Economic Access Control — the security primitive for the agent economy

Know what your AI agents
are spending.

Control agent spend at the request layer. Every API call is verified, attributed, and governed — before it hits your upstream.

Not “who are you?” — “what can you afford?” Drop-in gateway. Connect in ~5 minutes.

Start Free Try the Sandbox

Open source — GitHub Sub-ms verification overhead Design partners in pilot Security model →

hero_demo.py — Live Demo

🚗💨 EZ Pass — live metering

Agents badge in once. Every request — verified, metered, budget-enforced.

See how it works

Default Protection + Economic Policies

Protection is the foundation. Choose your economic policy per route.

DEFAULT PROTECTION

Cryptographic Capability Verification

Always-on for non-PUBLIC routes

Every protected route requires valid credentials (Macaroons). Capabilities, caveats, delegation, and revocation—built into the protocol, not bolted on.

✓ Capabilities + Caveats✓ Delegation chains✓ Instant revocation✓ Tamper-evident audit

FREE

Protected by default →

Observe

verify → allow → meter/log

Perfect for audit logs and FinOps visibility.

✓ Usage attribution by team
✓ Cost center tagging
✓ Zero latency impact

PRO

Protected by default →

Control

verify → enforce budget → allow

Enforce strict budgets and spending caps.

✓ Real-time budget enforcement
✓ Works with Stripe, ERP — no crypto required
✓ Per-agent spending caps

PRO

Protected by default →

Charge

verify → payment proof → allow

Monetize via L402 Lightning payments.

✓ Bitcoin Lightning (instant)
✓ Per-request pricing
✓ Agent-native payments

PUBLIC is the explicit opt-out for probes (/healthz), docs, and webhooks. Everything else is protected by default.

See full pricing details →

🚗💨 THE EZ PASS FOR API TRAFFIC

Badge in once. Fly through every gate.

Agents get a credential at startup — like mounting an EZ Pass. Every request after that flows through the gateway: verified, metered, no slowdowns.

Agent StartsK8s / AWS / OIDC

→

MintBadge in (once)

→

EZ PassCapability token

→

Toll GateVerify · Meter · Budget

→

UpstreamYour API

No identity lookups on the hot path. No per-request auth round-trips. Just cryptographic verification at wire speed.

Where It Fits

Three deployment modes. Drop-in. No rip-and-replace.

STANDARD

CDN / WAF

↓

SatGate

↓

Your API

REST, GraphQL, any HTTP endpoint

SIDECAR

Existing Gateway

↓

Legacy traffic

↓

SatGate

↓

Your APIs

Route only agent traffic through SatGate

MCP PROXY

AI Agents

↓

SatGate MCP Proxy

↓

MCP Servers / Tools

Per-tool budgets, delegation trees

How It Works

Four steps to protect your API. No code changes required.

Pick Your Policy

Define routes with economic policies. PUBLIC for probes/docs, protected for everything else.

routes:
  - path: /healthz
    policy: public
  - path: /v1/*
    policy: observe
  - path: /premium/*
    policy: charge

Apply Config

Apply when ready. Version history + audit log. Rollback if needed.

v3 (applied) ← current
v2 (available)
v1 (available)

Audit: who, when, diff

Point Your DNS

Use *.satgate.cloud or your custom domain. Traffic flows through SatGate.

# Your domain
api.yoursite.com
  CNAME → satgate.cloud

# Or use ours
yourapp.satgate.cloud

See Verified Traffic

Real-time: verified vs challenged. Enable Charge policy when ready for revenue.

Verified:   1,203 requests
Challenged: 12,847 (402s)
Metered:    $847 usage

→ Enable Charge policy?