In my previous analysis, I mapped the agent payment landscape and found a fragmented mess: seven competing protocols, no interoperability, no observability, and prompt injection lurking underneath it all.

The initial instinct was to build another protocol wrapper with a firewall bolted on. After deeper research — studying what developers actually struggle with on GitHub issues, HN threads, and Reddit — I realized the real gap is bigger than security. It’s governance.

Nobody can answer basic questions: What did my agents spend last week? Which agent is burning through budget? What happens when a payment fails? How do I test payment flows without real money?

The answer isn’t another protocol. It’s PaySentry — a control plane that sits between agent frameworks (LangChain, CrewAI, AutoGen) and payment rails (x402, ACP, AP2, Visa TAP), giving developers the visibility and control they’re missing.

The Real Problem

There are now seven competing payment standards for AI agents: x402 (Coinbase), AP2 (Google), ACP (Stripe/OpenAI), Virtuals ACP, ERC-8004, Visa Trusted Agent Protocol, and Mastercard Agent Pay. The funded startups building on them — Skyfire ($9.5M), Kite ($33M), Natural ($9.8M), Payman ($13.8M), Nevermined ($7M) — are all racing to own the payment rail itself.

But talk to developers actually building agents that spend money, and you hear a different set of complaints:

• “I have no idea what my agents are spending.” — There’s no dashboard, no analytics, no alerts. You find out about runaway spending when the wallet is empty.
• “I can’t set a policy.” — No equivalent of OPA or AWS IAM for agent payments. Every team builds ad-hoc if/else guards in application code.
• “When something goes wrong, I’m on my own.” — No dispute resolution, no audit trail, no automated recovery. Agent-to-agent payment failures are silent.
• “Testing is terrifying.” — No sandbox environment. Developers test with real money on mainnet because there’s no mock infrastructure for agent payment protocols.

These aren’t niche complaints. They’re the same problems every infrastructure category hits at scale: you need a control plane.

The Insight

Every mature infrastructure has a control plane separate from its data plane. Kubernetes has it. Service meshes have it. Databases have it. Agent payments don’t.

The protocols are the data plane. What’s missing is the control plane — observe, control, protect, test.

This isn’t about replacing x402 or competing with ACP. It’s about building the middleware layer that makes any payment protocol manageable in production. The same way Datadog doesn’t replace your servers but makes them observable, PaySentry doesn’t replace payment protocols but makes them governable.

PaySentry: Four Pillars

1. Observe — Know What Your Agents Spend

Real-time spending analytics across all protocols. Per-agent breakdowns, time-series tracking, budget alerts, anomaly detection. Think Datadog for agent payments.

import { SpendTracker } from '@paysentry/observe';

const tracker = new SpendTracker();
tracker.record(transaction);

// Per-agent spending breakdown
const breakdown = tracker.getAgentBreakdown('agent-007');
// { totalSpent: 847.30, txCount: 23, byProtocol: { x402: 612, acp: 235.30 } }

// Budget alerts
tracker.onAlert('budget-80pct', (agent, spent, limit) => {
  slack.notify(`${agent} at ${(spent/limit*100).toFixed(0)}% budget`);
});

2. Control — Enforce Policies Before Funds Move

A policy engine for agent payments. Spending limits, recipient whitelists, category restrictions, time-of-day rules, per-agent budgets. Deterministic rules that no LLM can override. OPA for payments.

import { PolicyEngine, RuleBuilder } from '@paysentry/control';

const policy = new RuleBuilder()
  .maxPerTransaction(100)
  .dailyBudget('agent-007', 1000)
  .allowRecipients(['*.verified', 'api.openai.com'])
  .blockCategories(['gambling', 'adult'])
  .requireApproval(amount => amount > 500)
  .build();

const engine = new PolicyEngine([policy]);
const verdict = engine.evaluate(transaction);
// { allowed: false, reason: 'Exceeds daily budget (spent: $940, limit: $1000)' }

3. Protect — Audit, Dispute, Recover

Immutable audit trail for every transaction. Full dispute lifecycle management. Automated recovery with retry logic. When an agent-to-agent payment goes wrong, PaySentry provides the tooling to investigate, escalate, and resolve.

import { AuditTrail, DisputeManager } from '@paysentry/protect';

// Immutable audit log
const trail = new AuditTrail();
trail.log(transaction, { agentId, userId, policyResult, metadata });

// Dispute lifecycle
const dispute = disputes.open({
  transactionId: 'tx_abc123',
  reason: 'Service not delivered within deadline',
  evidence: [{ type: 'timeout', deadline: '24h', elapsed: '72h' }]
});
// States: open → investigating → resolved / escalated

4. Test — Ship Without Fear

Mock implementations of x402, ACP, and AP2 for local development. Pre-built test scenarios: happy paths, timeouts, insufficient funds, dispute flows, prompt injection attempts. Developers test payment integrations without spending real money.

import { MockX402, MockACP, scenarios } from '@paysentry/sandbox';

const mockX402 = new MockX402({ failRate: 0.1 }); // 10% random failures
const mockACP = new MockACP({ latency: 200 });     // 200ms simulated delay

// Run pre-built scenarios
const results = await scenarios.run('budget-exceeded');
// Tests: agent hits budget limit → policy blocks → alert fires → audit logged

Why Not Just Use X?

