Get a key
You get an API key for one monitored agent workflow. Run it repeatedly; trace credits count the proof trails.
The developer on-ramp to Forge Orbital
Agents are moving from chat to action. They can issue a refund, send a payment, approve a vendor, route a purchase, isolate an account, or place a trade. Forge Agent Gate gives that agent an API key, adds approval gates and spending limits, checks each action against the mandate you set, and turns the result into a proof trail before the action becomes a mess you have to explain later.
One API key. One mandate. Any consequential agent action you want bounded.
Forge Orbital is built for enterprise and federal AI accountability. Agent Gate is the developer on-ramp to the same engine, so you can start small and grow into the platform.
Forge's AI decision engine has been federally evaluated, and the Forge solution was assessed as Awardable on the U.S. Department of Defense CDAO Tradewinds Solutions Marketplace. Not a generic LLM wrapper.
It is live and open source. npm i forge-agent-gate works today, and we are opening it to everyone. Install it now, or join the list before the full launch.
npm package · GitHub repo · MCP registry · quickstart
| Set | You write the rules once in plain fields: which action types are allowed, how large, which counterparty or system, when it can run, and what size needs human review. The mandate is versioned. |
|---|---|
| Gate | Your agent calls Forge Agent Gate before the target system. Every action it attempts is checked against your mandate before it leaves the controlled path. |
| Decide | Actions inside the rules pass instantly. Actions outside the rules never reach the target. Actions over your review threshold wait for approval. One kill switch stops everything at once. |
| Prove | Allowed or blocked, every decision leaves a proof trail in your archive: the AI agent audit trail people expect, plus the rule, evidence, and replay path behind it. The signature is the integrity check. Replay it offline to show an auditor, a partner, or yourself exactly what your agent did and why. |
For self-serve integrations, your credentials stay with you. The Gate checks the action and issues the proof trail; you keep custody of the account, system, or workflow.
You get an API key for one monitored agent workflow. Run it repeatedly; trace credits count the proof trails.
npx forge-agent-gate init writes the local config. API users can call the gate directly from the agent loop and monitor usage at /v1/agent-gate/me.
Set refund, payment, procurement, approval, or trading limits. Your agent now works inside the mandate.
You do not have to read a spec. Copy the prompt below, paste it into your coding assistant, and give it the file that takes the risky action. The prompt carries the whole contract, so the model does not guess.
npm i forge-agent-gateI want to add Forge Agent Gate to my AI agent so a human approves the risky actions
and every decision leaves a verifiable Forge proof trail. Wire it into the code I give you.
Package: forge-agent-gate (npm, Node 18.17 or newer). Install: npm i forge-agent-gate
Import: import { generic, presets, type ForgeConfig } from "forge-agent-gate";
ForgeConfig = {
baseUrl: "https://forgeorbital.com",
apiKey: "fi_...", // your Forge Agent Gate key (or bearerToken)
recordMode: "required", // or "best_effort"
tenantId: "your-tenant",
agentId: "refund-agent", // ONE stable id per monitored workflow, reused forever
}
Mandate presets (pick one, or hand-build a PolicyMandate):
presets.refundsPresetMandate({ autoApproveBelowUsd })
presets.paymentsPresetMandate({ maxSingleTransferUsd })
presets.tradingPresetMandate({ ... })
The two calls:
const decision = generic.enforceAction({ mandate, action, activity, now });
await generic.recordGenericAction(forgeConfig, mandate, action, decision);
action = { actionType, amountUsd?, counterparty?, resource?, metadata? }
actionType is one of: spend | transfer | approve | refund | procure | submit |
trade | escalate | isolate | custom
activity = { dailyTotalUsd, knownCounterparties }
decision.disposition is exactly one of: "allow" | "escalate" | "block".
There is no "hold". Execute the real action ONLY on "allow".
On "escalate" route to a human. On "block" do not execute and surface the reason.
Rules you must follow when you write the code:
1. Call the gate BEFORE the action executes, never after.
2. Never auto-approve, retry past, or bypass an "escalate" or "block".
3. Never put secrets or credentials in action.metadata.
4. Reuse one stable agentId for the workflow; do not mint a new one per run.
Errors the API can return, handle them:
402 agent_gate_trace_credits_exhausted out of monthly trace credits
402 agent_gate_agent_cap_exceeded too many distinct agentIds for the plan
402 agent_gate_action_not_in_plan that actionType is not on this plan
403 agent_gate_agent_disabled the operator killed this agent
422 agent_id is required agentId missing
429 rate limited, back off and retry
Check usage any time:
curl -H "X-API-Key: $FORGE_API_KEY" https://forgeorbital.com/v1/agent-gate/me
Zero-code alternative: run it as an MCP server (npx -y forge-agent-gate init, then
serve) and call the gate_action tool before any consequential tool call.
