Your AI agent just burned $500 overnight calling Google Search in a loop. You found out when the bill arrived. Sound familiar?
If you're running Claude Code, Cursor, or Claude Desktop with MCP tools, you've probably had a version of this moment. Maybe it was $50, maybe $5,000. The pattern is always the same: an agent gets stuck, loops on a tool call, and your API bill explodes while you sleep.
There's a fix. And it doesn't involve monitoring dashboards, Slack alerts, or hoping you catch it in time.
The Problem: MCP Has No Credit Card Limit
The Model Context Protocol is brilliant at what it does: giving AI agents structured access to tools. Search engines, databases, code execution, image generation — MCP makes it all available through a clean JSON-RPC interface.
What MCP doesn't do is care about cost. Every tools/call request flows through to the upstream server with no budget awareness whatsoever. The spec has no concept of "you've spent too much" or "stop here."
This creates a specific, expensive failure mode:
- Agent loops — A stuck agent can make thousands of tool calls before anyone notices. Each call costs real money: API credits, compute, tokens.
- No built-in limits — The MCP spec includes no budget, quota, or cost mechanism. It's a capability protocol, not an economic one.
- Rate limits don't help — Rate limits protect servers from overload. They don't protect your wallet from a runaway agent staying within rate limits but burning money for hours.
- Manual monitoring is reactive — By the time you check a dashboard or get a Slack alert, the damage is done.
💸 Real scenario: A developer left Claude Code running overnight with a web search MCP server. The agent hit a reasoning loop, called brave_search 3,200 times in 6 hours. Cost: $480 in API credits. The agent was technically working — just not productively.
The Solution: Economic Governance at the Protocol Level
SatGate MCP Proxy sits between your MCP client and your MCP servers. It intercepts every tools/call, tracks cost in real-time, and enforces hard budget caps — not soft alerts, not warnings, actual enforcement.
When the budget is exhausted, the proxy returns HTTP 402 Payment Required. The agent receives a clean "Budget exceeded" message and stops. No infinite loops. No surprise bills.
The enforcement mechanism uses L402 macaroons — cryptographic tokens with embedded budget constraints. Unlike API keys (which grant unlimited access until revoked), a macaroon can encode: "This agent can spend up to $5 on search tools, expiring in 1 hour." The constraints are baked into the token itself and verified on every call.
The Governance Gap
Here's what changes when you add economic governance to MCP:
| Feature | Standard MCP | SatGate-Enabled MCP |
|---|---|---|
| Budget Enforcement | Faith-based (wait for bill) | Real-time hard caps |
| Cost Attribution | Aggregate (one big bill) | Per-tool, per-agent |
| Access Control | Static API keys | Attenuated macaroons |
| Visibility | Post-mortem logs | Live economic telemetry |
| Agent Loops | Infinite spend potential | Automated kill-switch |
How It Works
Architecture
The proxy is transparent to both sides. Your MCP client thinks it's talking to the server. The server thinks it's talking to the client. SatGate sits in the middle, enforcing policy.
┌─────────────┐ ┌──────────────────┐ ┌────────────────┐
│ Claude Code │────▶│ SatGate Proxy │────▶│ MCP Server │
│ Cursor │◀────│ │◀────│ (search, db…) │
│ Claude │ │ ✓ Budget check │ │ │
│ Desktop │ │ ✓ Cost tracking │ │ │
│ │ │ ✓ 402 on limit │ │ │
└─────────────┘ └──────────────────┘ └────────────────┘Configuration
Point your MCP client to SatGate instead of directly to the upstream server. Here's an example for Claude Desktop:
{
"mcpServers": {
"search": {
"command": "satgate-proxy",
"args": [
"--upstream", "npx @anthropic/mcp-server-brave-search",
"--budget", "500",
"--budget-window", "1h",
"--cost-per-call", "5"
]
}
}
}That's it. Your agent now has a hard cap of 500 sats per hour on search calls. No code changes. No agent modifications.
What Happens on Each Tool Call
- Intercept — Proxy receives the
tools/callJSON-RPC request - Resolve cost — Looks up the tool name in the cost table (exact match or wildcard)
- Check budget — Compares accumulated spend against the macaroon's budget caveat
- Forward or reject — If within budget: forward to upstream, debit cost. If over budget: return 402 with a clear error message
// What the agent sees when budget is exhausted:
{
"jsonrpc": "2.0",
"error": {
"code": -32000,
"message": "Budget exceeded: 500/500 sats used. Reset in 23m."
}
}The agent receives a clean error, stops calling the tool, and continues with other work. No crash, no hang — just a boundary.
Macaroon Delegation
This is where it gets powerful. L402 macaroons support attenuation — you can take a token and add restrictions to it, but never remove them. This lets you create delegation chains:
# Create a root macaroon with $10 budget
satgate token create --budget 1000 --tools "web_search,database_query"
# Delegate to an agent: $5 budget, expires in 1 hour
satgate token attenuate <root-token> \
--max-budget 500 \
--expires 1h \
--tools "web_search"
# Result: agent can spend up to $5 on web_search only, for 1 hour
# No way to escalate beyond these constraintsGive your coding agent a tight budget for search. Give your research agent more for database access. Each gets exactly the permissions and budget they need — cryptographically enforced.
Getting Started
☁️ SatGate Cloud
Managed proxy — deploy in minutes, no infrastructure to manage.
🔧 Self-Hosted
Open-source proxy — run it on your own infrastructure.
📊 ROI Calculator
Calculate how much you're losing to uncontrolled agent spend.
MCP is powerful. But power without governance is just risk. SatGate adds the economic guardrails that let you deploy agents with confidence — and a budget.