Non-custodial. MCP-native. BTC-first.
Give your AI agents money.
Keep them on a leash.
A non-custodial spend-governance layer for autonomous agents. Budget caps, scoped credentials, allowlists, immutable audit, and a graded kill-switch over Bitcoin Lightning and stablecoin rails. You hold the keys. leashd holds the policy.
- agent:research-botpay 2,000 sat→ api.foo.comALLOWwithin daily cap
- agent:research-botpay 50,000 sat→ api.foo.comDENIEDdaily cap 20,000 sat exceeded
- agent:scraper-7pay 8,500 sat→ mint.cashu.spaceCAPPEDrate limit, queued
What is leashd?
leashd is a deterministic gate between your agent and the rail. Policy is evaluated before settlement, locally, and cannot be bypassed by prompt manipulation. The free open-source sidecar, leashd, runs on your own machine, holds the wallet connection, and enforces every rule. It never touches your funds or keys. The hosted control plane authors signed policy and aggregates a tamper-evident audit trail.
Read the full quickstart to see how it plugs into your stack.
How it works
A bouncer with a rulebook, standing between your agent and your money.
- 01
Agent requests a payment
Your agent calls a policy-gated pay tool over MCP. It never holds your wallet.
- 02
leashd checks the policy
Caps, allowlist, rate limits, and kill-switch are evaluated locally before any money moves.
- 03
Decision is recorded
Allow, cap, or deny. Either way a signed event lands in your audit feed.
A deterministic gate between your agent and the rail
Policy is evaluated before settlement, locally, and cannot be bypassed by prompt manipulation.
Budget caps
Per-task, rolling hourly, daily, and monthly limits, plus a per-transaction maximum. Hit the cap and the next payment is denied, deterministically.
Scoped credentials
Bind agents to spend-limited, revocable rail credentials. Keys never enter the agent sandbox or the LLM context.
Allowlists
Restrict spend to known endpoints, domains, Lightning addresses, and Cashu mints. An unlisted recipient is rejected atomically.
Rate limits
Transactions per minute and per hour, with time windows that say when an agent may spend at all.
Graded shutdown
Not a binary kill switch. A dimmer: attenuate scope to read-only, drop high-risk tools, escalate approvals, then capture state and quarantine so no orphaned sub-agent keeps spending.
Immutable audit trail
An append-only, signed, exportable event log of every decision. Designed for EU AI Act Article 12 logging requirements.
Multi-rail
Bitcoin Lightning and L402, Cashu ecash, and stablecoin over x402. Bind rails with priority and fall back when one is unavailable.
MCP-native
leashd ships as an MCP server exposing a policy-gated pay tool. Drop it into Claude Code or any MCP host.
You hold the keys. leashd holds the policy.
This is non-custodial software. It sits in the policy path, not the custody path. leashd is not a bank, exchange, or money transmitter.
You hold the keys
leashd never takes custody of your funds and never holds your private keys. Settlement happens on your own rail, between your wallet and the counterparty.
leashd runs locally
Rail connections and secrets stay on your machine. The hosted control plane signs policy and aggregates audit; it never sees a credential.
Compromise-resistant
Even a total compromise of the platform cannot move your funds, because the platform never holds the keys that can.
Get started in three steps
Open core. The sidecar is free and open source. The hosted control plane has a paid tier.
- 01
Create a workspace and agent in the dashboard. Copy the one-time token.
LEASH_AGENT_TOKEN=lsh_live_... - 02
Set a policy: caps, allowlist, rate limits. The control plane signs it.
{ "caps": { "dailySat": 100000 } } - 03
Install and run leashd. It verifies the policy and gates every spend.
curl -fsSL leashd.dev/install.sh | sh