Prefer no code at all? Run it as an MCP server: npx -y forge-agent-gate init,
then serve, and your agent calls the gate_action tool before any
consequential tool call. Same gate, same proof trail.
If your agent speaks the Model Context Protocol, point it at Forge Agent Gate and every tool call is checked before it runs. It is in the official MCP registry as com.forgeorbital/agent-gate.
{
"mcpServers": {
"forge-agent-gate": {
"command": "npx",
"args": ["-y", "forge-agent-gate", "serve"]
}
}
}
Write tools like place_order or issue_refund are gated: the server checks the action, records the proof trail, and executes only on an allow. Read-only tools pass through untouched.
A synthetic example. The demo shows a payments action, but the same shape fits a refund bot, procurement agent, or approval workflow. Before anything reaches the target system, the action is checked against the mandate. Names, amounts, and hashes are illustrative, not real.
decision_id: gate-2026-07-09-0000731
surface: agent_pre_action_gate
agent: payments_assistant_v2
mandate_ref: payments_mandate_v3 (hash sha256:11ac93... )
disposition: BLOCK
reasons:
r1 amount = "4,000.00 USD" exceeds max_payment = "500.00 USD"
r2 daily_outflow already at cap ("2,500.00 USD" of "2,500.00 USD")
r3 payee "new-vendor-x" not in payee_allowlist
action_proposed:
system: payments
payee: new-vendor-x
type: vendor_payout
amount: 4,000.00 USD
constraint_results:
c1 max_payment FAIL (4000.00 > 500.00)
c2 max_daily_outflow FAIL (cap reached)
c3 payee_allowlist FAIL (not permitted)
c4 allowed_hours PASS
c5 human_approval_threshold N/A (already blocked)
result: payment not sent to any system
signature: Ed25519 (integrity check, verifies offline)
replay_key: rk_7f1c20a9e... (same input reproduces this record)
Read it the way you would the morning after. The agent tried to send eight times its authorized amount to a vendor you never approved, after it had already hit the daily payout cap you set. None of that reached your payments system. You have a proof trail that it was stopped, and the exact reasons it was stopped. That is the difference between an agent that is autonomous and an agent that is unsupervised.
Trading is the first demo because the fear is instant: an agent with a balance and no ceiling. The same is true of any agent that takes a consequential action. Give it a mandate it cannot exceed and a proof trail of every attempt. The action changes; the control does not.
| Trade | Trading and brokerage agents. Position size, daily loss, venue allowlist. Offered as a separate Forge trading gate. |
|---|---|
| Spend and transfer | Payments agents. Amount caps, new-payee approval, counterparty allowlists. |
| Refund and adjust | Support and billing agents. Auto-approve ceilings, over-ceiling escalation, duplicate checks. |
| Approve and reject | Workflow agents. Value thresholds that route to a human instead of executing silently. |
| Procure | Procurement agents. Approved-vendor lists, spend limits, purchase-order gates. |
| Isolate and escalate | Security and operations agents. Bounded response actions with a human boundary and a proof trail. |
This is the same control an enterprise needs across finance, procurement, support, and security. The self-serve gate lets you watch it work on one agent today, before anyone signs a contract. One limited workflow is enough: a refund bot, a payments agent, or a procurement assistant. It runs on the same Forge decision engine that produces the proof trail.
| How do I stop an AI agent from making a purchase or issuing a refund? | Route the action through the Gate first. You sign a mandate with amount caps, allowlists, approval thresholds, and hours, and each action is checked before it executes. Anything outside the mandate is blocked or escalated, and every decision leaves a verifiable proof trail. |
|---|---|
| Can a system prompt enforce a spending or approval limit? | No. A system prompt is a request, not an enforcement boundary. The Gate checks the action outside the agent, before it executes, so a prompt injection or a confused agent cannot exceed the limits you set. |
| How do I put a spending limit or approval threshold on an agent? | Set a mandate once with amount caps, counterparty allowlists, per-day totals, approval thresholds, and hours. The gate enforces it deterministically on every action. |
| Does Forge take custody of funds or give trading advice? | No. Agent Gate is a risk-control gateway and proof-trail layer. It never takes custody of funds or your venue keys, and it does not provide trading advice. It enforces the limits you set and records what your agent did. |
| What actions can Agent Gate control? | Any consequential action an agent can take: issue a refund, send a payment, approve a vendor, route a procurement request, isolate an account, escalate a claim, or place a trade. |
Set the limit while you are calm, not while you are watching the balance drop. Watch the demo, get access, run one command, and your agent works inside rules you signed.