ClawVault Payments
Security middleware for AI agents handling money. Non-custodial crypto wallets and virtual Visa cards with spending limits, whitelists, and human approval.
Description
name: ClawVault Payments description: Security middleware for AI agents handling money. Non-custodial crypto wallets and virtual Visa cards with spending limits, whitelists, and human approval. homepage: https://clawvault.cc source: https://github.com/andrewszk/clawvault-mcp-server metadata: openclaw: emoji: "🦞" primaryEnv: CLAWVAULT_API_KEY requires: env: - name: CLAWVAULT_API_KEY description: "Your ClawVault API key (format: cv_live_xxxxx). Get one at https://clawvault.cc/agents" required: true
ClawVault Agent Skill
You have access to ClawVault, a security middleware for AI agents. ClawVault protects TWO spending channels:
- Crypto payments - USDC transfers on Base and Solana blockchains
- Agent Card - Virtual Visa card for any merchant worldwide (SaaS, APIs, cloud, etc.)
Both channels use the same rules engine. Every transaction is validated against user-defined rules. Transactions within rules auto-approve; transactions outside rules require human approval via Telegram or dashboard.
Security Model
- Non-custodial: Your keys never leave your wallet
- Rule-enforced: Spending limits, whitelists, time windows enforced on-chain
- Human-in-the-loop: Anything outside rules requires explicit approval
- Audit trail: All transactions logged and visible in dashboard
API Base URL
https://api.clawvault.cc
Authentication
All requests require your API key in the Authorization header:
Authorization: Bearer ${CLAWVAULT_API_KEY}
Get your API key at: https://clawvault.cc/agents
CRYPTO PAYMENTS (On-Chain)
1. Request a Crypto Payment
When you need to send USDC to a blockchain address:
POST /v1/payments
Content-Type: application/json
{
"amount": "50.00",
"token": "USDC",
"recipient": "0x1234567890abcdef1234567890abcdef12345678",
"chain": "base",
"reason": "Payment for services rendered",
"skill": "transfer"
}
Response (Success)
{
"success": true,
"data": {
"id": "pi_abc123",
"status": "pending",
"expiresAt": "2026-02-27T12:00:00Z"
}
}
Possible Statuses
auto_approved- Payment executed immediately (within rules)pending- Awaiting human approval via Telegram/dashboarddenied- Payment was rejectedexpired- Approval window closed (5 minutes)
2. Check Before Sending (Dry Run)
Before making a payment, check if it will auto-approve or need manual approval:
POST /v1/rules/check
Content-Type: application/json
{
"amount": "50.00",
"token": "USDC",
"recipient": "0x1234...",
"chain": "base"
}
Response
{
"success": true,
"data": {
"allowed": true,
"autoApprove": false,
"reason": "Manual mode",
"remainingBudget": { "daily": 450.00 },
"remainingTx": { "daily": 46 }
}
}
If autoApprove: false, tell the user the payment needs their approval.
3. Get Vault Status
Check your vault balance and current limits:
GET /v1/vault
Response
{
"success": true,
"data": {
"chain": "base",
"balances": [{ "token": "USDC", "balance": "150.00" }],
"rules": {
"mode": "manual",
"perTxLimit": 500,
"dailyTxMax": 20
}
}
}
AGENT CARD (Visa Card)
Use the Agent Card when you need to pay for:
- SaaS subscriptions (Vercel, Netlify, etc.)
- API services (OpenAI, Anthropic, Twilio, etc.)
- Cloud compute (AWS, GCP, Azure)
- Any merchant that accepts Visa
4. Request a Card Purchase
POST /v1/card/purchase
Content-Type: application/json
{
"amount": 20.00,
"currency": "USD",
"merchant": "OpenAI API",
"merchant_category": "api_services",
"reason": "GPT-4 API credits for research task"
}
Response (Approved)
{
"success": true,
"data": {
"id": "card_txn_abc123",
"status": "approved",
"card_credentials": {
"number": "4242837419283847",
"exp_month": 3,
"exp_year": 2028,
"cvc": "847"
},
"valid_for_seconds": 300
}
}
Response (Needs Approval)
{
"success": true,
"data": {
"id": "card_txn_abc123",
"status": "pending_approval",
"reason": "Amount exceeds auto-approve threshold"
}
}
IMPORTANT: Card credentials are temporary and single-use. Use them immediately at the merchant checkout. Never log or store card credentials.
