GateSolutionsAssuranceProtocolProofDocsPricingRequest pilot
EMILIA Gate solution profile · MCP and agent tool calls

One line of code between your agent and a catastrophe.

Your AI agent can move money, delete production data, send email, and sign contracts. Agent Guard puts EMILIA Gate before the configured tool or executor, then requires the evidence your policy names. It protects only the paths actually mediated by that integration.

Add Receipt Required to MCP →Watch an agent get stopped

Run the rail now: FAST=1 node examples/mcp/payment-server.mjs  ·  no account needed

The integration

Wrap the dangerous action. Ship the same day.

No proxy to deploy. No data path to reroute. You call the gate at the decision point; EMILIA answers allow, require signoff, or deny — decided by a policy engine with 26 machine-checked theorems behind it.

The HTTP call below is live with your API key (signup is free). The wrapper below it ships today on npm and PyPI. Exact signatures in the docs.

# Ask EMILIA whether this exact action may proceed — before it runs.
curl -s https://www.emiliaprotocol.ai/api/trust/gate \
  -H 'authorization: Bearer ep_live_…' \
  -H 'content-type: application/json' \
  -d '{
    "entity_id": "agent_invoice_bot",
    "action":    "payment.release",
    "context":   { "amount": 50000, "destination": "acct_9f12" }
  }'

# → { "decision": "allow" | "deny", "reasons": [ … ] }
# Signoff-grade decisions (allow_with_signoff) come from the
# /api/v1 precheck adapters — the full ceremony is on /finguard.
import { withGuard } from '@emilia-protocol/langchain';

// Wrap anything irreversible. One wrapper.
const guarded = withGuard(wireMoney, {
  action:  'payment.release',
  context: (input) => ({ amount: input.amount, destination: input.to }),
  // Resolve once a named human approves — otherwise signoff throws:
  onSignoff: async (decision) => waitForApproval(decision.raw),
});

// Give `guarded` to your agent instead of `wireMoney`.
await guarded.invoke({ amount: 50000, to: 'acct_9f12' });
// → throws "EMILIA requires human signoff" until a human approves.
// Python: pip install langchain-emilia → guard_tools([…]) does the same.
import { requireEmiliaReceipt } from '@emilia-protocol/require-receipt';

// Refuse the irreversible action unless a valid, action-bound receipt
// from a trusted issuer rides with the request.
app.post('/release-payment', requireEmiliaReceipt({
  trustedKeys: [process.env.EMILIA_ISSUER_PUBKEY],
  action:      'payment.release',
  statusCode:  428,
  manifestUrl: '/.well-known/agent-actions.json',
  maxAgeSec:   900,
}), handler);

// No receipt? The caller gets 428 Receipt Required with a
// challenge; a well-behaved agent obtains one and retries. Verified
// offline — no EMILIA backend. Run: FAST=1 node examples/mcp/payment-server.mjs
The demand side

No receipt, no irreversible action.

The flip side of the gate: make your own endpoint require proof. An irreversible call with no valid receipt gets a 428 describing exactly what to bring — a well-behaved agent obtains one and retries, and you verify it offline. The agent self-serves authorization, no human in the support loop.

Add Receipt Required to an MCP server →
What happens on every call

Intercept, decide, prove.

01
Intercept

Your agent is about to do something it can’t take back. One withGuard() wrapper routes the exact action — actor, intent, parameters — to EMILIA before it touches the real world.

02
Decide

The configured policy returns allow, require signoff, or deny. Allow means the stated policy was satisfied; it is not a claim that the action is wise, safe, or lawful.

03
Prove

Every protected decision emits signed authorization evidence bound to the action hash. A relying party can verify it offline with @emilia-protocol/verify under explicitly pinned trust inputs.

Drop into any stack

If your agent calls tools, EMILIA can guard them.

Agent Guard is framework-agnostic middleware, not a lock-in. It sits at the action boundary, wherever that is in your loop — and it doesn’t care whose model your agent runs on.

LangChain
Wrap any tool before .invoke()
CrewAI
Gate a crew’s high-risk tasks
AutoGPT
Guard the action execution step
LlamaIndex
Approve tool-calling agents
Vercel AI SDK
Guard inside tool() handlers
Model Context Protocol
Native MCP server · 36 tools
The agent that tried to

Four things you never want an agent to do unsupervised.

Run it live →
TREASURYPolicy-enforced

Agent tries to wire $50K

An invoice-paying agent attempts a payment to a new account. Blocked. A named human signs off. Wire proceeds with a receipt.

INFRAIllustrative

Agent tries to drop prod

A coding agent runs a destructive migration on the production database. The action is gated before it executes.

BENEFITSPolicy-enforced

Agent redirects a benefit

An agent changes the bank account on a benefits case. Blocked pending an accountable caseworker signoff — due process, proven.

DATAIllustrative

Agent exfiltrates PII

An agent attempts to export a table of personal records to an external destination. The high-risk write is intercepted.

Don’t ship an agent without a kill switch.

The Protocol, verifier, vectors, SDK, and MCP packages are open. Add EMILIA Gate when you need managed policy, approval routing, enforcement operations, and continuous evidence.

See pricingRead the docsHow it works
Agent Guard — EMILIA Gate for Tool Calls | EMILIA