<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Emil Dabrowski</title>
    <description>The latest articles on DEV Community by Emil Dabrowski (@griffnode).</description>
    <link>https://dev.to/griffnode</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4033577%2F929dfbdc-fa4a-4da3-8004-21ac5e23774c.jpg</url>
      <title>DEV Community: Emil Dabrowski</title>
      <link>https://dev.to/griffnode</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/griffnode"/>
    <language>en</language>
    <item>
      <title>I put my crypto payment gateway behind an MCP server so an AI can run it but never spend from it</title>
      <dc:creator>Emil Dabrowski</dc:creator>
      <pubDate>Fri, 17 Jul 2026 09:59:50 +0000</pubDate>
      <link>https://dev.to/griffnode/i-put-my-crypto-payment-gateway-behind-an-mcp-server-so-an-ai-can-run-it-but-never-spend-from-it-51c4</link>
      <guid>https://dev.to/griffnode/i-put-my-crypto-payment-gateway-behind-an-mcp-server-so-an-ai-can-run-it-but-never-spend-from-it-51c4</guid>
      <description>&lt;p&gt;Giving an AI agent access to real money is the part everyone flinches at. And they should. If your payment stack has a "move funds" capability, then any agent you wire into it has a "drain the account" capability too. Tighter permissions do not fix that. They just make the drain slightly harder.&lt;/p&gt;

&lt;p&gt;I build a crypto payment gateway called &lt;a href="https://griffnode.com" rel="noopener noreferrer"&gt;GriffNode&lt;/a&gt;, and we shipped an MCP server for it. A merchant can run the entire gateway from Claude, Cursor, or any MCP client, in plain language, with their own API key. Check payments, spin up a payment link, read the balance, upgrade the plan. All of it.&lt;/p&gt;

&lt;p&gt;And the agent still cannot spend a cent. Not because we sandboxed it well. Because there is structurally nothing to spend.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why that is safe by construction, not by policy
&lt;/h2&gt;

&lt;p&gt;GriffNode is non-custodial. Merchants connect an xPub (an extended public key), and we derive a fresh receiving address for every payment. Funds go from the customer straight into the merchant's own wallet. We never hold a balance, and an xPub can only receive, it cannot authorize a spend.&lt;/p&gt;

&lt;p&gt;So when you expose that gateway over MCP, the worst an agent can do with the money tools is read state and generate receive addresses. There is no &lt;code&gt;send_funds&lt;/code&gt; tool because there is no send capability anywhere in the system, for a human or an AI. The dangerous verb does not exist.&lt;/p&gt;

&lt;p&gt;This is the part I think agentic-commerce discussions get backwards. The answer is not a smarter permission model bolted onto a custodial rail. It is a rail where the account the agent operates and the funds themselves are two different things, and the agent can only touch the first.&lt;/p&gt;

&lt;h2&gt;
  
  
  What the MCP server actually exposes
&lt;/h2&gt;

&lt;p&gt;The tools map to the safe half of the API:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;list_payments&lt;/code&gt; / &lt;code&gt;get_payment&lt;/code&gt; reads payment and invoice state&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;create_payment_link&lt;/code&gt; generates a hosted checkout for an amount&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;get_supported_coins&lt;/code&gt; returns BTC, ETH, LTC, DOGE, DASH, plus USDT/USDC/DAI&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;get_balance&lt;/code&gt; is read-only, derived from on-chain data&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;get_plan&lt;/code&gt; / &lt;code&gt;upgrade_plan&lt;/code&gt; for account management&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Every call is authenticated with the merchant's own API key. The server is a thin, stateless proxy in front of the same REST API our SDKs use. Nothing in the tool surface can move a coin, because the underlying API has no endpoint that can either.&lt;/p&gt;

&lt;h2&gt;
  
  
  The mental model
&lt;/h2&gt;

&lt;p&gt;If you are building anything that lets an AI act on money, ask one question before you argue about permission scopes: can the underlying system move funds at all? If yes, you are one prompt injection away from a bad day, no matter how careful your allow-list is. If no, the whole class of "the agent drained it" failures is off the table.&lt;/p&gt;

&lt;p&gt;Non-custodial plus MCP is a clean demonstration of that. The account is fully operable by an AI, and the money is untouchable by design. Docs and the live MCP endpoint are at &lt;a href="https://docs.griffnode.com" rel="noopener noreferrer"&gt;docs.griffnode.com&lt;/a&gt; if you want to poke at it.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>crypto</category>
      <category>mcp</category>
      <category>showdev</category>
    </item>
  </channel>
</rss>
