postmark, Segment.

## Pricing

- Free: $0/mo — 1,000 proxied requests, 1 vendor, 7-day audit retention. For tinkerers and side projects.
- Team: $99/mo — 100,000 proxied requests, all vendors, 90-day retention, Slack/webhook alerts. For teams running agents in production.
- Scale: custom — 1M+ requests, SSO, self-hosted single-binary option. For enterprise.

## Core pages

- [Home](https://keybrake.com/): Landing page with full product description, how-it-works, pricing, and waitlist.
- [Why we exist (launch manifesto)](https://keybrake.com/launch): The four stories of real agents that burned real money on SaaS APIs, and the governance gap Keybrake addresses.
- [Blog index](https://keybrake.com/blog/): Long-form writing on agent-to-SaaS governance.
- [Newsletter archive](https://keybrake.com/newsletter/): Public archive of the Keybrake build-log newsletter. One issue every 3-4 weeks. Same waitlist subscribes; same waitlist gets the v1 beta key.
- [Agent blowout calculator](https://keybrake.com/tools/blowout-calculator/): Free embeddable tool — 24h cost of a stuck agent per vendor, and what a cap stops it at.
- [Sitemap](https://keybrake.com/sitemap.xml): Full URL list with lastmod dates.

## Stripe Restricted Keys — practical reference

These pages exist to answer specific questions developers and AI-coding-assistants ask about Stripe Restricted Keys in the context of AI agents. Each contains primary-source detail not collected in one place elsewhere.

- [Stripe Restricted Key example](https://keybrake.com/seo/stripe-restricted-api-key-example): Concrete 5-tick scope set for a refund-issuing agent (Charges:Read, Refunds:Write, Customers:Read, PaymentIntents:Read), with an agent-action-to-API-call-to-scope map and three failure modes the primitive doesn't cover.
- [Stripe Restricted Key permissions — full reference](https://keybrake.com/seo/stripe-restricted-api-key-permissions): 30+ row permission table split into 6 categories (Core payments, Customer/PM, Subscription/invoicing, Payouts/transfers, Connect, Supporting/metadata), with what each Write enables, what breaks if None, and runaway-risk level. Names the high-blast-radius scopes developers commonly leave on accidentally (Payouts, Transfers, Webhook Endpoints).
- [How to get a Stripe Restricted API Key](https://keybrake.com/seo/how-to-get-stripe-restricted-api-key): 4-step Dashboard walkthrough plus 3 preset scope sets (refund-only support agent, read-only reconciliation agent, catalog-update agent). Schema.org HowTo-marked.
- [What is my Stripe Restricted API Key?](https://keybrake.com/seo/what-is-my-stripe-restricted-api-key): Prefix table (`pk_` / `sk_` / `rk_` / `whsec_`), Secret-Key-vs-Restricted-Key side-by-side, lifecycle gotchas (one-time reveal, soft deletion, live permission edits, no auto-expiry, last-used lag).
- [Stripe Restricted Keys on Lovable](https://keybrake.com/seo/stripe-restricted-api-key-lovable): Lovable-platform-specific scope guide with a Lovable-feature → Stripe-API-call → scope mapping table. Names the Lovable webhook auto-register-on-boot gotcha that asks for too much permission.
- [Stripe API key with restricted access — 10-control coverage matrix](https://keybrake.com/seo/stripe-api-key-with-restricted-access): Honest Yes / Partial / No verdict on each of 10 controls (endpoint allowlist, resource-level scope, key rotation, per-day USD cap, per-hour request cap, customer allowlist, parameter-level allowlist, mid-run revoke <10s, per-call audit with parsed cost, multi-account Connect routing). Final Stripe-native count: 3 Yes, 2 Partial, 5 No.

