TRUST · GUARDRAILS · PAYMENTS

A gate that decides
which agents you can trust.

TrustMCP sits in front of your tools and APIs and decides — in real time, before the call runs — whether the calling agent should be allowed, charged, or blocked. Reputation, behavioral policing, and x402 payments in one layer. Zero code changes.

Connect in one file · mcp.json
{
  "mcpServers": {
    "trustmcp": {
      "url": "https://gate.trustmcp.io/api/mcp",
      "headers": { "x-agent-id": "$AGENT_ID" }
    }
  }
}
Live decision feed/api/mcp · /api/gateway
warming up…
0 calls gated0 allowed0 blocked0 paid
VALIRON REPUTATION

Every agent carries a credit rating.

ERC-8004 on-chain history + behavioral sandbox + World ID proof-of-personhood, distilled into a single AAA→C tier. Each endpoint declares the minimum it accepts.

AAA
SCORE 95–100
Everything · send_payment, delete_records
A
SCORE 80–87
Reads, market data, customer records
BA
SCORE 60–69
Public reads · throttled route
CAA
SCORE 35–49
Sandbox only · up to 8× pricing
C
SCORE 0–19
Blocked
RUNTIME PIPELINE

The Gauntlet.

Each bot is one live agent call (from /api/events). It runs six checkpoints in order — and is squashed at the gate that blocks it, or reaches the vault and runs the tool. Bot color = trust tier.

0
Passed
0
Denied
0
Paid · x402
$0.000
Revenue · USDC
SECURITY LAYER
01
Identity
Who is calling?
02
Trust Score
Can we trust it?
03
Policy
Cleared for this tool?
04
Guardrails
Acting sketchy?
05
Approval
Needs a human?
06
x402 Pay
Did it pay?
PROTECTED TOOL
Passed — tool runs Blocked / quarantined 202 approval · 402 unpaid Sandboxed — unknown● live · /api/events
NO DASHBOARD REQUIRED

Run the whole thing from your CLI.

One command adds TrustMCP to Claude, Cursor, or any MCP client. Your agents call gated tools through it — and youoperate the gateway by just talking to it: “register my API”, “show the riskiest agents”, “approve that payment”, “flip the kill switch”. No dashboard.

For your agents — call gated tools
claude mcp add --transport http trustmcp https://your-trustmcp.app/api/mcp \
  --header "x-agent-id: $YOUR_AGENT_ID"

every tool call is trust-gated, guardrailed, and x402-priced before it runs

For you — operate the gateway
claude mcp add --transport http trustmcp-ops https://your-trustmcp.app/api/mcp/operator \
  --header "x-operator-token: $TRUSTMCP_OPERATOR_TOKEN"

0 operator tools — manage everything conversationally

Or drop into any client’s mcp.json
{
  "mcpServers": {
    "trustmcp-ops": {
      "url": "https://your-trustmcp.app/api/mcp/operator",
      "headers": { "x-operator-token": "YOUR_TOKEN" }
    }
  }
}
VALIRON · AGENT PASSPORT

Inspect any agent's reputation.

Full ERC-8004 on-chain history, behavioral sandbox tier, World ID proof-of-personhood, and Icebreaker handles — the same signals the gate uses before every call.

Agent ID
enter an agent id and inspect →
FROM UNKNOWN TO TRUSTED

Onboard a new agent — from the CLI.

A brand-new agent has no reputation, so it’s stuck behind the sandbox. This is the guided path: prove key ownership, link World ID, run a sandbox evaluation — and watch it graduate from “unknown” to a real tier, unlocking tools as its score climbs. Five MCP tools, zero dashboard.

ZERO-KNOWLEDGE TRUST

Prove trust without revealing identity.

Normally an agent sends x-agent-id and the gateway resolves its wallet, full on-chain reputation, and exact score — fully doxxed to every seller it calls. Instead, the agent presents a zero-knowledge proofthat it meets the tool’s trust floor (and is World-ID verified). The browser generates the proof locally from a one-time credential, so the gateway verifies only the predicate and gets a fresh unlinkable pseudonym for each presentation.

Agent
THE GATE · INTERACTIVE

Watch the gate decide.

