P
PAGAS_DOCS/v1.0.4

Pagas Agent Treasury

The policy and audit layer that approves or blocks AI agent payments before any funds move.

Version: v1.0 • Updated Dec 2025

Policy Engine

Per-agent per-tx + daily limits, USDC-only, optional address whitelist, kill switch.

Agents API

Create/list/update agents; attach policies; toggle enable/disable instantly.

Audit Trail

Every authorization attempt is logged with decision + reason codes; queryable via API or dashboard.

Who it’s for

  • Developers shipping autonomous agents that control crypto balances.
  • Small teams that need guardrails (limits, whitelists) without building their own policy engine.
  • Operators who want an audit trail and emergency kill switch for agent spend.

What Pagas does

  • Enforces per-transaction and daily spend limits per agent.
  • Checks USDC amount, EVM address format, and optional address whitelist.
  • Blocks disabled agents instantly (kill switch) and logs every decision.
  • Provides a dashboard to manage agents, policies, transactions, and API keys.

What Pagas doesn’t do

  • No custody or transaction signing — your app/wallet sends the on-chain tx.
  • Single token/chain for v1 (USDC on supported EVM chains; expansion on roadmap).
  • No enterprise RBAC/SSO yet (planned later).

How it works

  1. Agent calls /v1/payments/authorize with amount, currency, and to_address.
  2. API checks: agent ownership, enabled status, policy exists, USDC-only, EVM address, >0 amount, per-tx limit, daily limit, whitelist.
  3. Decision returned: { allowed, decision_id, reason_code? } and recorded in payment_requests.
  4. If allowed, your app broadcasts the on-chain transaction (Pagas is non-custodial).

Sample authorization

curl -X POST https://api.pagas.link/v1/payments/authorize \
  -H "Authorization: Bearer at_live_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_id": "ag_123",
    "amount": 5,
    "currency": "USDC",
    "to_address": "0xabc123abc123abc123abc123abc123abc123abcd",
    "reason": "payout to creator"
  }'

Success returns { allowed: true, decision_id, policy_snapshot }. Blocks include reason_code (e.g., PER_TX_LIMIT_EXCEEDED, ADDRESS_NOT_WHITELISTED).

Data & privacy

  • Stored in D1: agents, policies, API key hashes (SHA-256), payment request logs with decision + reason code, optional metadata JSON.
  • Not stored: private keys, on-chain signatures, full API keys after creation (only hash + prefix kept).
  • Sessions: dashboard uses BetterAuth with Google/GitHub; cookies scoped to app.pagas.link.

Deploy (Cloudflare)

  • Set secrets: BETTER_AUTH_SECRET, GOOGLE_CLIENT_ID/SECRET, GITHUB_CLIENT_ID/SECRET (optionally SES keys for alerts).
  • Run migrations: wrangler d1 execute pagas-db --remote --file=schema.sql.
  • Deploy: bun run deploy. Domains: api.pagas.link (API), app.pagas.link (dashboard), docs.pagas.link (this site).

Build: Cloudflare Workers + Hono; DB: D1; Auth: API keys for /v1, BetterAuth (Google/GitHub) for dashboard.

Roadmap (public)

  • Q1 2026: Email/webhook alerts live; IP allowlists per project.
  • Q2 2026: Multi-token + multi-chain support; SDK snippets for AgentKit/LangChain.
  • Later: Team roles, audit exports, configurable risk scoring.

Support

Need help or found a bug? Email hello@pagas.link with your decision_id or request payload (no secrets).

System status: ONLINE

Last update: Dec 7, 2025