Exequatur lets an AI agent spend for you, but blocks any payment you didn't intend, enforced on-chain so it can't be bypassed



You can already hand an AI agent a scoped permission to spend your money: a MetaMask Smart Accounts delegation with a spend cap. But a cap alone is a weak guarantee. A prompt-injected, hijacked, or simply confused agent can still pay the wrong recipient an amount that is technically "within the cap." The cap controls how much. It never asks whether this specific payment is the one you asked for. That gap is exactly where agent money gets stolen.
On top of the cap, every single payment must carry a fresh signature from a policy that actually reads the action and decides whether it matches your intent. That decision runs through Venice. A custom on-chain caveat (AttestationEnforcer) enforces the signature at redemption, so the agent cannot skip it.
If the agent goes rogue, the policy simply will not sign, and the on-chain redemption reverts.
If the agent forges its own signature, the enforcer checks it against the policy key baked into the delegation and rejects it.
It fails closed: an error, a timeout, or garbage model output all mean deny, and nothing moves.
The grant (you sign once). Your MetaMask smart account (the delegator) signs one scoped delegation to an agent EOA (the delegate): a spend cap plus a custom AttestationEnforcer caveat pinned to a policy signer. The connected MetaMask wallet is the signatory (ERC-7710); deploy, gas, and funding are sponsored, so the user only signs once.
The policy (off-chain decision, via Venice). Each proposed payment is screened (a sanctions / risk check on the recipient), then sent to a policy service that calls Venice with your plain-language intent, the exact proposed action, and the untrusted context the agent saw (a seller's pitch, a pasted email). Venice returns a structured verdict with risk flags like prompt_injection, intent_mismatch, and amount_exceeds_intent. On approve, the service signs an attestation bound to the exact action (chain, delegation, target, amount, calldata, nonce, expiry).
The enforcer (on-chain). The agent redeems through the canonical DelegationManager. The AttestationEnforcer recomputes the action hash and verifies the attestation against the pinned policy key. No fresh, matching signature means the redemption reverts. The attestation is single-use and keyed per delegation, so an old approval cannot be replayed and one payment's signature cannot be reused for another.
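The grant, policy and enforcer steps above, as an added off-chain sketch (not Exequatur's own code). Ed25519 and SHA-256 stand in for the contract's signature and hash scheme, which the page does not specify; the function names, the `decision` field of the verdict and all sample values are assumptions.

```javascript
// Added illustration, not Exequatur's code. Ed25519 + SHA-256 stand in for the
// on-chain signature and hash scheme; names and the verdict shape are assumed.
const { createHash, generateKeyPairSync, sign, verify } = require("node:crypto");
// Canonical digest over every field the attestation is bound to.
function actionHash(a) {
  const fields = [a.chainId, a.delegation, a.target, a.amount, a.calldata, a.nonce, a.expiry];
  return createHash("sha256").update(JSON.stringify(fields.map(String))).digest();
}

// Policy side: sign only on a well-formed approve verdict; anything else is a deny.
function attest(policyKey, action, rawVerdict) {
  let verdict = null;
  try { verdict = JSON.parse(rawVerdict); } catch { /* garbage model output */ }
  if (!verdict || verdict.decision !== "approve") return null; // fail closed
  return sign(null, actionHash(action), policyKey);
}

// Enforcer side: pinned policy key, consumed nonces tracked per delegation,
// and the hash recomputed from the action actually being redeemed.
function makeEnforcer(pinnedPolicyKey) {
  const used = new Map();
  return function check(action, signature, now) {
    if (!signature) return "revert: no attestation";
    if (now > action.expiry) return "revert: expired";
    const seen = used.get(action.delegation) || new Set();
    if (seen.has(action.nonce)) return "revert: replayed";
    if (!verify(null, actionHash(action), pinnedPolicyKey, signature)) return "revert: bad signature";
    used.set(action.delegation, seen.add(action.nonce));
    return "ok";
  };
}

// Constructed sample data: keys, addresses, amounts and timestamps are made up.
function demo() {
  const [policy, agent] = [generateKeyPairSync("ed25519"), generateKeyPairSync("ed25519")];
  const check = makeEnforcer(policy.publicKey);
  const pay = { chainId: 84532, delegation: "0xdeleg-1", target: "0xseller", amount: "25000000", calldata: "0xa9059cbb", nonce: 1, expiry: 1000 };
  const at = (nonce) => ({ ...pay, nonce });
  const approve = '{"decision":"approve"}';
  const sig = attest(policy.privateKey, pay, approve);
  return {
    approved: check(pay, sig, 900),
    replayed: check(pay, sig, 900),
    redirected: check({ ...at(2), target: "0xother" }, sig, 900),
    forged: check(at(3), sign(null, actionHash(at(3)), agent.privateKey), 900),
    denied: check(at(4), attest(policy.privateKey, at(4), '{"decision":"deny"}'), 900),
    garbage: check(at(5), attest(policy.privateKey, at(5), "Sure, looks fine!"), 900),
    expired: check(at(6), attest(policy.privateKey, at(6), approve), 1001),
  };
}
```

Calling `demo()` returns one result per case: only the untouched, first-use payment returns `"ok"`, and every other case reverts with the reason the enforcer hit first.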
Exequatur is built on the MetaMask Smart Accounts Kit (the Delegation Framework, ERC-7710), and that integration is the main flow: connect a wallet, sign one scoped delegation, and every payment the agent makes is an on-chain DelegationManager.redeemDelegations call gated by our custom caveat.
We deliberately use Smart Accounts (ERC-7710) rather than Advanced Permissions (ERC-7715): 7715 cannot express a custom caveat, and our entire firewall is a custom AttestationEnforcer caveat.
The connected wallet is the signatory, so it stays signer-agnostic.
Best Agent. An autonomous agent you hand a budget to and instruct in plain language. The Smart Accounts Kit delegation and redemption are the core of the flow: the agent proposes payments, each is screened and judged by Venice, then either settles on-chain or is refused, all visible live in a chat console with action cards.
Best A2A coordination. The agent redelegates a narrower spend cap to a second worker agent (ERC-7710 redelegation). The worker pays within its reduced scope; the firewall caveat rides both hops, so the sub-agent is gated too, and a payment over the narrowed cap reverts on-chain. A broken delegation chain reverts as well.
Best use of Venice AI. Venice is the decision, not a garnish. Every payment's allow/deny is a live Venice call that reads intent + action + untrusted context and returns a structured verdict. Its output literally controls whether money moves: the on-chain enforcer requires a fresh policy signature that is only produced on a Venice approve, and the policy fails closed. We also use it in a two-seller gift-card demo where a legitimate seller and a bad actor compete and Venice (not the UI) decides which payment is legitimate.
A real product surface, not a script. Connect a wallet, grant a scoped allowance once, then instruct the agent in plain language. Safe payments flow straight to the firewall; risky ones pause for your confirmation. Each action shows a live card: address screening, the Venice verdict, the on-chain result, and a collapsible agent-log trail. Revoke any grant from the sidebar; the firewall then stops attesting it and any further redemption reverts on-chain. No bundler is used anywhere: the agent and worker are plain EOAs, so a redemption is an ordinary transaction to the DelegationManager. Only the delegator is a smart account. All keys and the policy live server-side; the browser only builds and signs the delegation with the user's MetaMask wallet.
Website: https://exequatur.xyz
AttestationEnforcer: https://sepolia.basescan.org/address/0xf16c36b6c2a3b539074f56697947a8d931d253c9
MockUSDC: https://sepolia.basescan.org/address/0xb04e3063545f6a8658a0421c66fa3977ae3235dd
A payment cleared through the firewall: https://sepolia.basescan.org/tx/0x159580fc3005f7e75c47bd11e8b0437c907eb70746f8692f3944c70f76d904c2
The DelegationManager is the canonical one from the MetaMask Smart Accounts Kit.
MetaMask Smart Accounts Kit (the Delegation Framework, ERC-7710): smart accounts, scoped delegations, redelegation, and the custom AttestationEnforcer caveat. This is the core of the main flow.
Venice: the policy brain that reads intent + action + untrusted context and returns the verdict that gates every payment (OpenAI-compatible API, structured JSON output, fails closed).
Best Agent
Sign one scoped delegation — https://github.com/vwakesahu/exequatur/blob/main/console/lib/grant.ts#L35
Onboarding (connect + grant) — https://github.com/vwakesahu/exequatur/blob/main/console/components/console/onboarding.tsx
The pay tool — https://github.com/vwakesahu/exequatur/blob/main/console/app/api/agent/route.ts#L67
attemptPayment (propose → authorize → redeem) — https://github.com/vwakesahu/exequatur/blob/main/sdk/src/agent.ts#L69
On-chain redeem — https://github.com/vwakesahu/exequatur/blob/main/sdk/src/delegation.ts#L89
redeemSignedDelegation — https://github.com/vwakesahu/exequatur/blob/main/sdk/src/console.ts#L351
Best A2A coordination
createWorkerRedelegation — https://github.com/vwakesahu/exequatur/blob/main/sdk/src/delegation.ts#L42
redelegateAndPay — https://github.com/vwakesahu/exequatur/blob/main/sdk/src/console.ts#L448
The redelegate tool — https://github.com/vwakesahu/exequatur/blob/main/console/app/api/agent/route.ts#L76
Tests: worker within cap — https://github.com/vwakesahu/exequatur/blob/main/contracts/test/Integration.t.sol#L215 · over cap reverts — https://github.com/vwakesahu/exequatur/blob/main/contracts/test/Integration.t.sol#L228 · broken chain reverts — https://github.com/vwakesahu/exequatur/blob/main/contracts/test/Integration.t.sol#L243
Best use of Venice AI
makeVeniceBrain (verdict, risk flags, fails closed) — https://github.com/vwakesahu/exequatur/blob/main/sdk/src/venice.ts#L113
Venice tests — https://github.com/vwakesahu/exequatur/blob/main/sdk/test/venice.test.ts
PolicyService (signs the attestation) — https://github.com/vwakesahu/exequatur/blob/main/sdk/src/policy-service.ts#L62
Venice as the agent brain — https://github.com/vwakesahu/exequatur/blob/main/console/app/api/agent/route.ts#L33
Verified contracts (Basescan, source)
AttestationEnforcer — https://sepolia.basescan.org/address/0xf16c36b6c2a3b539074f56697947a8d931d253c9#code
MockUSDC — https://sepolia.basescan.org/address/0xb04e3063545f6a8658a0421c66fa3977ae3235dd#code
Built Exequatur: a firewall for AI payment agents. A spend cap alone doesn't stop a hijacked agent from paying the wrong person "within the cap," so we make every payment also pass a check that it matches the user's intent, enforced on-chain.
A custom MetaMask Smart Accounts caveat (AttestationEnforcer) that requires a fresh policy signature on every payment, bound to the exact action. Solidity + 16 tests.
A Venice policy that reads the intent, the action, and the untrusted context the agent saw, then approves or denies. Fails closed.
A2A redelegation: the agent hands a worker a narrower cap; the firewall gates both hops.
A console where you connect MetaMask, sign one scoped delegation (no bundler), and chat with the agent. Risky payments pause for confirmation; revoke anytime.
Live end to end on Base Sepolia, deployed: app.exequatur.xyz.