Stripe · AI agents · Spend control
AI agent Stripe spend cap: enforcing per-run dollar limits
Stripe gives you a secret key. Restricted keys limit which endpoints an agent can reach. Neither gives you a "$200/day maximum" that fires before the charge reaches Stripe. This page covers what Stripe natively offers, where it stops, and the proxy pattern that enforces a real per-agent spend cap — rejecting the call before it hits the payment processor, not after the bill arrives.
TL;DR
Stripe's Radar rules and Dashboard alerts fire after charges happen. Restricted keys limit endpoint access but not dollar volume. The only way to enforce a per-agent daily cap that rejects a charge before it hits Stripe is a proxy layer that tracks the running total per vault key and returns a 429 when the cap is reached. With a vault key policy of "daily_usd_cap": 250, the proxy aborts the call at $250.01 — no charge created, no refund needed.
What Stripe's native tools do (and don't do)
Before reaching for a proxy, it's worth understanding what Stripe actually offers for spend control, because it's genuinely useful — just not for the per-agent case.
| Stripe control | What it does | Per-agent cap? | Pre-charge enforcement? |
|---|---|---|---|
| Restricted API keys | Limits which endpoints the key can access (e.g. allow payment_intents.create, deny refunds.create) |
No — endpoint-scoped, not dollar-scoped | Yes (rejects unauthorized endpoints) |
| Radar rules | Block or review charges that match fraud patterns (card country, velocity, amount threshold) | No — Radar sees individual charges, not agent-run context | Partial — fires at charge creation, not before API call |
| Dashboard spend alerts | Email alert when monthly volume crosses a threshold | No — account-level, not per-key or per-agent | No — fires after charges are already created |
| Stripe Billing usage alerts | Notify when a subscription customer's metered usage crosses a threshold | No — for your customers, not for your agent's API usage | No — after usage is recorded |
None of these let you say "this specific agent run may spend at most $250 on Stripe today." That's the gap a proxy layer fills.
How a proxy-layer spend cap works
The proxy sits between your agent code and api.stripe.com. Your agent holds a vault key instead of the real Stripe secret. On each request:
- The proxy authenticates the vault key.
- It checks the policy attached to that vault key:
daily_usd_cap,allowed_endpoints,expires_at. - It parses the request body to estimate the charge amount (for
payment_intents.create, this is theamountfield in cents). - It compares the running total for this vault key today against the cap. If adding this charge would exceed the cap, it rejects with
429— before the request ever leaves to Stripe. - If within the cap, it forwards the request with the real Stripe key, logs the response (including the
amountparsed from the response body), and updates the running total.
The one-line change in your agent code:
# Before
stripe.api_key = os.environ["STRIPE_SECRET_KEY"]
# After: vault key + proxy base URL
stripe.api_key = os.environ["VAULT_KEY"] # vault_key_xxx
stripe.base_url = "https://proxy.keybrake.com/stripe/v1"The vault key policy you configure once in your Keybrake dashboard (or via the API):
{
"vendor": "stripe",
"daily_usd_cap": 250,
"allowed_endpoints": [
"POST /v1/payment_intents",
"POST /v1/charges",
"GET /v1/customers/*"
],
"expires_in": "24h",
"label": "billing-agent-prod"
}What "pre-charge enforcement" actually buys you
The critical difference between pre-charge and post-charge enforcement is refund exposure. If a Radar rule fires after a charge is created, Stripe has already moved money. Reversing a charge means a refund with a Stripe fee that's typically non-refundable (the processing fee stays with Stripe). Pre-charge enforcement means the call is rejected before money moves — no charge, no refund, no fee.
For a stuck agent loop creating 50 charges at $50 each ($2,500 total), pre-charge enforcement stops at charge 5 ($250 cap). Post-charge enforcement catches it at $2,500 — and then you spend the next hour issuing 50 refunds, paying Stripe's non-refundable processing fee on each.
Per-agent vs. per-account caps
Most teams initially reach for account-level controls (Stripe Dashboard alerts, Radar rules). The problem with account-level caps for multi-agent architectures is granularity: if you have five agents all using the same Stripe account, an account-level cap of $1,000/day is shared across all five. Agent #3 going haywire consumes the entire daily budget for agents #1, #2, #4, and #5.
Per-vault-key caps give each agent run its own independent budget. Agent #3's cap is daily_usd_cap: 200. If it runs to exhaustion, the other four agents are unaffected — they each have their own vault keys with their own caps.
How Keybrake fits
Keybrake is the proxy. You issue vault keys per agent or per agent run, set a daily_usd_cap (and an endpoint allowlist, an expiry, and a human-readable label), and swap the base URL in your Stripe SDK. Spend caps on Stripe, Twilio, and Resend are enforced before calls reach the vendor. The Free tier covers 1,000 proxied requests/month; Hobby ($29/month) adds all three vendors, higher limits, and email alerts on cap breach.
Related questions
Does the daily cap reset at midnight UTC?
Yes — by default, daily_usd_cap resets at midnight UTC. You can also configure a rolling 24-hour window instead of a calendar day, which is useful for agents that run on non-UTC schedules. The current cap usage for a vault key is returned in the X-Keybrake-Cap-Used response header on every proxied call, so your agent code can check remaining budget before triggering expensive operations.
What if the same agent needs to call Stripe twice in one request?
The proxy enforces the cap per individual Stripe API call, not per agent turn. If your agent issues two payment_intents.create calls in the same reasoning step, each one is checked and counted independently. The daily total accumulates across all calls within that vault key's 24-hour window. This is the correct granularity — you want to catch the second charge in a double-charge scenario, not just the first.
Can I cap Twilio and Resend the same way?
Yes. Keybrake proxies Stripe, Twilio, and Resend with the same vault key / policy model. The daily_usd_cap for Twilio counts SMS cost (parsed from the Twilio API response price field). For Resend, the cap counts against a per-email rate you configure (Resend's API doesn't return cost inline, so you set a fixed per-call cost in the policy). You can issue a vault key that covers all three vendors under one cap, or separate vault keys per vendor — your choice.
Further reading
- Why your Stripe restricted key probably isn't restricted enough — deep dive on the three gaps restricted keys leave open beyond spend caps.
- Stripe API key with restricted access — what endpoint restrictions cover and the ten agent use cases where they're still not enough.
- AI agent kill switch patterns — vault key revoke vs. key rotation vs. circuit breakers: latencies and trade-offs.
- Budget alerts for AI agents — the four alert patterns ranked by how late they fire and which ones actually prevent damage.