GDS K S

The first time you watch an AI agent buy something, you will feel something you cannot name.

A 91-second experiment, an $11.78 charge, and a moment of hesitation that surprised me more than the result.

I knew the agent was going to spend money. I had set the cap. I had created the Stripe Project. I had signed the OAuth flow. I had watched a YouTube demo of somebody else doing the same thing two hours earlier.

When the moment came, my hand still moved toward Control C.

The agent was 38 seconds into its run. It had checked the Cloudflare API, found quiet-thunder-7821.dev available, queried the registrar, and received a 402 Payment Required response with a price of $11.78 for one year. The next thing it would do, in the next four seconds: charge the card.

I let it.

The charge cleared. The domain registered. The Worker deployed. The smoke test passed. The agent printed a URL. I copied the URL into a browser. The page said "hi from an agent" in plain text on a white background. From the moment I ran the script to the moment the page rendered: 91 seconds.

I sat there for a long minute after that, not doing anything. Just looking at the cursor.

This piece is about that minute.

The protocol, briefly

Cloudflare and Stripe shipped something this week called the Machine Payments Protocol. The technical version is HTTP 402 with a JSON price body, OAuth scoped to a per-agent Stripe Project, and a default $100 monthly spending cap that lives on Stripe's side. The marketing version is "agents can now provision Cloudflare accounts, register domains, and deploy applications without human intervention".

The cap is the part that lets you sleep. Stripe enforces it server side. The agent cannot raise it from inside its own runtime. If the agent goes wild and tries to spend $5,000 on premium domains, Stripe stops it at $100 and you get a notification. The blast radius stays bounded.

I knew that. I had read the docs page twice. The cap was not the reason my hand moved.
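
A harness-side check in the spirit of the cap described above, added here as an example and not taken from this post or from Cloudflare or Stripe: it reviews a 402 quote against a local budget and the adjective-noun-number.dev format before the agent is allowed to pay. The JSON field names, the `SpendGuard` class and the $20 per-item ceiling are assumptions; the page does not give the protocol's actual body format.

```python
import json
import re
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed sample. The field names are assumed; the page only says
# the 402 response carries a JSON price body.
SAMPLE_402_BODY = ('{"amount": "11.78", "currency": "USD", '
                   '"item": "quiet-thunder-7821.dev", "term_years": 1}')

# The format the agent was told to use: adjective-noun-number.dev
NAME_FORMAT = re.compile(r"[a-z]+-[a-z]+-[0-9]+\.dev")


@dataclass
class SpendGuard:
    monthly_cap: Decimal = Decimal("100.00")      # same figure as the Stripe-side default
    per_item_ceiling: Decimal = Decimal("20.00")  # hypothetical local limit
    spent: Decimal = Decimal("0")
    ledger: list = field(default_factory=list)    # local audit trail of every decision

    def review(self, status, body):
        """Return (allowed, reason) for one quote and record the decision."""
        allowed, reason = self._decide(status, body)
        self.ledger.append({"status": status, "body": body,
                            "allowed": allowed, "reason": reason})
        return allowed, reason

    def _decide(self, status, body):
        if status != 402:
            return False, "not a payment quote"
        try:
            quote = json.loads(body)
            amount = Decimal(str(quote["amount"]))
            currency, item = quote["currency"], quote["item"]
        except (ValueError, KeyError, TypeError, ArithmeticError):
            return False, "malformed quote"
        if not amount.is_finite() or amount <= 0:
            return False, "invalid amount"
        if currency != "USD":
            return False, "unexpected currency"
        if not isinstance(item, str) or not NAME_FORMAT.fullmatch(item):
            return False, "item outside allowed name format"
        if amount > self.per_item_ceiling:
            return False, "over per-item ceiling"
        if self.spent + amount > self.monthly_cap:
            return False, "would exceed monthly cap"
        self.spent += amount  # reserve the spend before the agent pays
        return True, "approved"
```

This check belongs in the harness, outside the agent's runtime, and supplements the Stripe-side cap rather than replacing it.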

Why my hand moved

The thing I underestimated was the difference between "the agent could spend money" as a concept and "the agent is about to spend my money" as a live event.

I have given AI tools access to my code repository. I have given them access to my email. I have given them production database read credentials. None of those felt the way this felt. The pattern is similar. The instinct was different.

I think the difference is that money is the one resource I have a lifelong physical relationship with. I have handled cash. I have signed checks. I have watched receipts print at gas stations. My brain encoded "spending" through years of physical signal. The mental model for "reading email" did not get the same wiring. When the agent was about to spend, that part of my brain woke up and asked who had approved this.

I had approved it. I had set the cap. The amount was small. My reasoning brain knew that. My reasoning brain was not driving my hand.

I think a lot of the resistance to agentic payments over the next year is going to look like this. Not measured objections. Not policy debates. A specific and slightly embarrassing instinct that fires the first time you watch one happen.

The thing I was not expecting

The agent picked the domain name itself. I had told it to pick something in the format adjective-noun-number.dev. I had not told it to pick quiet-thunder-7821.

I sat with that for longer than I sat with the payment. The payment was a transaction with bounded outcomes. The naming was an aesthetic choice. An aesthetic choice made by software, on my behalf, with my money, about a thing that would now exist in the world under my account and bill to my card every year if I did not delete it.

I do not know what to do with that observation. The agent's choice was fine. quiet-thunder-7821.dev is a perfectly cromulent domain. If you had asked me to pick one in 30 seconds I might have done worse.

But the domain was not mine. The domain belonged to the agent's taste. The card was mine, the legal liability was mine, the renewal would be mine. The taste was the agent's.

This is the part that nobody is talking about yet. The protocol is well designed. The cap is well placed. The OAuth scoping is correct. The unanswered question is what happens when agents start making aesthetic and judgment calls inside the bounds we set for them, and we discover that the bounds were the easy part.

What I did with the domain

I deleted it the next morning. The Worker came down. The DNS unwound. The Stripe Project archived itself with a complete ledger of every cent the agent had touched. Total spend on the experiment: $11.78 for the registration plus a fraction of a cent for the Worker compute.

The deletion took six seconds. The registration was non-refundable. So somewhere out there, in a Cloudflare ledger, $11.78 of mine paid for a domain that lived for 14 hours and whose only content was the string "hi from an agent".

I am fine with that. The 14-hour domain was the price of the demonstration. The demonstration was worth more than the domain.

What I am going to do next

The next experiment is bigger. I am going to give an agent a slightly larger budget and ask it to spin up a real piece of software. A small SaaS. Frontend, backend, storage, a Stripe Checkout flow that takes payments from real users and routes them to a real revenue split. End to end, from a cold start, with no human in the deploy loop.

I am giving the agent a $200 monthly cap. I am giving it a virtual card with a $300 balance. I am giving it a domain budget of $20. I am scoping the Stripe Project so it cannot reach my main account.

The reason I am doing this is not because I think it will work the first time. I think it will fail somewhere in the middle. I think the failure mode will be interesting. I think the cap will save me.

The reason I am writing it down ahead of time is that I want to commit, in public, to running the experiment without bailing out at the moment my hand moves toward Control C. If you check back in two weeks, I will tell you what happened.

The closing

The first time you watch an AI agent buy something, you will feel something you cannot put a name on. The feeling will fire in the middle of an event you approved, sized correctly, capped appropriately, and conceptually understood. The feeling will not care.

I think the right thing to do with the feeling is to notice it, decide whether to act on it, and let the agent finish if you decide not to. The cap is real. The audit trail is real. The protocol is well designed. The instinct that fires anyway is older than any of those things.

If you are about to run your first agent payment, run it small. Run it on a thing you can delete. Run it when you have time to sit with the cursor for a minute afterward. The minute is part of the experience.

What are you going to give an agent a card for?


Written by GDS K S (thegdsks.com), building Glincker.
If this was useful, follow me on X / @thegdsks. I write about the parts of the AI stack vendors keep off the pricing page.