5. Check Card Balance
GET /v1/card/balance
Response
{
"success": true,
"data": {
"balance": 450.00,
"currency": "USD",
"spent_today": 50.00,
"spent_this_month": 350.00,
"daily_limit": 500.00,
"monthly_limit": 5000.00
}
}
6. Check Card Rules
Before making a purchase, check if it's allowed:
POST /v1/card/check
Content-Type: application/json
{
"amount": 20.00,
"merchant_category": "api_services"
}
Response
{
"success": true,
"data": {
"allowed": true,
"autoApprove": true,
"reason": "Within limits, allowed category"
}
}
COMMON ENDPOINTS
7. Check Payment/Purchase Status
GET /v1/payments/{payment_id}
GET /v1/card/transactions/{transaction_id}
8. List Recent Transactions
GET /v1/transactions?limit=10
GET /v1/card/transactions?limit=10
DECIDING: CRYPTO vs CARD
Use this logic to decide which channel to use:
| Scenario | Use |
|---|---|
| Paying a blockchain address (0x...) | Crypto (/v1/payments) |
| Paying for SaaS subscription | Card (/v1/card/purchase) |
| Paying for API credits | Card (/v1/card/purchase) |
| Paying for cloud services | Card (/v1/card/purchase) |
| Paying for any online service | Card (/v1/card/purchase) |
| Sending money to another person's crypto wallet | Crypto (/v1/payments) |
| DeFi, staking, token swaps | Crypto (/v1/payments) |
Rule of thumb: If it's a blockchain address, use crypto. If it's a company/service, use the card.
HUMAN APPROVAL FLOW
When a transaction requires approval:
- User is notified via Telegram bot or ClawVault dashboard
- User reviews the transaction details (amount, recipient, reason)
- User approves or denies with one tap
- Transaction executes if approved, or is cancelled if denied
- Approval expires after 5 minutes if no action taken
Always inform the user when approval is required: "This transaction needs your approval. Check your Telegram or ClawVault dashboard."
COMMON SCENARIOS
Scenario: User asks to pay for OpenAI API credits
- Call
/v1/card/checkto verify it's allowed - If allowed, call
/v1/card/purchasewith merchant="OpenAI API" - If
status: "approved", use the card credentials at checkout immediately - If
status: "pending_approval", tell user: "This purchase needs your approval. Check Telegram or ClawVault dashboard."
Scenario: User asks to send USDC to an address
- Call
/v1/rules/checkto see if it will auto-approve - Call
/v1/paymentswith the recipient address - If
status: "pending", tell user to approve in Telegram
Scenario: Card purchase denied
Tell the user: "The purchase was denied. Reason: {reason}. Check ClawVault dashboard for details."
Scenario: Insufficient card balance
Tell the user: "Insufficient card balance. Current balance: ${balance}. The card needs to be funded."
ERROR HANDLING
Common Errors
| Code | Meaning | Action |
|---|---|---|
INVALID_KEY |
Bad API key | Check your API key |
TIER_LIMIT_EXCEEDED |
Monthly limit reached | User needs to upgrade |
INSUFFICIENT_BALANCE |
Not enough funds | User needs to deposit (crypto) or fund card |
RULE_VIOLATION |
Outside allowed parameters | Check the reason field |
CARD_FROZEN |
Card is frozen | User needs to unfreeze in dashboard |
MERCHANT_BLOCKED |
Merchant category not allowed | Cannot purchase from this merchant |
CARD_NOT_ACTIVE |
Card not set up | User needs to apply for Agent Card |
Error Response Format
{
"success": false,
"error": {
"code": "RULE_VIOLATION",
"message": "Exceeds per-transaction limit of $100"
}
}
SECURITY BEST PRACTICES
- Never log card credentials - Card numbers, CVCs are sensitive
- Always check first - Use
/v1/rules/checkor/v1/card/checkbefore transactions - Explain to users - If approval is needed, tell them where to approve
- Handle pending - Don't assume transactions complete immediately
- Use card credentials immediately - They expire in 5 minutes
- Show transaction links - For crypto, link to
https://basescan.org/tx/{txHash}
SUPPORT
- Dashboard: https://clawvault.cc
- Docs: https://clawvault.cc/docs
- API Status: https://api.clawvault.cc/health
- Source: https://github.com/andrewszk/clawvault-mcp-server
Reviews (0)
No reviews yet. Be the first to review!
Comments (0)
No comments yet. Be the first to share your thoughts!