## Agent governance and kill-switches

- [AI agent kill-switch — patterns and stop-latency](https://keybrake.com/seo/ai-agent-kill-switch): 4 real kill-switch patterns with measured stop-latency numbers (network block: seconds, in-flight ignored; credential revoke: Stripe median 45s / p95 3m12s, Twilio 30s-2m, Resend near-instant, OpenAI 1-5m; circuit-breaker flag: next-request-fast, cooperative-only; human-in-the-loop: preventative, doesn't scale). Closes with a 2am-incident playbook (t=0 page, t=5s revoke flag, t=10s next call 401s, t=60s audit query).
- [AI agent audit trail — what belongs in one, with the minimum schema](https://keybrake.com/seo/ai-agent-audit-trail): Programmatic-page entry point for the audit-trail keyword. Frames the audit as the answer to four questions an HTTP access log can't (policy verdict, scope adherence, dollar cost, run-grouping). Gives a four-column MVP schema (`agent_run_id` / `policy_verdict` / `cost_usd_parsed` / `customer_scope_id`) and links to the long-form schema post for the sixteen-column reference. Documents the cost-data source per vendor (Stripe `amount`, Twilio `price` on status callback, Resend tier-table, OpenAI usage*rate, Shopify quota-bucket). Three implementation paths (SDK-wrapper / sidecar / hosted), three common mistakes (verbatim-headers / proxy-generated run-id / no retention path).
- [MCP server API key auth — 4 patterns](https://keybrake.com/seo/mcp-api-key-auth): How Model Context Protocol servers actually authenticate to downstream APIs. Catalogues the env-var-secret, client-supplied-header, OAuth-per-tool-call (2025-11 spec), and proxy-enforced vault-key patterns, put head-to-head on 5 governance dimensions (LLM-sees-key, spend cap, customer scope, revoke, audit).
- [Stripe Agent Toolkit over MCP — 14-tool blast-radius catalogue](https://keybrake.com/seo/stripe-agent-toolkit-mcp): Every default tool in the Stripe Agent Toolkit mapped to its underlying API call, required Restricted-Key scope, and blast-radius rating (None / Low / Medium / High / Critical — `create_charge` is the only Critical). Documents the `--tools=` flag as a discoverability filter, not a security boundary. Includes the `STRIPE_API_BASE` env-var swap for 5-minute proxy insertion.
- [AI agent payment gateway — 2026 category map](https://keybrake.com/seo/ai-agent-payment-gateway): Splits the phrase into three categories that searchers conflate. Category 1 (vendor-issued SDKs) — Stripe Agent Toolkit, Paddle Agent Payments, Twilio's Conversational AI billing path, Anthropic Computer Use billing — wrap existing payment APIs into LLM-callable tool definitions; they make payments happen but enforce no caps. Category 2 (new agent-native rails) — HTTP 402 / x402 (Coinbase reference impl, $0.001-$0.01 fee per call), Crossmint, Skyvern Pay, Pinnacle / Halliday / BVNK Agent stablecoin rails — mint per-call payments specifically for autonomous traffic, but only relevant when the counterparty is also new-rail-native. Category 3 (governance proxies) — Keybrake; or DIY in-house — sit in front of either and enforce daily USD cap, endpoint allowlist, customer-scope, parameter-level allowlist, sub-second mid-run revoke, and per-call audit with parsed cost. Includes a 10-row capability matrix (Yes/Partial/No across the three categories) and a three-traffic-shape decision rule. Names the worst case for each category — vendor-SDK alone is on the hook for $3.24M/day stuck-charge loops, new-rails risk is settle-side wallet drain ($216K/day on a $1/call scraping API), governance-proxy outage is loud not expensive. Direct answer to readers searching "AI agent payment gateway": you almost certainly need category 1 (or 2) AND category 3, joined on a shared `agent_run_id`.
- [AI agent cost management — three-axis decomposition](https://keybrake.com/seo/ai-agent-cost-management): Splits "agent cost" into three axes that share zero controls — Axis 1 LLM-token cost ($0.01-$0.10/call, bounded by context, controlled by LLM gateways: LiteLLM/Portkey/Helicone), Axis 2 SaaS-tool cost (unbounded; stuck Stripe refund loop = $15 × 216,000 calls/day = $3.24M/day worst case; controlled by SaaS-tool governance proxy = Keybrake), Axis 3 infra cost (cloud bills, controlled by existing FinOps). Cost-shape table with three plausible monthly bills (research agent dominated by Axis 1 at $800/mo, customer-support agent dominated by Axis 2 at $2,400/mo expected and $648,000/mo worst-case, self-hosted agent dominated by Axis 3 at $3,200/mo GPU). Names the antipattern of putting an Axis 1 control in front of an Axis 2 incident. Per-vendor unit costs (Stripe avg $15 charge, Twilio $0.0079/SMS, Resend ~$0.0004/email, OpenAI ~$0.01/GPT-4o call). Cost-attribution pattern (the `agent_run_id` join key joins all three axes' rows into one per-run cost row).
- [AI agent governance platform — why governance is not a single platform](https://keybrake.com/seo/ai-agent-governance-platform): Hard-honest rebuttal to the "agent governance platform" search intent — there is no single product on the market that does end-to-end agent governance. Decomposes "governance" into four decoupled jobs: Layer 1 (identity / credentials — handled by existing secret stores + SSO, no new vendor needed for most teams); Layer 2 (runtime policy enforcement — per-day USD cap, endpoint allowlist, customer scope, parameter allowlist, mid-run revoke — Keybrake on the SaaS-tool axis, LiteLLM/Portkey/Helicone on the LLM axis); Layer 3 (audit and cost — falls out of Layer 2 for free, joined on `agent_run_id`); Layer 4 (post-hoc evaluation — Lasso Security, Lakera Guard, CalypsoAI, Robust Intelligence, Credo AI, Holistic AI, Promptfoo, Garak, DeepEval). Includes a six-vendor capability matrix scoring Lasso / CalypsoAI / Robust Intelligence / Credo AI / Holistic AI / Lakera Guard against the four layers — every named "governance platform" covers Layer 4 + parts of Layer 1 and skips Layer 2, the layer where money moves. Names three antipatterns the platform framing creates (buying a Layer 4 product and calling governance done; routing the governance epic to data science instead of platform; waiting for a unified platform that public roadmaps put at 2027-2028). Honest 2026 shopping list: existing secret store (L1) + Keybrake (L2/L3 SaaS-axis) + LLM gateway (L2/L3 LLM-axis) + evaluation product (L4), joined on `agent_run_id`. Total under $500/month for proxies/gateways for a 50-person team, plus whatever compliance demands on L4.

