leashd
DocsFAQCommunityGitHubGet started

Bitcoin-only. Non-custodial. MCP-native.

Give your AI agents money.
Keep them on a leash.

You hold the keys. leashd holds the policy. A non-custodial spend-governance layer for autonomous agents: budget caps, scoped credentials, allowlists, immutable audit, and a graded kill-switch over Bitcoin Lightning and Cashu ecash. Bitcoin only.

Install leashdView on GitHub
leashd: audit feed
  • agent:research-botpay 2,000 sat→ api.foo.com
    ALLOWwithin daily cap
  • agent:research-botpay 50,000 sat→ api.foo.com
    DENIEDdaily cap 20,000 sat exceeded
  • agent:scraper-7pay 8,500 sat→ mint.cashu.space
    CAPPEDrate limit, queued

An agent with an open wallet is a liability

Agents now discover services, buy compute, and pay other agents on their own. Hand one an unconstrained wallet and three failure modes become catastrophic.

Prompt-injection drain

A poisoned tool description or hostile web page convinces an agent to pay an attacker. With an unbounded wallet, that is your whole balance gone.

Runaway loops

An agent stuck in a retry loop can fire thousands of micropayments before anyone notices. Probabilistic guardrails do not stop deterministic spend.

No audit trail

When money moves autonomously, you need a verifiable record of which agent paid whom, for how much, and why. Most setups have none.

What is leashd?

leashd is a deterministic gate between your agent and the rail. Policy is evaluated before settlement, locally, and cannot be bypassed by prompt manipulation. The free open-source leashd runs on your own machine, holds the wallet connection locally, and enforces every rule. Your keys and seed never leave your machine and never reach the control plane, which only authors signed policy and aggregates a tamper-evident audit trail.

Read the full quickstart to see how it plugs into your stack.

How it works

A bouncer with a rulebook, standing between your agent and your money.

A network diagram over a stylized world map: an AI agent sends a payment request to the central leashd policy gate, which checks caps, allowlist, and rate limits, then settles over Lightning or Cashu ecash, while writing a signed entry to the audit log.
  1. 01

    Agent requests a payment

    Your agent calls a policy-gated pay tool over MCP. It never holds your wallet.

  2. 02

    leashd checks the policy

    Caps, allowlist, rate limits, and kill-switch are evaluated locally before any money moves.

  3. 03

    Decision is recorded

    Allow, cap, or deny. Either way a signed event lands in your audit feed.

Read the docs

A deterministic gate between your agent and the rail

Policy is evaluated before settlement, locally, and cannot be bypassed by prompt manipulation.

A wallet meter with a green bar capping a flow of sats at a hard limit.

Budget caps

Per-task, rolling hourly, daily, and monthly limits, plus a per-transaction maximum. Hit the cap and the next payment is denied, deterministically.

A leash collar and a scoped key beside a green kill-switch toggle.

Scoped control

Bind agents to spend-limited, revocable rail credentials with explicit scopes, then pull a graded kill-switch the moment something looks wrong. Keys never enter the agent sandbox or the LLM context.

A terminal log feed showing green allow and red deny lines in an append-only ledger.

Immutable audit trail

An append-only, signed, exportable event log of every decision. Designed for EU AI Act Article 12 logging requirements.

A Lightning bolt and a Cashu ecash coin routed through a single green checkpoint.

Bitcoin-only, multi-rail

Bitcoin Lightning and L402, plus Cashu ecash. No EVM, no stablecoins, no shitcoins. Bind rails with priority and fall back when one is unavailable.

Plus the controls you reach for in production

Allowlists

Restrict spend to known endpoints, domains, Lightning addresses, and Cashu mints. An unlisted recipient is rejected atomically.

Rate limits

Transactions per minute and per hour, capping burst spend before it compounds.

Time windows

Define exactly when an agent may spend at all. Outside the window, every request is denied.

Graded shutdown

A dimmer, not a switch: attenuate scope to read-only, drop high-risk tools, escalate approvals, then capture state and quarantine so no orphaned sub-agent keeps spending.

MCP-native

leashd ships as an MCP server exposing a policy-gated pay tool. Drop it into Claude Code or any MCP host.

You hold the keys. leashd holds the policy.

This is non-custodial software. It sits in the policy path, not the custody path. leashd is not a bank, exchange, or money transmitter.

Your keys stay yours

Keys and seeds never leave your machine and never reach the control plane. leashd connects to your wallet locally: a revocable Lightning connection, or a dedicated agent wallet you fund. Settlement is between your wallet and the counterparty.

leashd always runs locally

The agent that holds rail credentials and moves money runs on your own machine, in both the hosted and self-hosted setup. The control plane only signs policy and aggregates audit; it never sees a credential.

Compromise-resistant

Even a total compromise of the platform cannot move your funds, because the platform never holds the keys that can.

Open core. Start free.

leashd is free and open source, and always runs on your own machine. Self-host the control plane too, or let us run it: the hosted control plane saves you the infra, distributes one signed policy across a fleet, aggregates every audit feed, and adds team roles and alerting, all with zero custody risk, because keys never leave your machine. The Free tier ships today. Pro and Team are on the roadmap.

Free

$0

Open-source leashd, plus one workspace on the control plane.

  • leashd, open source, self-hosted
  • 1 workspace
  • Core policy: caps, scope, rate limits, kill-switch
  • 7-day audit retention
Start free

Pro

Roadmap

Coming soon

For developers running serious agent swarms.

  • More agents per workspace
  • Long audit retention and export
  • Approval workflows
  • Alerting on policy events
Get notified

Team

Roadmap

Coming soon

Shared policy and audit across a team.

  • Everything in Pro
  • Team members and roles
  • Workspace-wide policy
  • Aggregated audit across agents
Get notified

Get started in three steps

Open core. leashd is free and open source. The hosted control plane has a paid tier.

  1. 01

    Create a workspace and agent in the dashboard. Copy the one-time token.

    LEASH_AGENT_TOKEN=lsh_live_...
  2. 02

    Set a policy: caps, allowlist, rate limits. The control plane signs it.

    { "caps": { "dailySat": 100000 } }
  3. 03

    Install and run leashd. It verifies the policy and gates every spend.

    curl -fsSL leashd.dev/install.sh | sh
Get startedRead the docs
leashd

Non-custodial spend governance for autonomous AI agents.

Donate sats
Product
DocsFAQGet started
Project
GitHubCommunity
Legal
PrivacyTerms

Built by BrainBytes Studio, an indie solo-dev shop.