A Self Protocol product

Give your agent a card it can't leak.

Your real payment details stay with us. Your agent gets mock tokens that work at checkout. Credit cards never enter the agent context, logs, or memory.

shopping-agent.ts
// agent context
card: SAPu7x2kc1000000
name: u7x2k_first_name
zip: u7x2k_bill_zip
> page.click('#pay')
Card in agent context: Never
Mock token expiry: 15 min
Spending limits + allowlists: Per card
To switch from Playwright: 1 import

The problem

The problem in 30 seconds.

An agent browses a product page. The page contains injected instructions. The agent dumps its context to an attacker-controlled endpoint. If your card number was in that context, it's gone.

Before Self Agent Pay: agent context
{
  "card_number": "4242 4242 4242 4242",
  "cardholder": "Taylor Chen",
  "cvv": "823",
  "billing_zip": "94105"
}

After Self Agent Pay: agent context
{
  "card_number": "SAPu7x2kc1000000",
  "cardholder": "u7x2k_first_name u7x2k_last_name",
  "cvv": "SAPu7x2kc1cvv",
  "billing_zip": "u7x2k_bill_zip"
}

If the agent is compromised, the attacker gets mock tokens. They are single-use, session-scoped, and expire in 15 minutes. They cannot make a purchase anywhere except through our proxy.

How it works

Four steps. Change one import.

If your agent uses Playwright, it works with Self Agent Pay. The rest is config in the dashboard.

01

Store your card once, in the dashboard

Cards and addresses sit in an encrypted vault. Nothing leaves until a proxy session needs it.

// dashboard.selfagent.pay
Card added
  brand: Visa
  last4: 4242
  exp:   09/28
02

Create an agent card with spending limits for each agent

Each agent card has its own caps and its own kill switch. API keys are issued separately.

POST /v1/virtual_cards
{
  "name": "Shopping Agent",
  "card_id": "card_1",
  "weekly_limit": 200,
  "per_txn_cap": 75
}
03

Your agent uses mock tokens when filling forms

Tokens look like real fields but carry no monetary value. A compromised agent can leak them all day.

await page.fill('#cc',   'SAPu7x2kc1000000');
await page.fill('#name', 'u7x2k_first_name');
await page.fill('#zip',  'u7x2k_bill_zip');
await page.click('#pay');
04

Our proxy swaps tokens for real values, at the last moment

The real values are injected inside an isolated session the agent cannot observe. The merchant sees a normal transaction.

// inside the proxy (you never see this)
const real = await vault.resolve(session, token);
request.form.cc = real.cardNumber;
await submit(request);
// merchant sees: 4242 4242 4242 4242
Security model

What the agent can't reach, it can't leak.

Three independent controls. The agent is isolated from real values, from other sessions, and from its own spending ceiling.

The agent never sees the card

Mock tokens in the agent's context, real numbers in ours. Substitution happens inside a proxy the agent cannot observe or script.

Per-card spending limits

Agent cards have daily, weekly, monthly, and per-transaction caps. Optional merchant allowlists. Auto-pause on any limit exceeded.

Session isolation

Each agent session runs in its own browser context. Cookies, storage, and cache do not cross between sessions. Tokens are single-use and expire in 15 minutes.

Three layers. The agent only ever touches the top.
Use cases

Built for agents that need to transact.

Any workflow that ends in a checkout form works. You decide which agent gets which card, and how much it can spend.

Example agent cards:
Shopping Agent: $142 / $200 this week (SAP, Visa .... 0742)
Research Agent: $28 / $100 this week (SAP, Visa .... 1183)
Procurement Agent: $86 / $500 this week (SAP, Visa .... 5520)

Personal shopping agents
"Book me a flight under $400." Keep the agent to a weekly cap.
Research agents
Buy reports, data access, or paywalled papers on demand.
Dev tools
Purchase API credits when a rate limit is hit mid-pipeline.
Procurement agents
Small teams that let an assistant handle recurring orders.
Pricing

Start free.

Plus and Pro are in development. Only Free is available today. The comparison below is what each tier will include at launch.

Free
$0/month

Everything you need to give one agent a card with sensible defaults.

Pro
$20/month

Unlimited volume and merchant allowlists for every agent card.

Feature                 Free   Plus   Pro
Payments per week       2      20     Unlimited
Agent cards             1      5      Unlimited
Daily spend limits      -      Yes    Yes
Merchant allowlists     -      -      Yes
Webhook notifications   -      Yes    Yes
Email support           -      Yes    Yes
Priority support        -      -      Yes

Compatibility

If it uses Playwright, it works.

Change one import. Keep the rest of your agent code.

import { chromium } from '@selfxyz/agent-pay-playwright'; // one import change

const browser = await chromium.launch();
const page = await browser.newPage();
await page.goto('https://checkout.example.com');

await page.fill('#card', 'SAPu7x2kc1000000'); // mock card token
await page.fill('#name', 'u7x2k_first_name'); // mock identity token
await page.fill('#zip', 'u7x2k_bill_zip');    // mock address token
await page.click('#pay');                     // proxy substitutes real values

Before
Playwright
import { chromium } from 'playwright';

const browser = await chromium.launch();
const page = await browser.newPage();
await page.goto(url);
await page.fill('#card',  CARD_NUMBER);
await page.fill('#name',  CARDHOLDER);
await page.click('#pay');
After
Self Agent Pay
import { chromium } from '@selfxyz/agent-pay-playwright';

const browser = await chromium.launch();
const page = await browser.newPage();
await page.goto(url);
await page.fill('#card',  'SAPu7x2kc1000000');
await page.fill('#name',  'u7x2k_first_name');
await page.click('#pay');
Tested agent frameworks
Claude Code
Anthropic's CLI agent
OpenClaw
Open-source agent runtime
Playwright scripts
Plain Node + browser
Computer Use
Anthropic's browser tool
New

Now your agents can log in, too.

Agent Pay now supports login credentials as well as cards. Save a username and password once, and your agent signs in with mock tokens — your real credentials never enter the agent's context, so a prompt injection can't leak them.

Logins: what the agent sees when it fills a sign-in form

The proxy swaps each token for the real value inside an isolated session, at the moment of submit. Add your logins from the Logins tab in the dashboard.

Questions

Things people ask.

If something is missing, write to us. We answer honestly, including about what we don't have yet.

It gets a mock token it can leak all day. The real card number was never in the room. Mock tokens expire in 15 minutes and only work through our proxy, so they have no value outside a short window and a specific session.
Not today. The current preview stores encrypted card data in our own database for iteration speed. Production will use a certified vault provider with a proper attestation. We are not overselling this. Do not use the preview with cards you rely on.
A normal transaction with a real card number and a real billing address. They do not know a proxy was involved. There is nothing unusual for their fraud detection to flag.
Yes. Pause an agent card on its detail page or hit the kill switch on the Overview. Pending proxy sessions fail their next substitution attempt. Unpause when you want the agent back.
Set a per-transaction cap and a weekly limit when you create the agent card. You can require confirmation above a threshold. If the agent goes over, the card auto-pauses and you get a notification.
Yes. The Playwright drop-in works identically in headless mode. CI credentials live in env vars alongside your existing secrets.
Bank virtual cards stop fraudulent charges. This stops the card number from ever entering the agent's context. If your agent is compromised, a bank virtual card still leaks the number. A mock token does not.
In the preview, yes, encrypted, for development purposes. In production, card numbers will live in a certified vault provider and we will hold only tokenized references. We will document the provider and the attestation publicly.