90-second SatGate proof

Run authority proof: allow, deny, revoke, then inspect the Evidence Pack.

This public proof path is deterministic and uses the same sample Evidence Pack shown in the viewer. It is a buyer-comprehension demo, not a production-promotion claim.

Caveat: budget-before-upstream here is a response-shape proof path. Do not describe it as keyed upstream counter/log-delta proof unless that instrumentation is added separately.

1 · No authority

HTTP 401
decision
denied
reason
DEFAULT_PROTECTION: no capability token presented
route/tool
/v1/invoices/search
budget impact
No budget consumed
receipt
rcpt_demo_unauth_001

2 · Scoped authority issued

capability minted
decision
issued
reason
tenant=acme-finance; scope=/v1/invoices/*; budget<=3.00 USD
route/tool
agent:invoice-reconciler-worker
budget impact
3.00 USD delegated budget
receipt
rcpt_demo_001 / rcpt_demo_002

3 · Allowed action

HTTP 200
decision
allowed
reason
allowed_under_policy
route/tool
mcp:invoices.search
budget impact
0.18 USD spent; 2.82 USD remaining
receipt
rcpt_demo_003

4 · Out-of-scope denial

HTTP 403
decision
blocked
reason
scope_violation:no_customer_data_export
route/tool
/v1/invoices/export
budget impact
No export spend allowed
receipt
rcpt_demo_006

5 · Budget denial

HTTP 402
decision
blocked
reason
budget_exhausted
route/tool
/v1/invoices/reconcile
budget impact
0.78 / 3.00 USD spent; remaining shown as 0.00 after denial
receipt
rcpt_demo_007

6 · Revoke / replay denial

HTTP 401/403
decision
blocked
reason
capability_revoked
route/tool
mcp:invoices.search
budget impact
No additional spend after revoke
receipt
rcpt_demo_008 / rcpt_demo_009

7 · Proof artifact exported

Evidence Pack ep_demo_2026_05_10_001 links every receipt and explains the policy, subject, tenant, route/tool, budget state, receipt chain, hash, and demo signature caveat.

Watch SatGate Stop Unauthorized Spend

Two scenarios CFOs care about: a rogue agent gets denied at the next governed request, and an agent hits its budget ceiling and stops — before the bill arrives.

Ready to simulate

Click "Run Simulation" to watch SatGate enforce access controls in real-time.

FAQ

SatGate demo questions

What does the SatGate demo demonstrate?

The demo page collects the SatGate demo path: Mint for scoped authority, Capability Control for scope/delegation/revocation, Spend Control for budget enforcement, and Paid-Rails for governed payment context.

How does SatGate stop unauthorized agent spend?

SatGate checks each agent request against identity, capability-token caveats, budget, policy, and revocation state before forwarding the request upstream.

Is the demo for AI agent cost control or security?

Both. SatGate treats spend as an enforceable security boundary, combining scoped authority, revocation, audit, and budget limits into an economic firewall for AI agents.

This was a deterministic public proof demo. The production path still requires a separate promotion decision.