Bitcoin-only. Non-custodial. MCP-native.
Give your AI agents money.
Keep them on a leash.
You hold the keys. leashd holds the policy. A non-custodial spend-governance layer for autonomous agents: budget caps, scoped credentials, allowlists, immutable audit, and a graded kill-switch over Bitcoin Lightning and Cashu ecash. Bitcoin only.
- agent:research-botpay 2,000 sat→ api.foo.comALLOWwithin daily cap
- agent:research-botpay 50,000 sat→ api.foo.comDENIEDdaily cap 20,000 sat exceeded
- agent:scraper-7pay 8,500 sat→ mint.cashu.spaceCAPPEDrate limit, queued
An agent with an open wallet is a liability
Agents now discover services, buy compute, and pay other agents on their own. Hand one an unconstrained wallet and three failure modes become catastrophic.
Prompt-injection drain
A poisoned tool description or hostile web page convinces an agent to pay an attacker. With an unbounded wallet, that is your whole balance gone.
Runaway loops
An agent stuck in a retry loop can fire thousands of micropayments before anyone notices. Probabilistic guardrails do not stop deterministic spend.
No audit trail
When money moves autonomously, you need a verifiable record of which agent paid whom, for how much, and why. Most setups have none.
What is leashd?
leashd is a deterministic gate between your agent and the rail. Policy is evaluated before settlement, locally, and cannot be bypassed by prompt manipulation. The free open-source leashd runs on your own machine, holds the wallet connection locally, and enforces every rule. Your keys and seed never leave your machine and never reach the control plane, which only authors signed policy and aggregates a tamper-evident audit trail.
Read the full quickstart to see how it plugs into your stack.
How it works
A bouncer with a rulebook, standing between your agent and your money.
- 01
Agent requests a payment
Your agent calls a policy-gated pay tool over MCP. It never holds your wallet.
- 02
leashd checks the policy
Caps, allowlist, rate limits, and kill-switch are evaluated locally before any money moves.
- 03
Decision is recorded
Allow, cap, or deny. Either way a signed event lands in your audit feed.
A deterministic gate between your agent and the rail
Policy is evaluated before settlement, locally, and cannot be bypassed by prompt manipulation.
Budget caps
Per-task, rolling hourly, daily, and monthly limits, plus a per-transaction maximum. Hit the cap and the next payment is denied, deterministically.
Scoped control
Bind agents to spend-limited, revocable rail credentials with explicit scopes, then pull a graded kill-switch the moment something looks wrong. Keys never enter the agent sandbox or the LLM context.
Immutable audit trail
An append-only, signed, exportable event log of every decision. Designed for EU AI Act Article 12 logging requirements.
Bitcoin-only, multi-rail
Bitcoin Lightning and L402, plus Cashu ecash. No EVM, no stablecoins, no shitcoins. Bind rails with priority and fall back when one is unavailable.
Plus the controls you reach for in production
Allowlists
Restrict spend to known endpoints, domains, Lightning addresses, and Cashu mints. An unlisted recipient is rejected atomically.
Rate limits
Transactions per minute and per hour, capping burst spend before it compounds.
Time windows
Define exactly when an agent may spend at all. Outside the window, every request is denied.
Graded shutdown
A dimmer, not a switch: attenuate scope to read-only, drop high-risk tools, escalate approvals, then capture state and quarantine so no orphaned sub-agent keeps spending.
MCP-native
leashd ships as an MCP server exposing a policy-gated pay tool. Drop it into Claude Code or any MCP host.
You hold the keys. leashd holds the policy.
This is non-custodial software. It sits in the policy path, not the custody path. leashd is not a bank, exchange, or money transmitter.
Your keys stay yours
Keys and seeds never leave your machine and never reach the control plane. leashd connects to your wallet locally: a revocable Lightning connection, or a dedicated agent wallet you fund. Settlement is between your wallet and the counterparty.
leashd always runs locally
The agent that holds rail credentials and moves money runs on your own machine, in both the hosted and self-hosted setup. The control plane only signs policy and aggregates audit; it never sees a credential.
Compromise-resistant
Even a total compromise of the platform cannot move your funds, because the platform never holds the keys that can.
Open core. Start free.
leashd is free and open source, and always runs on your own machine. Self-host the control plane too, or let us run it: the hosted control plane saves you the infra, distributes one signed policy across a fleet, aggregates every audit feed, and adds team roles and alerting, all with zero custody risk, because keys never leave your machine. The Free tier ships today. Pro and Team are on the roadmap.
Free
$0
Open-source leashd, plus one workspace on the control plane.
- leashd, open source, self-hosted
- 1 workspace
- Core policy: caps, scope, rate limits, kill-switch
- 7-day audit retention
Pro
RoadmapComing soon
For developers running serious agent swarms.
- More agents per workspace
- Long audit retention and export
- Approval workflows
- Alerting on policy events
Team
RoadmapComing soon
Shared policy and audit across a team.
- Everything in Pro
- Team members and roles
- Workspace-wide policy
- Aggregated audit across agents
Get started in three steps
Open core. leashd is free and open source. The hosted control plane has a paid tier.
- 01
Create a workspace and agent in the dashboard. Copy the one-time token.
LEASH_AGENT_TOKEN=lsh_live_... - 02
Set a policy: caps, allowlist, rate limits. The control plane signs it.
{ "caps": { "dailySat": 100000 } } - 03
Install and run leashd. It verifies the policy and gates every spend.
curl -fsSL leashd.dev/install.sh | sh