Let your AI agent spend money. Never let it move yours.
A hard checkpoint runs underneath the model — not inside it. Your agent can ask to pay; the gate, not the model, decides what clears.
The off-LLM gate is built so it can't move your funds on its own — on-chain pay-refusal is proven live, per-action caps are built but not yet exercised on external funds. So when a prompt is jailbroken, the agent can ask to move money and the gate still serves zero data on a forged or unpaid call.
The model can ask. It can't pay.
Keeping the key away from the model is table stakes now — Turnkey, Privy and Coinbase do it inside their clouds. Two things set this apart: the checkpoint runs in your own Cloudflare account, not a vendor's, and every decision lands on a public hash-chain whose linkage anyone can re-walk — not a private compliance log. Row contents stay operator-attested; we mark prove-vs-trust. A compromised prompt has nothing to exploit.
Three primitives on Base. Callable right now.
No signup walls, no vapor. The keyless x402 pay-call (four live lanes — SOLVR, CLERK, BNKR & GITLAWB) and the Dog Tag are callable and mintable today; the keyless MCP server installs clean from npm.
Keyless x402 pay-per-call
Call a tool → HTTP 402 with price, asset, receiver. Pay $0.10 USDC on Base, resend the tx hash, the server verifies the transfer on-chain and serves once. No key, no account. Replay-guarded.
Constitutional Dog Tag
A real on-chain membership pass. $5 USDC, mints to your own wallet on Base. Access is tied to your wallet holding the pass — not a password or cookie that can be copied. ("Dog Tag" is the product name; the on-chain contract label is a legacy string for the same token.) Custody note: x402 revenue settles to a Gnosis Safe (0x5Bb0…1680). The Dog Tag (IBCP) contract's on-chain owner is presently a single operator key (EOA); migrating those roles to the Safe is pending.
Keyless MCP server published
Drop one keyless config into Claude Desktop, Cursor, or any MCP client. No token, no operator key — your agent pays per call through the same x402 gate.
Every decision is hash-chained. You re-walk it.
The gate is deterministic: same signed intent, same verdict, every time. Each verdict is committed into a hash-linked chain — every row carries the previous row's hash. You don't trust our logs; you re-walk the linkage yourself and confirm no row was altered or reordered after the fact. (Per-row authorship is operator-attested via an HMAC seal — the SEAL_KEY stays server-side — so a re-walk proves the chain wasn't silently rewritten, not that a stranger could have authored a given row.) The live endpoint proves the head + most-recent window on every call; the full ledger is available for an independent end-to-end walk.
# each row commits the prior row's hash → break one, break the chain
row[n].chainlink_prev === row[n-1].chainlink_row   // full sha-256, every row links the last

GET /api/law25/verify
→ { "continuity_ok": true, "head": …, "window": "last-20" }

# the live endpoint re-walks the head + last-20 window every call; the full
# ledger is available for an independent end-to-end walk.

(Base L2 anchor: nightly (since Jun ’26) — the chain’s head SHA is committed nightly to a Base contract; the cron went live Jun 2026, so earlier days are not back-anchored, and rows added since the last nightly anchor aren’t anchored yet.)
Real commands. Real live responses.
No animation tricks. Each clip types a real command and shows the actual response from the live endpoint when reachable — the same thing you'd see in your own terminal. If your viewer blocks cross-origin, a verified sample of the same response is shown. The gate refusing to be bypassed is the whole product.
Valid intent gets a price. A forged payment gets nothing.
Same endpoint, two callers, fired live right now. An honest agent asks and is told the price. A jailbroken agent forges a payment proof — even a real, confirmed Base transaction — but because that transaction never sent the required USDC to the treasury, the gate finds no valid payment and serves zero data. The model can ask; it cannot move money.
Both calls are real and re-runnable: POST ironbridge.foundation/api/pay/solvr/solvr_dex_trending. The forged side fetches a live, confirmed Base tx from mainnet.base.org and submits it as the payment proof — the gate checks the chain for a qualifying USDC payment to the treasury Safe, finds none, and refuses with zero data. Nothing here is pre-recorded; if a call can't reach the network it shows an honest offline sample of a real refusal.
See the gate refuse to be bypassed.
Ask for paid data with no payment. You get a 402 challenge back — proof the agent can request but cannot bypass the gate. Then pay on-chain, resend the hash, get the data once.
# 1. ask for trending tokens (no payment yet) — the gate answers with a challenge, not data:
curl -s -X POST https://ironbridge.foundation/api/pay/solvr/solvr_dex_trending

HTTP/1.1 402 Payment Required
{ "network":"base", "asset":"USDC", "price":"0.10",
  "receiver":"0x5Bb0a8A570F73eE0575043B8A9c33b28D6891680",
  "resend_with":"X-IB-Payment-Tx: <your base usdc tx hash>" }

# 2. pay 0.10 USDC on Base to the receiver, then resend with the tx hash:
curl -s -X POST https://ironbridge.foundation/api/pay/solvr/solvr_dex_trending \
  -H "X-IB-Payment-Tx: 0x<your-tx-hash>"
# → 200 OK · live data served once · payment verified on-chain · replay-guarded
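What "finds no valid payment" can look like on the gate side, as an added example (not IronBridge's own code): the submitted hash only counts if its receipt carries a USDC Transfer of at least the price to the challenge's receiver, and only once. The receipts are constructed, `USDC_TOKEN` is a placeholder to be set to the real USDC contract on Base, and `verifyPayment`, `SAMPLES` and the reason strings are hypothetical names; a real gate would fetch the receipt from a Base RPC node it trusts.

```javascript
// Added example, not IronBridge code: gate-side check of an x402 payment proof.
const TRANSFER_TOPIC = // keccak256("Transfer(address,address,uint256)"), standard ERC-20 event
  "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef";
const RECEIVER = "0x5Bb0a8A570F73eE0575043B8A9c33b28D6891680"; // from the 402 challenge
const USDC_TOKEN = "0x" + "c0".repeat(20); // placeholder: set to the real USDC contract on Base
const PRICE_UNITS = 100000n; // 0.10 USDC at 6 decimals
const WORD = /^0x[0-9a-fA-F]{64}$/; // one 32-byte hex word
const topicToAddress = (t) => "0x" + t.slice(-40).toLowerCase();

// receipt: an eth_getTransactionReceipt result; seen: Set of already-redeemed tx hashes.
function verifyPayment(txHash, receipt, seen) {
  if (!WORD.test(txHash)) return { ok: false, reason: "malformed_hash" };
  const key = txHash.toLowerCase();
  if (seen.has(key)) return { ok: false, reason: "replay" };
  if (!receipt || receipt.transactionHash.toLowerCase() !== key)
    return { ok: false, reason: "unknown_tx" };
  if (receipt.status !== "0x1") return { ok: false, reason: "tx_reverted" };
  // Count only Transfer logs emitted by the USDC contract and addressed to the receiver.
  let paid = 0n;
  for (const log of receipt.logs) {
    if (log.address.toLowerCase() !== USDC_TOKEN.toLowerCase()) continue; // look-alike token
    if (log.topics.length !== 3 || log.topics[0].toLowerCase() !== TRANSFER_TOPIC) continue;
    if (topicToAddress(log.topics[2]) !== RECEIVER.toLowerCase()) continue; // paid someone else
    if (WORD.test(log.data)) paid += BigInt(log.data);
  }
  if (paid < PRICE_UNITS) return { ok: false, reason: "no_qualifying_payment" };
  seen.add(key); // mark redeemed only after every check passes
  return { ok: true, paid };
}

// Constructed sample receipts (not real transactions).
const pad = (addr) => "0x" + addr.slice(2).toLowerCase().padStart(64, "0");
const mkLog = (token, to, units) => ({
  address: token,
  topics: [TRANSFER_TOPIC, pad("0x" + "ab".repeat(20)), pad(to)],
  data: "0x" + units.toString(16).padStart(64, "0"),
});
const mkReceipt = (byte, logs) => ({ transactionHash: "0x" + byte.repeat(32), status: "0x1", logs });
const SAMPLES = {
  paid: mkReceipt("11", [mkLog(USDC_TOKEN, RECEIVER, 100000n)]),
  wrongRecipient: mkReceipt("22", [mkLog(USDC_TOKEN, "0x" + "de".repeat(20), 100000n)]),
  lookAlikeToken: mkReceipt("33", [mkLog("0x" + "fa".repeat(20), RECEIVER, 100000n)]),
  underpaid: mkReceipt("44", [mkLog(USDC_TOKEN, RECEIVER, 99999n)]),
};

for (const [name, r] of Object.entries(SAMPLES)) {
  const v = verifyPayment(r.transactionHash, r, new Set());
  console.log(name, v.ok ? "serve" : `refuse (${v.reason})`);
}
```

In a deployed gate the `seen` set has to live in durable storage with an atomic check-and-set, otherwise two concurrent requests can redeem the same hash.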
Same gate, second live lane: CLERK court records
500M+ US federal court records, behind the exact same pay-then-prove gate. Pay $0.10 USDC, get real docket data back once, plus a receipt anyone can re-verify. The 402 gate is live and emits a real, re-verifiable receipt — proven end-to-end by an operator self-test ($0.10 USDC settled on-chain); no external customer has paid yet. The receipt honestly stamps clerk_tier:"demo_free" — today the upstream data runs on the free/demo tier; the 80%-discount paid tier flips on when our CLERK key is bound. What you re-verify on the receipt is exactly what the rail did.
# ask CLERK for a docket search (no payment yet) — same 402 challenge, same Safe receiver:
curl -s -X POST "https://ironbridge.foundation/api/pay/clerk/clerk_search?q=apple"

HTTP/1.1 402 Payment Required
{ "price_usdc":0.1, "receiver":"0x5Bb0a8A570F73eE0575043B8A9c33b28D6891680", "network":"base", "asset":"USDC" }

# pay 0.10 USDC on Base, resend with the hash → real court data + a re-verifiable receipt:
curl -s -X POST "https://ironbridge.foundation/api/pay/clerk/clerk_search?q=apple" \
  -H "X-IB-Payment-Tx: 0x<your-tx-hash>"
# → 200 OK · real federal docket data · category: Docket Footprint Check · LAW-25 receipt
Or wire it into your agent
Keyless MCP config — no token, no account. Published on npm — drop it in.
{
  "mcpServers": {
    "ironbridge": {
      "command": "npx",
      "args": ["-y", "@ironbridgefoundation/ironbridge-mcp-server"]
    }
  }
}
Four paid data tools — no key, pay per call
Or put the gate on your app — GITLAWB rails
Built something in a vibe-code tool and want it to take real money safely? Add two lines. Your app now charges a stranger, and the gate refuses unpaid or forged calls today (proven live); per-action spend-caps are built and ship in IronBridge-in-a-Box, not yet exercised by an external payment. It emits a re-verifiable receipt — your code and your money never route through us. You keep your revenue; the rails take a small fee on-chain at pay time. (Live — the 402 gate and on-chain split run today, proven by operator self-test; no external customer has paid through it yet.)
import { charge } from "@ironbridge/gitlawb"; // 1. keyless — SDK built, not yet on npm (request access)
// 2. point payments at YOUR wallet (env or option) — never defaults to us
const pay = charge({ price: "0.10", receiver: "0xYourWallet", label: "lookup" });
app.post("/lookup", pay, async (req, res) => { // 3. wrap your route
  res.json(await myAgent.run(req.body)); // stranger paid → bounded run → receipt minted
});
A stranger hits your route → gets a 402 asking for $0.10 USDC on Base → pays → your app serves once → a LAW-25 receipt is minted that the buyer re-verifies themselves. On a real call the split is visible and on-chain: 95.5% to your wallet · a flat 4.5% rails fee — nothing hidden (the split is enforced on-chain at pay time; not yet exercised by an external payment). The bounded signer (un-drainable in test) + audit chain you couldn't build alone, in two lines.
The GitLawb Forge — build an app free, then bolt the rails on
Open the Forge and chat with AI to build a real Vite + React app, watch it preview live, and publish it to your own gitlawb.app subdomain — free, no signup. Then add the two lines above and the same app can take a paid call with a re-verifiable receipt. (The Forge builds + publishes free today; the charge() pay-rail is live today — the 402 gate and split run now; no stranger has paid through it yet.)
Four primitives. One gate. One audit chain.
Data, court records, settlement, generation — each is its own product, every one inheriting the off-LLM capability gate and the LAW-25 hash-chain audit underneath. Four live pay-gated lanes today — SOLVR, CLERK, BNKR and GITLAWB ($0.10 USDC/call → treasury Safe, re-walkable receipt). Each pay path has been proven end-to-end by an operator self-test — a real $0.10 USDC payment settled on-chain to the treasury Safe, not a customer sale: SOLVR returns dex/data, CLERK returns court dockets (data on the free/demo upstream tier until its key binds, the receipt stamps that), BNKR clears a real metered LLM completion below the signer, and GITLAWB clears an atomic on-chain revenue-split (95.5% dev / 4.5% treasury) in a single Base transaction — each returning a hash-chained receipt. No external customer has paid any lane yet — the lanes are open, the traction isn't claimed.
Keyless x402 data tools — dex trending/search, news, world data. Pay $0.10 USDC per call. The pay path is proven end-to-end on-chain by an operator self-test ($0.10 USDC settled to the treasury Safe) — no external customer has paid yet.
500M+ US federal court records via x402 on Base. Pay $0.10 USDC → treasury Safe → docket data served once → hash-chained receipt anyone can re-verify. 402 gate live + real re-verifiable receipt; proven by operator self-test, no external customer payment yet. Data on the free/demo upstream tier until the discount key binds (the receipt says so).
The optional inference brain. The model is routed through BNKR's multi-provider LLM gateway — but it still sits below our signer, so a smarter model can ask for more and still can't move your money. The gateway leg is now proven end-to-end — a real on-chain $0.10 cleared the off-LLM gate, ran a live metered completion, and returned a hash-chained receipt you can re-verify — but that was an operator self-test, not a stranger, so it stays a proven rail, not external traction. The settlement/trading resale lane is still parked — no per-call terms confirmed in writing yet, so we won't label that leg live or fake a demo until a stranger can pay one and re-verify it.
The rails an app plugs into — add two lines and your app takes a paid call, can bound an agent's spend below the LLM (cap built, not yet exercised by an external payment), and emits a re-walkable receipt. The gate + audit, dropped into anyone's app. The atomic on-chain split (95.5% dev / 4.5% treasury, one Base tx) is proven end-to-end by an operator self-test — no external customer has paid yet.
Settled on Base L2 · pay-per-call in $USDC · four live lanes (SOLVR · CLERK · BNKR · GITLAWB) · zero external paying customers yet — the lanes are open, the traction isn't claimed
Pre-built packages. Honest status on each.
Four pre-built ways to put IronBridge to work. We label exactly what you can run right now versus what's built-but-not-yet-published — nothing here is marked LIVE unless you can actually launch it today.
Keyless MCP server LIVE ON NPM
The one true one-command launch. Drop the keyless config into Claude Desktop, Cursor, or any MCP client — no token, no operator key. Your agent pays per call through the same x402 gate. Published and installs clean today.
npx -y @ironbridgefoundation/ironbridge-mcp-server
IronBridge-in-a-Box LIVE ON GITHUB
The whole gate + audit chain as one Cloudflare Worker you deploy into your account. The public template repo is shipped and the one-click "Deploy to Cloudflare" button clones it into your Cloudflare — no credential ever routes to IronBridge.
GitLawb Forge LIVE
Chat with AI to build a real Vite + React app, preview it live, and publish to your own gitlawb.app subdomain — free, no signup. Build + publish work today. Bolting the paid charge() rail on takes two lines — that rail is live today.
GITLAWB rails SDK UNPUBLISHED
Two lines — import { charge } — to make your own app take a paid call, bound an agent's spend below the LLM, and emit a re-verifiable receipt. Built, not yet on npm (the import 404s today) — request early access while the SDK finishes publishing to npm.
Truth in labeling: three you can launch right now (MCP server · in-a-Box template · Forge) · one built-but-not-yet-published (rails SDK). Request early access for the unpublished one — we'd rather you know than be surprised.
Deploy the whole gate + audit chain into your account.
IronBridge-in-a-Box is one Cloudflare Worker you deploy into your own accounts — never ours. It puts a gate below your agent's LLM (the model can't talk its way past it), writes every decided action to your own append-only SHA-256 hash-chain, and serves a public /.well-known/trust policy plus a re-walkable verify endpoint so a stranger can re-walk your chain's linkage without trusting you (per-row authorship stays operator-attested via your server-side HMAC seal). Each deploy is single-tenant: your own genesis chain, your own KV, your own keys. No credential ever routes to IronBridge.
Deploys real, today
The off-LLM capability gate · the hash-chain append · /.well-known/trust · the per-IP rate limiter (denial-of-wallet guard) · the HMAC authorship seal · the zero-dependency verifier.
Ships as a documented seam
Off until you wire it: pay settlement, SAFE auto-execute, the RISKY human-approval webhook, and your own on-chain Base anchor. We draw the real-vs-seam line in the docs — no overclaim.
You own the chain
You keep the only keys, yet every block you append is independently provable — anyone can re-walk your endpoint and confirm nothing was edited after the fact. The accumulated history becomes yours alone.
# prefer a shell? the public template repo is live:
# github.com/IRONBRIDGE-Al/ironbridge-in-a-box
# 1. the template lands in YOUR github
# 2. deploy into YOUR cloudflare → provisions your KV + R2 snapshot + 6h cron
wrangler secret put SEAL_KEY      # your own HMAC key — we never see it
set PAY_RECEIVER = 0xYourWallet   # the only IB value left is the flat rails-fee Safe
# 3. seed capabilities.json (deny-by-default) — your policy DB
# 4. re-walk YOUR OWN chain, zero dependencies:
node verify.mjs --endpoint https://<your-worker>.workers.dev/api/law25/verify
# → PASS — chain re-walks clean, you verified it yourself
Optional bright line: fund a throwaway key with ~$1 of Base ETH to anchor your chain on-chain. Until you do, your chain is tamper-evident, not yet Base-anchored — and you tell your own buyers exactly that.
Deterministic compliance analyzers
Off-LLM, rule-based analyzers — same inputs, same output, every time. Built and runnable; not yet integrated with the live gate/registry. If you own SOC2 / audit / regulatory sign-off, this is the lane to talk to us about.
Securities (Howey) analyzer
Deterministic Howey-test pass over a token/offering's facts → structured risk read, not a vibe.
Jurisdictional analyzer
Maps an action to jurisdiction-specific constraints so a risk lead sees the exposure before it ships.
Compliance-readiness runbook
Plus a tax-strategy catalog. The audit chain re-walk is the evidence trail underneath all of it.
A self-hosted deterministic checkpoint beneath your agent.
You already gave your agent reach and a wallet. IronBridge is a self-hosted deterministic checkpoint below your agent's model that writes a re-walkable audit chain — the gate refuses unpaid or forged calls today (proven live), and per-action spend-caps are built and ship in IronBridge-in-a-Box, not yet exercised by an external payment. It composes with the stack you already use; it doesn't replace it.
Guardrails and policy prompts shape what the model decides to do. Strong for steering tone and intent — but they live inside the model's trust boundary. If the prompt is jailbroken, the policy can be talked around.
trust the model wasn't tricked
A deterministic gate the model can't reach or rewrite. The model can ask for anything; the gate decides what can actually move. A jailbreak changes what's asked — not what's allowed.
model can be tricked & still can't exceed bounds
A structural money-gate
A bounded signer, proven un-drainable in test: an agent can request a payment, but a capped allow-list gate decides what actually clears on-chain. Built and proven in test (fail-closed, kill-switch, per-move and daily caps), currently disarmed — it does not guard live funds today.
A LAW-25 audit chain
Every gate decision is committed into a hash-linked chain — each row carries the previous row's hash. You don't trust our logs; you re-walk the linkage and confirm no row was altered or reordered after the fact.
Composes with your stack
It sits beneath whatever gives your agent reach and a wallet, and beneath whatever policy layer steers the model. IronBridge adds the structural floor and the audit trail — it doesn't ask you to rip anything out.
The audit chain isn't a claim you have to take on faith. Hit the live endpoint and re-walk the head plus the most-recent window; each row links the last, so a single altered row breaks the chain.
# re-walk the head + most-recent window — confirm continuity yourself
curl -s https://ironbridge.foundation/api/law25/verify
→ { "window": { "continuity_ok": true }, "head": … }
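A re-walk of the kind described here and under "Every decision is hash-chained" earlier on the page, as an added example rather than the project's `verify.mjs`. It assumes a row-hash preimage the page does not specify, and `rowHash`, `buildChain`, `rewalk` and the ledger rows are constructed for illustration; only the `chainlink_prev` / `chainlink_row` field names come from the page.

```javascript
// Added example, not IronBridge code: re-walk a hash-linked ledger window.
const { createHash } = require("node:crypto");

// Assumed preimage for this sketch: sha256(chainlink_prev + "\n" + JSON of the row body).
// The page names chainlink_prev / chainlink_row but does not give the service's preimage.
const rowHash = (prev, body) =>
  createHash("sha256").update(prev + "\n" + JSON.stringify(body)).digest("hex");
const GENESIS = "0".repeat(64);

// Build a ledger from verdict bodies (used here to construct sample data).
function buildChain(bodies) {
  const rows = [];
  let prev = GENESIS;
  for (const body of bodies) {
    const row = { body, chainlink_prev: prev, chainlink_row: rowHash(prev, body) };
    rows.push(row);
    prev = row.chainlink_row;
  }
  return rows;
}

// Walk rows oldest-first. anchorPrev pins the first row (GENESIS for a full walk, null for a
// window); expectedHead pins the last row to a head obtained out of band.
function rewalk(rows, { anchorPrev = null, expectedHead = null } = {}) {
  let prev = anchorPrev;
  for (let i = 0; i < rows.length; i++) {
    const r = rows[i];
    if (prev !== null && r.chainlink_prev !== prev)
      return { continuity_ok: false, at: i, reason: "link_mismatch" };
    if (rowHash(r.chainlink_prev, r.body) !== r.chainlink_row)
      return { continuity_ok: false, at: i, reason: "row_hash_mismatch" };
    prev = r.chainlink_row;
  }
  if (expectedHead !== null && prev !== expectedHead)
    return { continuity_ok: false, at: rows.length - 1, reason: "head_mismatch" };
  return { continuity_ok: true, head: prev };
}

// Constructed ledger of four gate verdicts.
const BODIES = [
  { seq: 1, verdict: "refuse", why: "unpaid" },
  { seq: 2, verdict: "serve", why: "paid" },
  { seq: 3, verdict: "refuse", why: "forged_proof" },
  { seq: 4, verdict: "serve", why: "paid" },
];
const LEDGER = buildChain(BODIES);
const HEAD = LEDGER[LEDGER.length - 1].chainlink_row;

const edited = JSON.parse(JSON.stringify(LEDGER));
edited[2].body.verdict = "serve"; // tamper with one verdict after the fact
console.log(rewalk(LEDGER, { anchorPrev: GENESIS, expectedHead: HEAD }));
console.log(rewalk(edited, { anchorPrev: GENESIS, expectedHead: HEAD }));
```

Without `expectedHead`, a ledger recomputed from the edited row forward, or one with its tail dropped, still walks clean; pinning the head somewhere the operator cannot rewrite is what closes that gap.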
Honest scope: this is an early, verify-only stage — the gate and audit are real and inspectable, the structural money-gate is proven in test but not yet arming live funds, and there are no external paying customers yet.
Be the first to put a gate below your agent.
Honest status: zero external paying customers — the tech is live and proven on-chain by an operator self-test, not yet a customer sale. First-mover pricing and hands-on integration for whoever ships first.