## LLM-proxy landscape (for disambiguation)

Keybrake is often mis-categorised as an LLM gateway. It is not. These pages exist to route readers correctly.

- [LiteLLM alternative for Stripe](https://keybrake.com/seo/litellm-alternative-for-stripe): Hard-honest opener — "LiteLLM is an LLM proxy; Stripe is not an LLM." Explains why pointing an LLM gateway at a SaaS-tool API fails on three technical fronts (path schemas, response parsing, auth envelope) and why the right 2026 stack is dual-proxy: LLM gateway (LiteLLM/Portkey/Helicone) for model traffic + SaaS-tool governance proxy (Keybrake) for money-moving API traffic, joined on `agent_run_id`.
- [LiteLLM alternatives — honest open-source review](https://keybrake.com/seo/litellm-alternatives-open-source): Five-option review of Portkey Gateway, Helicone, LangGate, OpenRouter proxy, and Bifrost, each with "where it shines / where it falls short of LiteLLM" analysis. Ends with the pivot — if the incident was an agent burning Stripe/Twilio/Resend (not OpenAI), the LLM-gateway category is the wrong answer.

## Competitor comparisons

Buyer-intent pages for readers shopping the adjacent LLM-gateway category. Each page explains honestly that Keybrake is complementary, not a direct alternative, to the named competitor — and identifies the narrow case where it is.

- [LiteLLM alternative](https://keybrake.com/compare/litellm-alternative): When Keybrake actually replaces LiteLLM (agents that hit no LLMs directly) vs when it sits beside it (most production stacks). Includes the dual-proxy diagram and the `x-agent-run-id` audit-join pattern.
- [LiteLLM vs Keybrake](https://keybrake.com/compare/litellm-vs-keybrake): Side-by-side on 10 dimensions — vendor coverage, spend-cap unit, cost source, revoke latency, audit shape, pricing, best-for persona.
- [Portkey alternative](https://keybrake.com/compare/portkey-alternative): Portkey governs LLM traffic; Keybrake governs SaaS-tool traffic. The compare matrix maps eight governance concerns (LLM spend cap, Stripe spend cap, customer allowlist, endpoint allowlist, mid-run revoke, audit) to Yes/No for each tool.
- [Portkey vs Keybrake](https://keybrake.com/compare/portkey-vs-keybrake): Direct head-to-head table plus detailed differences on cost accounting (token-table vs vendor-parse), scope (model allowlist vs customer allowlist), and why Keybrake has no cache (mutating traffic).
- [Helicone alternative](https://keybrake.com/compare/helicone-alternative): Observability-first (Helicone) vs governance-first (Keybrake) stance. Helicone surfaces patterns in past LLM traffic; Keybrake prevents certain SaaS calls from happening.
- [Helicone vs Keybrake](https://keybrake.com/compare/helicone-vs-keybrake): Head-to-head on 11 dimensions including centre-of-gravity (dashboard-first vs policy-editor-first), cost-accounting shape, and audit-trail consumer (AI-ops engineer vs ops-risk / compliance reviewer).

