Frequently Asked Questions About AgentPMT

No. The Credential Vault stores every credential encrypted at rest on AgentPMT servers and injects it server-side at the moment the outbound request leaves for the upstream API. The agent sees the endpoint name and the response, never the raw key, token, or password.

This is enforced by the connected-API builder: every endpoint must select an injection target (header, body, or query parameter) before it can be saved, and the credential value is bound once and never re-emitted to the agent context or the agent memory.

The easiest way is to download our MCP server and installer. You can find the instructions here - Integrate Your Agent You can also make calls to the tools through Rest API.

Create a free account and then go to your dashboard. Click 'Request Vendor Access'. You can create up to five tools in the starter tier. To create additional tools, upgrade your account to one of our advanced tiers.

Open the Control Center tab of your dashboard. Agent Guardrails lists every agent with a pause toggle, a spend cap, and a tool allowlist. Workflow Usage lists every active workflow and lets you pause a single workflow without affecting the rest of your fleet. The Wallets tab adds a pause toggle at the wallet level so you can stop outbound payments with a single click.

Every pause emits an audit entry and is reversible from the same screen. A paused agent cannot spend credits, call tools, or run workflow steps until you unpause it.

Every published workflow exposes a programmatic trigger at POST /api/programmatic/agent-webhooks/{workflowId}/trigger. Send an Authorization: Bearer <token> header and a JSON body with a prompt string. Optionally include your own request_id to carry a correlation id end to end.

Triggered runs pick up the same guardrails as dashboard-initiated runs: agent spend caps, tool allowlists, approval gates, and the append-only audit trail in Agent Activity. The response returns the workflow run id so you can poll status or correlate logs in your own system.

Our team takes your existing OpenAPI or Swagger specification, audits the endpoints for agent-safety, and generates an MCP server that wraps your API with credential handling built in. We can deploy the MCP server on infrastructure you control, or on ours, and we hand over auth keys, a runbook, and a rotation playbook.

A typical engagement takes a few days from spec handover to live MCP server, plus an optional 30-day support window so your team can onboard without the guesswork.

You set caps and reset periods once, and define which digital services your agent is allowed to pay for. The x402Direct smart contract checks every outbound payment against those rules before the transfer clears. A payment that would exceed a cap, or that targets a merchant outside the allowlist, is rejected on-chain with a human-readable reason.

Because the rules live in the contract rather than in agent code, changing an agent prompt cannot bypass them. You can update limits at any time from the dashboard, and each change is written to the audit trail with the actor and the new limit.

There is no cost to sign up to use the AgentPMT system or the MCP server. The tool developers set the price to use each individual micro service.

Our team handles the full lifecycle: discovery of what the business actually needs, design of workflows and guardrails, build of MCP tools and agents and skill chains, and day-to-day operations including monitoring, tuning, and incident response. You get a monthly review with plain-English outcomes and spend so you can keep stakeholders informed without digging through dashboards.

Every engagement starts with a 30-minute discovery call and a short questionnaire. We return a fixed-price statement of work covering deliverables, timeline, and the first operating window.

A paused wallet short-circuits every outbound transfer. The x402Direct contract never receives the request, the agent sees a rejected response with a human-readable reason, and the Audit Trail records who paused the wallet, when, and which agent attempted the transfer. Your USDC balance is unchanged.

Pausing a wallet takes one click in the Wallets tab. Unpausing takes one click as well. Both actions are reversible and written as append-only audit entries so you can always reconstruct the timeline.

You choose the allowed methods per endpoint when you create the connected API: GET, POST, PUT, PATCH, DELETE, or any subset. Requests that use a method outside the allowlist are rejected before the credential is ever attached, so a compromised agent cannot escalate from read to write simply by changing the verb.

You can edit the allowlist on a live endpoint at any time from the Secure API Manager. Changes take effect on the next outbound request.

AgentPMT provisions a Circle programmable wallet for every customer. You control it with your email and a PIN, and it holds USDC on Base by default. Your agent never holds private keys; it asks AgentPMT to move funds, and AgentPMT checks the request against your x402Direct limits before signing.

You can view balance, recent transfers, and per-agent spend from the Wallet tab in the dashboard. Every transfer is recorded on chain and mirrored into the audit trail with the originating agent, the workflow run, and the correlation id.

You do, from the AgentPMT mobile app. When an agent requests a credit card purchase, AgentPMT sends a push notification to your phone with the merchant, the item, and the total amount. You confirm with Face ID or fingerprint before the charge executes. Card details never touch the agent.

If no approval arrives within the approval window, the purchase is cancelled and the agent receives a declined response. Every approval decision, including timeouts, is written to the audit trail with actor, subject, and outcome.