Developer guide

MCP Payment Channels & Agent Security Model

HTTP 402 micropayment channels, spend caps, fail-closed WARDEN firewall, and threat model for third-party MCP tools in autonomous agents.

Status: draft · Owner: ecosystem · Depends on: AIMarketEscrow (Base), AIMarket Hub v2, the Oracle Gateway

How a capability invoked through the MCP gateway gets paid, end to end, and the threat model

+ mandatory controls. Grounded in the live escrow (debitChannel/settleChannel/refundChannel/

expireChannel), the Hub (signed receipts + signed /.well-known + signed /ai-market/v2/prices),

and the gateway.

1. Two payment models (different trust)

ModelKey custodyFlowUse when
Local stdio *(default)*The payer key lives on the user's machine (the MCP server is spawned locally by Claude Desktop/Cursor). The gateway signs DebitAuthorizations locally — the key never leaves the machine.open channel → per call: hub quotes price_usd → gateway signs EIP-712 debit (tight deadline) → hub debitChannel → signed receipt → settle/refund on close.dev, single agent, agent holds its own wallet. Same trust domain as the agent.
Remote / hostedNo custody. Agent deposits on-chain and pre-authorizes spend (debit vouchers bounded by a ceiling); the gateway only relays signed vouchers.agent approves USDC + pre-signs bounded vouchers → gateway relays per call, never exceeding the ceiling → settle/expiry.shared/hosted gateway; the gateway must never hold a user key.

Default = local stdio (the MCP server already runs locally). The remote model is for a hosted gateway and must use pre-signed, bounded vouchers — never custody.

2. Channel lifecycle (what an agent experiences)

  1. Approve USDC to the escrow + openChannel(channelId, USDC, deposit) — a small float (MIN $1).
  2. Per call: invoke {capability_id, input, X-Payment-Channel} → hub returns price_usd + signed receipt.
  3. Debit: depositor signs EIP-712 DebitAuthorization{channelId, hub, token, amount(6dp), receiptId, nonce, deadline}; hub debitChannel. receiptId single-use, nonce increments, first debit binds the hub.
  4. Settle on close/low-balance/timer: settleChannel → used→hub, refund→depositor.
  5. Recovery: refundChannel (pre-debit), or permissionless expireChannel after 24h. No admin freeze/seize — funds are always recoverable.

USD→token: prices are advertised in USD; the debit amount is USDC 6-dp (round(usd * 1e6)); the signed receipt's price_usd is authoritative.

3. Threat model & mandatory controls

From an adversarial red-team across three vectors. C = client/gateway-enforceable, P = protocol/contract, O = ops/governance.

3a. Key custody & prompt-injection-driven drain (the #1 MCP-specific risk)

An MCP tool call is driven by an LLM that can be manipulated (malicious tool output / injected content) into spending. Mitigations:

3b. On-chain payment integrity

3c. Stuck funds & griefing

4. What this spec ships now vs later

5. Acceptance criteria