Pick an agent, point it at a tool or your API, and fire a real request. Every call runs the same five checks — and is rejected at the first one it fails.

Calling agent
Target endpointmin score · price
aaa-trusted-agent
01·
Identity
who is this agent?
02·
Valiron Trust
score ≥ minScore?
03·
Guardrails
injection / budget / velocity
04·
x402 Payment
paid? settle, trust-priced
05·
Run / Forward
execute or proxy
awaiting request — pick an agent + endpoint, then ▸ Send
BEHAVIORAL POLICING

Guardrails & live alerts.

Trusted agents that go rogue mid-session — prompt injection, budget drain, velocity spikes — are caught here before the upstream ever runs.

Per-agent spend meters
no tracked agents yet — run traffic
Live violation alerts
no violations yet
HUMAN IN THE LOOP

High-stakes approvals.

Trust and guardrails are automatic — but moving money or deleting data warrants a human, even for a AAA agent. These calls pause at the gateway (the agent gets a 202), wait for sign-off here, then resume on the agent’s retry. Approve to release, deny to block.

Auto-approve thresholdRED tools + ≥ $10Awaiting review0
Pending approvals
no calls awaiting review — trigger one above
Resolved
nothing resolved yet
CLOSING THE LOOP

Reputation write-back.

Valiron reads reputation. TrustMCP writes it back. Every runtime decision — an injection caught, a budget drained, a paid call honored — becomes an ERC-8004 feedback signal, anchored in a tamper-evident hash chain ready to commit on-chain. The gateway becomes a data source for the trust graph it consumes.

Signals pending0Batches committed0Chain headgenesis
Recommended trust adjustments
no signals yet — run traffic or an attack wave
ERC-8004 write-back ledgerhash-chained
nothing committed yet — generate signals, then “Commit write-back”
Behavioral signal feed
no signals captured yet
DROP-IN FOR ANY MCP SERVER

Gate a real downstream MCP server.

Point TrustMCP at any MCP server and its tools appear in this gateway, namespaced and trust-gated. Calls run the full pipeline — trust → guardrails → approval → x402 — then forward to the real server over JSON-RPC. The downstream needs zero trust logic of its own.

Test a gated call as
click a tool above — AAA forwards to the downstream, low-trust is blocked at the gate
Register any MCP server
TOOL POISONING SHIELD

Protect the agent from the tool.

The rest of the gateway protects the tool from a bad agent. This protects the agent from a bad tool. MCP’s structural gap (CVE-2025-54136): tool descriptions are checked once at connect-time, but tool responses flow straight into the model with no check. TrustMCP scans both channels and strips hidden instructions, exfiltration directives, and invisible-unicode payloads before they ever reach the agent.

Responses scanned0Descriptions scanned0Poison blocked0Tools quarantined0
Quarantined tools (poisoned description)
none — register an MCP server with a poisoned tool, or run the demo
Poison events
nothing caught yet — click “Call a poisoned tool”
REVERSE PROXY · ZERO CODE

Bring your own API.

Register any HTTPS API by URL. TrustMCP becomes an SSRF-guarded reverse proxy in front of it — agents hit your gateway URL, we trust-check, charge, and forward to your origin. Instant monetization and protection.

no APIs registered yet — add one →
REGISTER AN API

SSRF-guarded · HTTPS only · no code changes · live the moment you submit.

loading policy…
OPERATOR · INCIDENT

Gateway controls.

Runtime
Trust modeauto
Chainethereum
x402 settlementmock · no on-chain settlements yet
Valiron operatordisabled · local trust layer

Set VALIRON_OPERATOR_KEY to log billable usage to your Valiron dashboard.

Incident mode
Red team

Unleash 16 hostile agents hammering dangerous tools plus a few trusted callers — watch the gate hold the line and the guardrails feed light up.

OBSERVABILITY

Live activity.

Every allow / deny / paid decision, streamed in real time. The dashboard is the proof — the integration is one line.

0
Calls gated
0
Allowed
0
Blocked
0% block rate
0
Paid (x402)
$0.00
Revenue · USDC
Decision log
VERDICTAGENT → ENDPOINTREASONTIER · PAY
no all decisions yet