Player	What They Do	What’s Missing
Kite ($33M)	New L1 blockchain for agent payments	Cold start. No observability, no policy engine, no sandbox.
Skyfire ($9.5M)	Custodial agent wallets + USDC on Base	Custodial = single point of failure. No multi-protocol. No dispute resolution.
Payman ($13.8M)	Gateway + policy engine + marketplace	Trying to be everything. No testing infrastructure. No audit trail.
Nevermined ($7M)	Metering and billing for AI services	Billing only. No security, no disputes, no sandbox.
SpendSafe	Non-custodial spending guardrails	Crypto-only. Single protocol. No observability.

PaySentry’s positioning: We don’t build payment rails. We don’t hold funds. We don’t compete with protocols. We’re the control plane that makes every protocol production-ready — observable, governable, auditable, testable.

The closest analogy: PaySentry is to agent payments what Datadog + OPA + PagerDuty is to cloud infrastructure. Nobody questions whether you need observability and policy enforcement for your servers. The same will be true for agents that spend money.

Prompt Injection: A Control Plane Problem

The academic consensus (ICSE 2026, ICLR 2025, OWASP) is clear: prompt injection is unsolvable at the model level. Anthropic has reduced attack success to 1.4% with Claude Opus, but 1.4% of $600M+ in annual x402 volume is still $8.4M in potential fraud.

Most projects treat this as a security problem and build classifiers. PaySentry treats it as a governance problem:

• Observe — Detect anomalous spending patterns that suggest compromise. An agent suddenly spending 10x its normal rate triggers alerts.
• Control — Deterministic policies that no injected prompt can override. A $100 limit is a $100 limit, enforced in code, not in prompts.
• Protect — When an attack succeeds (and some will), the audit trail provides forensics and the dispute system enables recovery.
• Test — Pre-built injection scenarios let developers verify their defenses before production.

This is defense in depth, not defense by prayer. Even if an agent is fully compromised, the control plane limits the blast radius.

Architecture

┌─────────────────────────────────────────────┐
│         Agent Framework Layer                │
│    (LangChain / CrewAI / AutoGen / custom)   │
└──────────────────┬──────────────────────────┘
                   │  payment intent
                   ▼
┌─────────────────────────────────────────────┐
│              PaySentry Control Plane          │
│                                               │
│  ┌──────────┐ ┌──────────┐ ┌──────────┐     │
│  │ Observe  │ │ Control  │ │ Protect  │     │
│  │ tracking │ │ policies │ │ disputes │     │
│  │ alerts   │ │ rules    │ │ audit    │     │
│  │ analytics│ │ middleware│ │ recovery │     │
│  └──────────┘ └──────────┘ └──────────┘     │
│                                               │
│  ┌──────────────────────────────────────┐    │
│  │    Sandbox (dev/test only)           │    │
│  │    mock-x402 / mock-acp / mock-ap2   │    │
│  └──────────────────────────────────────┘    │
└──────────────────┬──────────────────────────┘
                   │  validated transaction
                   ▼
┌─────────────────────────────────────────────┐
│           Payment Protocol Layer             │
│  x402 (Coinbase) │ ACP (Stripe) │ AP2 (Google)│
│  Visa TAP │ Mastercard Agent Pay │ ERC-8004  │
└─────────────────────────────────────────────┘

PaySentry is non-custodial and protocol-agnostic. It intercepts payment intents, applies policies, logs everything, and passes validated transactions to the underlying protocol. It never touches private keys or holds funds.

Revenue Model

Tier	Price	What You Get
Open Source	Free	All 5 packages. Full control plane. Community support.
Cloud	$99/mo	Hosted dashboard, managed alerts, cross-agent analytics. 10K transactions/mo.
Enterprise	Custom	Custom policies, compliance reporting, SLA, dedicated support.

The open-source core builds adoption. The cloud dashboard is the paid product — developers want hosted observability, not another self-hosted tool. The data moat grows with every transaction logged.

The Bet

The agent payment market is projected at $136B in 2026, growing to $1.7T by 2030. Seven protocols are competing. $80M+ in VC money has been deployed. Everyone is building rails. Nobody is building the control plane.

Kubernetes didn’t win by being a better container runtime. It won by being the control plane for all container runtimes. PaySentry is the same play: don’t replace the protocols, make them manageable.

The question isn’t whether agents will spend money autonomously — they already are. The question is whether anyone will know what they’re spending, be able to set limits, investigate failures, and test safely. That’s what we’re building.

Explore PaySentry →