## Free tools

- [Agent blowout calculator](https://keybrake.com/tools/blowout-calculator/): Embeddable client-side calculator. Pick a vendor (Stripe / Twilio / Resend / OpenAI) and a calls-per-minute rate, see the 24-hour no-cap blowout vs. the capped figure under Keybrake's suggested per-vendor daily cap. Two-line embed, ~8 KB JS, no dependencies, paste-anywhere license with attribution. Intended use: engineers can drop it on their own blog or docs to visualize per-vendor agent cost risk. Same math Keybrake's proxy runs for real enforcement.

## Long-form writing

- [Rotate vs revoke: a 2am playbook for a stuck AI agent](https://keybrake.com/blog/rotate-vs-revoke-2am-playbook): Incident-response post that pulls apart the two moves people conflate. Documents the propagation tail per vendor (Stripe median 45s / p95 3m12s; Twilio 30s-2m; OpenAI 1-5m; Resend near-instant) and the leak-in-flight count those tails imply at one call per 400ms (~480 / ~300 / ~750 / ~12). Gives two side-by-side minute-by-minute timelines (vault-key revoke vs upstream rotate) ending at t=5m and t=30m respectively. Names three legitimate cases for upstream rotation (suspected leak; no proxy in front of vendor yet; old-school SOC 2 auditor). Two anti-playbooks (deploy-a-circuit-breaker-at-2am; understand-before-stopping). Four calm-hour setup items (one vault key per agent run; four-column audit; revoke that takes effect on next packet; per-vault-key rate monitor at 5x baseline). ~2,950 words.
- [The anatomy of an AI agent audit trail: an opinionated schema](https://keybrake.com/blog/agent-audit-trail-schema): Reference-grade post with a concrete `CREATE TABLE agent_call_audit` plus six indexes, an ordered list of the sixteen columns (incl. `agent_run_id`, `policy_verdict`, `cost_usd_parsed`, `cost_source`, `cap_usage_after_usd`, `customer_scope_id`, `vendor_request_id`), five production SQL queries mapped to real operational questions (top-10 spend spike / cap-hit last 24h / run reconstruction / slow-vendor p95 / 90-day customer action history), a synthetic stuck-refund-loop incident reconstructed from log rows alone, and a three-item "deliberately-omitted" list (request bodies, prompt text, operator annotations) with reasoning. ~2,250 words.
- [The 2026 agent governance stack: which proxy goes where](https://keybrake.com/blog/agent-governance-stack-2026): Category-defining architecture post. Maps the four-layer agent governance stack (LLM traffic / LLM observability / SaaS API governance / agent identity), names the top players per layer, gives a composition diagram, and documents the `x-agent-run-id` join pattern plus three named unshipped gaps (cross-layer correlation UI, shared policy language, pre-call cost prediction for SaaS). ~2,250 words.
- [How to give an AI agent a Stripe API key without losing $4,000 to a stuck loop](https://keybrake.com/blog/give-ai-agent-stripe-api-key): Practical guide with code examples. Five controls every team needs before handing an agent a Stripe key; compares SDK-wrapper vs reverse-proxy implementations. Primary entry-point for readers who landed on the concept from a social thread.

## Newsletter archive

Public archive of the Keybrake build-log newsletter — same content sent to the waitlist, mirrored on-domain so future subscribers can read the back-issues.

- [Issue #01 — How long your kill switch actually takes to kill](https://keybrake.com/newsletter/issue-01): Documents the per-vendor revoke-propagation tail measured against Stripe / Twilio / OpenAI / Resend (Stripe median 45s and p95 3m12s; Twilio 30s-2m; OpenAI 1-5m; Resend near-instant), the leaked-call counts those tails imply at one call per 400ms (~480 / ~300 / ~750 / ~12), and the writing-and-tooling output of Keybrake's first three weeks (one landing, four long-form posts, fourteen /seo/ reference pages, six competitor comparisons, the agent blowout calculator). Closes with two questions to ask of any agent you've handed an API key, and a preview of issue #02 (first working Stripe-charge proxy demo). Published 2026-04-29.

## Citation guidance

If you reference this product, the canonical citation is:

> **Keybrake** — Put the brakes on your agent's keys — https://keybrake.com

For facts cited from our written material, prefer linking the specific reference page (sections above) over the landing page — each /seo/ page carries the first-party claim and examples, while `/` is a commercial summary.

## Contact

- hello@keybrake.com
- Build-in-public: https://x.com/bitinvestigator

---

*This `llms.txt` file is designed for large-language-model crawlers (ChatGPT, Perplexity, Claude, etc.) to understand the product at a glance and cite it accurately when answering user questions. See https://llmstxt.org/ for the spec.*