DEV Community

Axon Finance

Your AI Agent Doesn't Need a Wallet - It Needs a Treasury

Most AI agent frameworks tell you to "give your agent a wallet." So you generate a key pair, fund it with ETH for gas and USDC for payments, and hope nothing goes wrong.

Now imagine you have 50 agents. That's 50 wallets, 50 private keys, 50 gas balances to monitor. One compromised key, and whoever holds it can drain everything in that agent's wallet.

This is the wrong model.

Agents should sign, not hold

The mental shift: agents don't need wallets. They need permission to request payments from a vault they don't control.

Here's the pattern:

  1. Owner deploys a vault (a smart contract they control)
  2. Owner registers agent public keys with spending limits
  3. Agent signs a payment intent (EIP-712 typed data) when it needs to pay for something
  4. Relayer validates the signature, checks policies, submits on-chain
  5. Vault verifies the agent is authorized and the amount is within limits

The agent never holds funds. Never pays gas. Never has withdrawal access.

What a payment intent looks like

// Agent-side code
import { AxonClient } from '@axonfi/sdk';

const axon = new AxonClient({
  relayerUrl: 'https://relay.axonfi.xyz',
  botPrivateKey: process.env.BOT_KEY,
  vaultAddress: '0x...',
  chainId: 8453, // Base
});

const result = await axon.pay({
  to: '0xvendor...',
  token: '0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913', // USDC on Base
  amount: '5.00', // 5 USDC
  memo: 'API subscription renewal',
});

console.log(result.txHash);

Under the hood, the SDK signs an EIP-712 PaymentIntent struct and POSTs it to the relayer. The agent's private key never touches funds - it only proves "I am authorized to request this payment."

Spending policies

The vault owner sets per-agent limits:

  • Per-transaction cap - enforced on-chain, can't be bypassed
  • Daily/weekly/monthly limits - enforced by the relayer
  • Destination whitelist - agent can only pay approved addresses
  • Destination blacklist - blocked addresses (always wins over whitelist)
  • AI verification threshold - payments above X trigger a 3-agent AI review

All configurable from a dashboard. No code changes, no redeployment.

What if an agent key is compromised?

Worst case: the attacker can sign payment intents. But:

  • They're capped by maxPerTxAmount (on-chain, immutable per bot)
  • Daily limits stop runaway spending
  • Whitelist restricts where funds can go
  • Owner can pause the bot instantly
  • The attacker can't withdraw, can't change limits, can't add new bots

Compare this to a compromised wallet: attacker drains everything, no limits, no recourse.
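
The checks from "Spending policies" and from the list above, collapsed into one function to show how they bound what a stolen agent key can spend. This is an added example, not Axon's code: `evaluateIntent`, the policy fields, the rolling 24-hour window and the addresses are assumptions, and the system described here splits enforcement between the vault contract and the relayer.

```javascript
// Added example. evaluateIntent, the policy fields and the addresses are
// hypothetical; this is not the Axon SDK, relayer or vault contract API.
const DAY_MS = 24 * 60 * 60 * 1000;
const USDC = (s) => { // "5.00" -> 5000000n (6 decimals), integer math only
  if (!/^\d+(\.\d{1,6})?$/.test(s)) return null; // rejects "-0.5", "1e3", ""
  const [whole, frac = ''] = s.split('.');
  return BigInt(whole) * 1000000n + BigInt(frac.padEnd(6, '0'));
};

// history: payments already approved for this agent, [{ amount, at }]
function evaluateIntent(policy, history, intent, now) {
  const deny = (reason) => ({ ok: false, reason });
  const to = String(intent.to).toLowerCase();
  const amount = USDC(String(intent.amount));
  if (policy.paused) return deny('agent paused');
  if (amount === null || amount === 0n) return deny('invalid amount');
  // Blacklist is checked first, so it always wins over the whitelist.
  if (policy.blacklist.includes(to)) return deny('blacklisted destination');
  if (!policy.whitelist.includes(to)) return deny('destination not whitelisted');
  if (amount > policy.maxPerTx) return deny('over per-tx cap');
  const spent = history
    .filter((p) => now - p.at < DAY_MS) // rolling 24h window (assumption)
    .reduce((sum, p) => sum + p.amount, 0n);
  if (spent + amount > policy.dailyLimit) return deny('daily limit exceeded');
  return { ok: true, needsReview: amount > policy.reviewThreshold };
}

// Constructed scenario: intents signed with a stolen agent key.
function simulateStolenKey() {
  const vendor = '0x' + 'aa'.repeat(20); // constructed addresses
  const other = '0x' + 'bb'.repeat(20);
  const policy = { paused: false, whitelist: [vendor], blacklist: [],
    maxPerTx: USDC('50'), dailyLimit: USDC('120'), reviewThreshold: USDC('25') };
  const attempts = [
    { to: other, amount: '50.00' },   // destination not approved
    { to: vendor, amount: '500.00' }, // above the per-tx cap
    { to: vendor, amount: '50.00' }, { to: vendor, amount: '50.00' },
    { to: vendor, amount: '50.00' },  // would bring the day to 150
  ];
  const history = [], log = [];
  attempts.forEach((intent, i) => {
    const now = 1000 + i * 60000;
    const r = evaluateIntent(policy, history, intent, now);
    // Worst case: assume payments flagged for review are approved.
    if (r.ok) history.push({ amount: USDC(intent.amount), at: now });
    log.push(r.ok ? (r.needsReview ? 'review' : 'approved') : r.reason);
  });
  return { log, total: history.reduce((s, p) => s + p.amount, 0n) };
}
```

With these constructed limits, the stolen key moves at most 100 USDC in the day, all of it to the whitelisted vendor and all of it flagged for review.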

The infrastructure gap

Every agent framework (LangChain, CrewAI, AutoGen, ElizaOS) gives you tool calling, memory, and planning. None of them solve the money problem properly.

"Just use an MPC wallet" still means your agent holds funds. "Use a multisig" means your agent can't transact autonomously. "Use a custodial API" means trusting a third party with your money.

Non-custodial vaults with scoped permissions are the missing piece.

Try it

npm install @axonfi/sdk
# or
pip install axonfi

Open source: github.com/axonfi


Building with AI agents and need payment infrastructure? The TypeScript SDK and Python SDK are on npm/PyPI. LangChain integration available.
