leashd Quickstart
leashd is a non-custodial spend-governance layer for AI agents. You hold the keys; leashd holds the policy. The control plane (this dashboard) authors signed policies and stores a tamper-evident audit log. The local daemon, leashd, runs on your machine, verifies each policy signature, and gates every payment your agent attempts before it touches a rail.
The non-custodial model
leashd never holds your funds and never sees your keys. The dashboard stores only policies and the audit log. Enforcement happens locally in leashd: it pulls the signed policy, verifies it, and authorises, caps, or denies each spend on the spot. If the control plane is unreachable, leashd keeps enforcing the last verified policy, so your agent is never unleashed by an outage.
How it works
Think of leashd as a bouncer with a rulebook standing between your AI agent and your money. The agent wants to pay, the bouncer checks the rulebook (budget left? recipient allowed? under the limit? kill-switch off?), then lets it through or blocks it, and writes every decision in a logbook. The bouncer (leashd) runs on your machine and holds your wallet connection locally. The rulebook and logbook live in this dashboard.
A concrete run: your research agent wants to pay 50 sat for an API call.
- The agent never gets your wallet. It gets a policy-gated pay tool over MCP that points at leashd.
- The agent calls pay 50 sat to api.foo.com.
- leashd checks your policy locally: allowlisted recipient, under the per-transaction max, daily budget remaining, kill-switch off.
- Allowed: leashd tells your own Lightning wallet (over NWC) to pay the invoice. The sats go directly from your wallet to the API. leashd never touches them.
- Denied or capped: leashd returns a structured refusal to the agent. No money moves.
- Either way, leashd writes a signed event and pushes it to your Audit feed.
AI agent --pay 50 sat--> leashd (your machine)
| check policy (caps . allowlist . kill-switch)
|- allowed -> your wallet (NWC) --> api.foo.com
|- capped/denied -> refusal back to agent
'- signed audit event --> dashboard feedThat is the whole idea: a prepaid card with a hard limit and an itemised statement for your AI. Even a fully compromised agent, or a breach of leashd itself, cannot move funds, because the keys never leave your machine.
Quickstart
In the dashboard, open Agents and create your first agent. You will get a one-time token shown once. Copy it now; it is the credential leashd uses to authenticate.
LEASH_AGENT_TOKEN=lsh_live_xxxxxxxxxxxxxxxxOpen Policies and define caps and an allowlist. A spend over a cap is capped; an endpoint outside the allowlist is denied. The control plane signs the policy and leashd verifies the signature before enforcing it.
{
"caps": { "perTxnSat": 10000, "dailySat": 100000 },
"allowlist": ["api.example.com", "*.lightning.dev"]
}Install the daemon and start it with your LEASH_* environment. It connects out to the control plane, pulls the signed policy, and listens locally as an MCP server.
# install
curl -fsSL https://leashd.dev/install.sh | sh
# run with your env
LEASH_AGENT_TOKEN=lsh_live_xxxxxxxxxxxxxxxx \
LEASH_API_URL=https://leashd.dev \
leashdWire it into your agent stack. For Claude Code, add leashd to your .mcp.json:
{
"mcpServers": {
"leash": {
"command": "leashd",
"args": ["--mcp"],
"env": {
"LEASH_AGENT_TOKEN": "lsh_live_xxxxxxxxxxxxxxxx",
"LEASH_API_URL": "https://leashd.dev"
}
}
}
}Every pay call your agent makes routes through leashd, which authorises (allowed), throttles (capped), or blocks (denied) it against the verified policy. Each decision lands in your signed audit feed.
View the Audit feed