For agent builders

Signed intent the agent stack can't bypass.

IntentGuard turns agent constraints into onchain enforcement. Prompt injection, malicious tools, and policy drift cannot override what was signed.

MCP-compatible. Drops into MetaMask Delegation (ERC-7710/7715), CoinFello, and other agentic-execution stacks.

Read the SDK guide →Architecture overview
Where agents lose control

Three failure modes the Execution Gap creates for autonomous execution.

Prompt injection

Tool-level guards run inside the trust boundary

Allowlists, output validators, and policy engines that live inside the agent process can be reasoned around by a successfully injected prompt. The model decides what the policy means in context. The chain does not.

Mempool window

Signed but unbroadcast is the attack surface

Between agent decision, signature, and inclusion, transactions sit exposed to public mempool inspection, MEV searchers, and sandwich bots. The constraints the agent reasoned over no longer hold.

Policy / execution drift

A correct policy is not a correct outcome

The agent's policy declares what the transaction should achieve. Execution clears at whatever the chain state allows. The two diverge silently, and the agent's logs say everything went fine.

Drops into your agent stack

Four steps. Zero replacement of orchestration, planning, or memory layers.

01

Sign

Agent signer · session key · ERC-7710 delegation

The agent signs the transaction with whatever signer authority it already holds. No new key material. No replacement of the delegation framework.

02

Submit

IntentGuard RPC

Route through the IntentGuard RPC instead of a generic provider. The transaction is held privately, off the public mempool, until a Protection Transaction is matched.

03

Constrain

Protection Transaction · MCP tool · ERC-7715 policy

Declare the outcome the transaction must satisfy: recipient set, output bounds, balance deltas, allowed call targets. The constraint is signed by the same authority as the original transaction.

04

Settle

Onchain enforcement

Execution is validated atomically against the declared constraints. If the outcome diverges, neither transaction is included. No partial fill, no consumed nonce, no broadcast trail.

Scenario

Injected prompt redirects a swap to an attacker address.

Without IntentGuard
  1. Injection rewrites the swap parameters during tool selection.
  2. Tool-level allowlist passes — recipient is in the allowed-contract set.
  3. Transaction signs and broadcasts to public mempool.
  4. Settles. Funds go to the attacker. Policy log reads "ok."
With IntentGuard
  1. Agent signs both the swap and a Protection Transaction declaring valid recipients and minimum output.
  2. Injection still rewrites the swap parameters at tool-call time.
  3. Validation diverges from the declared constraint set.
  4. Neither transaction is included. No broadcast, no funds moved, nonce reusable.
Access

Public RPC. SDK. MCP server.

Standard
$0no fee from IntentGuard

Public IntentGuard RPC. SDK for transaction construction and constraint declaration. MCP server reference implementation. Suitable for prototype agents and individual builders.

Read the SDK guide →
Builder
Contactscaling terms

Dedicated RPC endpoints. Higher throughput. Custom constraint templates. Policy-library integration with delegation frameworks. Co-engineering for agent platforms shipping at production scale.

Talk to engineering →

Drop chain-level enforcement into your agent.

The SDK and MCP server are public. The RPC is live on mainnet. Build today.

Read the SDK guide →Talk to engineering on Telegram