Every IteraTools API key carries a policy: allow/deny lists, rate-class quotas, daily spend caps, and an immutable audit trail of every call. The control plane your CISO already asked for.
An OAuth 2.1 token says this agent is allowed to call my API. It does not say which tools, how many times, with what budget, and with what trace. When an agent goes rogue โ a bad prompt, a poisoned doc, a runaway loop โ the only thing standing between it and your wallet is your authorization layer.
IteraTools ships that layer in front of every endpoint. No SDK, no infra to run.
Per-key whitelist or blacklist of tool IDs. Denies hit before billing โ a blocked call costs you nothing.
Cap calls/minute per light, medium, heavy class. Stops bursty cost spikes when the LLM goes loop-crazy.
Hard ceiling per key per day. Returns 429 with reset time once exceeded โ no "$10k surprise" Monday morning.
Every call (allowed, denied, quota-hit) lands in tool_metrics + transactions. Replay any agent's last 24 h in seconds.
Global defaults in policies.json, per-key overrides in DB. Fail-open by default; opt into strictness key-by-key.
In-memory sliding-window for quotas, prepared statements for policy reads. Sub-millisecond on the hot path.
This policy lets the agent run sales tools but only the safe ones, blocks code execution entirely, and caps heavy compute at 5 calls/min:
A blocked call returns 403 immediately, before the tool runs and before billing:
Quota hits return 403 with reset window:
Successful calls return the tool result โ and an X-Policy-Allowed: true header so your audit dashboard can chart allows vs. denies.
OAuth handles authentication and broad scopes. The Authorization Layer handles fine-grained, per-call governance.
| Capability | OAuth 2.1 | IteraTools Authorization Layer |
|---|---|---|
| Verifies agent identity | Yes | Yes (api-key or x402 wallet) |
| Coarse scopes (read/write) | Yes | Yes |
| Per-tool allow/deny | Custom scopes only | Built-in |
| Rate-class quotas | No | light / medium / heavy |
| Daily spend cap | No | Per-key ceiling |
| Per-call audit log | Provider-dependent | tool_metrics + transactions |
| Block before billing | N/A | 403 pre-execution |
| Works without OAuth dance | No | Single api-key or x402 header |
Layer them: use OAuth 2.1 for human-to-agent delegation, then point the resulting key at our policy engine for per-call governance.
Whitelist extract/structured, web/search, scrape. Deny everything outbound (email, WhatsApp, code execution). Daily cap $5. Result: an analyst-bot that cannot message customers or move money โ even with a prompt-injected document.
Allow email/draft, whatsapp/draft, vector/query. Deny email/send, whatsapp/send. Drafts always go to a human review queue. heavy-class quota set to 0 โ no LLM-fanout loops.
Allow everything in pack/devops. heavy quota: 10/min. Daily cap $20. Audit log shipped nightly to S3 for SOC 2 evidence. When an agent looped on a flaky CI status check, the quota stopped it at $0.34, not $34.
No api-key โ wallet pays per call via @x402/fetch. Global policy in policies.json denies code_execute for unknown wallets, capping abuse without forcing signup.
A single endpoint exposes the current policy and last-minute quota state for any key. Drop it into your internal admin UI:
Default is permissive โ your existing keys keep working. Add a policy when you're ready, key-by-key.
Read the docs Rate-limit details