pop-pay
Project Point One Percent - Agent Pay [pop-pay] is a payment guardrail and one-time flow protocol specifically designed for Agentic AI (e.g., Claude Code, OpenClaw). It enables agents to handle financial transactions safely without risking unlimited exposure of human-controlled credit cards.
<p align="center"> <picture> <img src="https://raw.githubusercontent.com/100xPercent/pop-pay-python/main/project_banner.png" alt="Point One Percent (AgentPay)" width="800"> </picture> </p>
Point One Percent — pop-pay
<p align="left"><i>it only takes <b>0.1%</b> of Hallucination to drain <b>100%</b> of your wallet.</i></p>
The runtime security layer for AI agent commerce. Drop-in CLI + MCP server. Card credentials are injected directly into the browser DOM via CDP — they never enter the agent's context window. One hallucinated prompt can't drain a wallet it can't see.
<p align="center"> <img src="https://raw.githubusercontent.com/100xPercent/pop-pay-python/main/assets/runtime_demo.gif" alt="Point One Percent — live CDP injection demo" width="800"> </p>
Install
Choose your preferred method:
<details> <summary>pipx — isolated global CLI</summary>
pipx install "pop-pay[mcp]"
</details>
<details> <summary>pip</summary>
pip install "pop-pay[mcp]"
</details>
<details> <summary>uv (isolated tool install)</summary>
uv tool install "pop-pay[mcp]"
</details>
<details> <summary>Extras matrix — feature flags</summary>
pip install "pop-pay" # core (keyword guardrail + mock provider)
pip install "pop-pay[mcp,browser]" # CDP injection (browser automation)
pip install "pop-pay[mcp,llm]" # LLM guardrails (OpenAI, Ollama, vLLM, OpenRouter)
pip install "pop-pay[stripe]" # Stripe virtual card issuing
pip install "pop-pay[langchain]" # LangChain integration
pip install "pop-pay[all]" # everything
</details>
All install paths expose the CLI binaries: pop-launch, pop-init-vault, pop-unlock, and pop-pay (dashboard launcher).
Using Node.js / JavaScript? Check out pop-pay (npm): npm i -g pop-pay or brew install 100xpercent/tap/pop-pay. Same security model, same vault format, independent release cycle, so it is safe to switch between runtimes.
Quick Start (CLI)
1. Initialize the encrypted credential vault
pop-init-vault
This encrypts your card credentials into ~/.config/pop-pay/vault.enc (AES-256-GCM). For stronger protection (blocks agents with shell access):
pop-init-vault --passphrase # one-time setup
pop-unlock # run once per session
2. Launch Chrome with CDP remote debugging
pop-launch
Opens a Chromium instance on http://localhost:9222 that pop-pay injects credentials into. Your agent (via MCP, browser automation, or x402) then drives the checkout flow — card details never leave the browser process.
3. Open the monitoring dashboard (optional)
pop-pay
Real-time view of agent payment activity, budget utilization, and rejection logs.
4. Plug into your agent
Two supported integration paths:
- MCP server — add pop-pay to any MCP-compatible client (Claude Code, OpenClaw). See MCP Server below.
- Python SDK / LangChain — see Python SDK below.
MCP Server (optional)
The MCP server is invoked as a Python module and decrypts the vault at startup.
Add to your MCP client
```json
{
  "mcpServers": {
    "pop-pay": {
      "command": "python3",
      "args": ["-m", "pop_pay.mcp_server"],
      "env": {
        "POP_CDP_URL": "http://localhost:9222"
      }
    }
  }
}
```
<details> <summary>Claude Code</summary>
claude mcp add pop-pay -- python3 -m pop_pay.mcp_server
With environment variables:
```bash
claude mcp add pop-pay \
  -e POP_CDP_URL=http://localhost:9222 \
  -e POP_ALLOWED_CATEGORIES='["aws","cloudflare"]' \
  -e POP_MAX_PER_TX=100.0 \
  -e POP_MAX_DAILY=500.0 \
  -e POP_GUARDRAIL_ENGINE=keyword \
  -- python3 -m pop_pay.mcp_server
```
</details>
<details> <summary>OpenClaw / NemoClaw</summary>
Compatible with any MCP host. See the Integration Guide for setup instructions and System Prompt templates.
</details>
<details> <summary>Docker</summary>
docker-compose up -d
Runs the MCP server + headless Chromium with CDP. Mount your encrypted vault from the host. See docker-compose.yml for configuration.
</details>
MCP Tools
| Tool | Description |
|---|---|
| request_virtual_card | Issue a virtual card and inject credentials into the checkout page via CDP. |
| request_purchaser_info | Auto-fill billing/contact info (name, address, email, phone). |
| request_x402_payment | Pay for API calls via the x402 HTTP payment protocol. |
| page_snapshot | Scan a checkout page for hidden prompt injections or anomalies. |
Configuration
Core variables in ~/.config/pop-pay/.env. See ENV_REFERENCE.md for the full list.
| Variable | Default | Description |
|---|---|---|
| POP_ALLOWED_CATEGORIES | ["aws","cloudflare"] | Approved vendor categories — see Categories Cookbook |
| POP_MAX_PER_TX | 100.0 | Max USD per transaction |
| POP_MAX_DAILY | 500.0 | Max USD per day |
| POP_BLOCK_LOOPS | true | Block hallucination/retry loops |
| POP_AUTO_INJECT | true | Enable CDP card injection |
| POP_GUARDRAIL_ENGINE | keyword | keyword (zero-cost) or llm (semantic) |
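
How the category allowlist and the two spend caps above can compose into one decision, as an added sketch that is not pop-pay's own code. The cumulative reading of POP_MAX_DAILY, the case-insensitive category match, and the names `load_policy` and `evaluate` are assumptions; the point it shows is fail-closed parsing and rejecting NaN, infinite and negative amounts before any cap comparison.

```python
import json
from decimal import Decimal, InvalidOperation

# Defaults copied from the Configuration table; everything else here is hypothetical.
DEFAULTS = {
    "POP_ALLOWED_CATEGORIES": '["aws","cloudflare"]',
    "POP_MAX_PER_TX": "100.0",
    "POP_MAX_DAILY": "500.0",
}

def load_policy(env):
    """Parse the POP_* limits; a malformed value raises instead of widening the policy."""
    cfg = {**DEFAULTS, **{k: v for k, v in env.items() if k in DEFAULTS}}
    cats = json.loads(cfg["POP_ALLOWED_CATEGORIES"])
    if not isinstance(cats, list) or not all(isinstance(c, str) for c in cats):
        raise ValueError("POP_ALLOWED_CATEGORIES must be a JSON list of strings")
    caps = []
    for key in ("POP_MAX_PER_TX", "POP_MAX_DAILY"):
        value = Decimal(cfg[key])
        if not value.is_finite() or value <= 0:
            raise ValueError(f"{key} must be a positive finite number")
        caps.append(value)
    return {c.strip().lower() for c in cats}, caps[0], caps[1]

def evaluate(policy, category, amount, spent_today):
    """Return (approved, reason); spent_today is the total already approved today."""
    allowed, max_tx, max_daily = policy
    try:
        amt = Decimal(str(amount))
    except InvalidOperation:
        return False, "amount is not a number"
    # A float NaN makes every ">" test False and would pass both caps;
    # a negative amount would lower the running daily total.
    if not amt.is_finite() or amt <= 0:
        return False, "amount must be a positive finite number"
    if category.strip().lower() not in allowed:
        return False, "category not allowed"
    if amt > max_tx:
        return False, "exceeds POP_MAX_PER_TX"
    if Decimal(str(spent_today)) + amt > max_daily:
        return False, "exceeds POP_MAX_DAILY"
    return True, "approved"
```
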
Guardrail Mode
| | keyword (default) | llm |
|---|---|---|
| Mechanism | Keyword matching on reasoning string | Semantic analysis via LLM |
| Cost | Zero — no API calls | One LLM call per request |
| Best for | Development, low-risk workflows | Production, high-value transactions |
To enable LLM mode, see Integration Guide §1.
Providers
| Provider | Description |
|---|---|
| BYOC (default) | Bring Your Own Card — encrypted vault credentials, local CDP injection. |
| Stripe Issuing | Real virtual cards via Stripe API. Requires POP_STRIPE_KEY. |
| Lithic | Multi-issuer adapter (Stripe Issuing / Lithic). |
| Mock | Test mode with generated card numbers for development. |
Priority: Stripe Issuing → BYOC Local → Mock.
Python SDK
Integrate pop-pay into custom Python or LangChain workflows:
```python
from pop_pay.client import PopClient
from pop_pay.providers.stripe_mock import MockStripeProvider
from pop_pay.core.models import GuardrailPolicy

client = PopClient(
    provider=MockStripeProvider(),
    policy=GuardrailPolicy(
        allowed_categories=["API", "Cloud"],
        max_amount_per_tx=50.0,
        max_daily_budget=200.0,
    ),
)

# LangChain integration
from pop_pay.tools.langchain import PopPaymentTool

tool = PopPaymentTool(client=client, agent_id="agent-01")
```
See Integration Guide §2 for the full SDK and provider reference.
Security
| Layer | Defense |
|---|---|
| Context Isolation | Card credentials never enter the agent's context window or logs |
| Encrypted Vault | AES-256-GCM with PBKDF2 key derivation and OS keyring integration |
| TOCTOU Guard | Domain verified at the moment of CDP injection — blocks redirect attacks |
| Repr Redaction | Automatic masking (****-4242) in all MCP responses, logs, and tracebacks |
See THREAT_MODEL.md for the full STRIDE analysis and COMPLIANCE_FAQ.md for enterprise details.
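
The TOCTOU Guard row, as an added illustration rather than pop-pay's implementation: the approved domain is re-checked against the tab's live URL at injection time instead of trusting the URL seen at approval. `FakePage`, `host_matches`, `inject`, the HTTPS-only and subdomain rules, and the `.example` / `.test` hosts are all constructed for this sketch.

```python
from urllib.parse import urlsplit

def host_matches(approved_domain, current_url):
    """True only if current_url is https and its host is approved_domain or a subdomain."""
    try:
        parts = urlsplit(current_url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False
    approved = approved_domain.rstrip(".").lower()
    if parts.scheme != "https" or not host or not approved:
        return False
    # Require a label boundary so "notshop.example" does not match "shop.example".
    return host == approved or host.endswith("." + approved)

class FakePage:
    """Constructed stand-in for a CDP-driven tab whose URL changes between reads."""
    def __init__(self, urls):
        self._urls = list(urls)
        self.filled = None

    def current_url(self):
        return self._urls.pop(0) if len(self._urls) > 1 else self._urls[0]

    def fill_card(self, secret):
        self.filled = secret

def inject(page, approved_domain, secret):
    """Re-read the live URL immediately before filling; the approval-time URL is not reused."""
    if not host_matches(approved_domain, page.current_url()):
        return False
    page.fill_card(secret)
    return True
```

With a real CDP session the host should be read from the browser's own view of the tab at injection time, not from a URL string the agent supplies.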
Architecture
- Python — Core engine, MCP server, guardrail logic, CLI
- Cython — Performance-critical vault operations and memory protection
- Chrome DevTools Protocol — Direct DOM injection via raw WebSocket
- SQLite — Local transaction auditing and state management
Documentation
- Threat Model — STRIDE analysis, 5 security primitives, 10 attack scenarios
- Guardrail Benchmark — 95% accuracy across 20 test scenarios
- Compliance FAQ — PCI DSS, SOC 2, GDPR details
- Environment Reference — All POP_* environment variables
- Integration Guide — Setup for Claude Code, Python SDK, and browser agents
- Categories Cookbook — POP_ALLOWED_CATEGORIES patterns and examples
License
MIT