Almega MCP
OfficialProvides real Stripe Issuing test-mode Cardholders and virtual Cards for agents, with every approved payment creating a test-mode Stripe authorization. Allows monitoring of wallet decisions on the Stripe dashboard.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Almega MCPOpen a wallet for agent 'helper' with $100 monthly limit."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
🛡️ Almega — the immutable delegation frame for AI agents
Delegate everything to your agents — within limits they can't cross.
Set the boundaries once. Your agent runs free inside them. Anything sensitive — spending money, deleting a file, deploying to prod, sending an email — pauses for a one-click human OK. Everything is logged. An MCP server, open source.
The problem: you want to delegate, not babysit
The whole point of an agent is to hand it the work and walk away. But the moment it acts on its own, it can spend money, touch production, delete data, call tools — and you have no real control over what it actually does.
The tempting fix is to put the rules in the prompt: "don't spend over $50, don't touch prod." This does not hold. A model honors an instruction right up until it's task-motivated not to — or until a prompt injection from a webpage overrides it, or a loop bug ignores it entirely. An instruction is a wish.
The boundary has to live outside the agent — where a bug, an attack, or the agent itself can never talk its way past it. That's Almega.
Related MCP server: BotWallet MCP Server
How it works
A human sets the frame once (the agent has no tool to change it):
set_frame(
"ops-bot",
allow=["read", "search"], # runs free
require_approval=["payment", "deploy", "file.delete"], # pauses for you
block=["shell.exec"], # never
default="approval", # unknown action → ask you (fail-safe)
monthly_limit=200, allow_categories=["api", "saas"], approve_above=50, # payment sub-frame
)Then the agent asks before anything sensitive — and Almega decides, outside it:
request("ops-bot", "read", "read config.yaml") # → ALLOWED (runs free)
request("ops-bot", "deploy", "deploy build #418 to prod") # → AWAITING_YOU
request("ops-bot", "shell.exec", "rm -rf /") # → BLOCKED
pay("ops-bot", "openai.com", 12, "api") # → ALLOWED (under your cap)
pay("ops-bot", "vendor.io", 800, "retail") # → BLOCKED (off-frame)Held actions wait for your one click:
approve("act_0002") # deploy → cleared to run
reject("act_0003", "not that database")Every attempt — allowed, blocked, or held — lands in an append-only audit ledger.
Payments are just one kind of guarded action
Almega started as a wallet for agents — per-agent spend limits + human approval, with a real Stripe Issuing test-mode backend (no real money). That wallet is still here: run almega-wallet. In the gate, pay() is built in as the flagship action — same gate, same approval flow. The point is that it guards anything you'd want a human in the loop for before it happens, not just money.
The tools
Tool | What it does |
| Define an agent's immutable boundaries (operator only) |
| The gate — agent asks before a sensitive action → |
| Flagship payment example (sugar over |
| Human resolves a held action |
| The approval inbox |
| The full audit log |
| Inspect a frame + spend so far |
Plus resources: almega://ledger, almega://frames, almega://pending.
Gate your own tools
Wrap any tool with @gated and its real code can't run outside the frame — the action is gated, not just the response:
from almega_gateway import gated, approve_and_run
@gated("file.delete")
def delete_file(path): ... # the dangerous part
delete_file("customers.db") # → held; the file is NOT deleted
# ...you review and approve, then:
approve_and_run(action_id) # → only now does it actually runA blocked or unapproved call's side effect simply never happens. The transparent Gateway — drop Almega in front of any MCP server and auto-gate every tool, zero instrumentation — builds on this, and is next.
Install
pip install almega-mcp # or: uvx almega-mcpListed in the official MCP registry as io.github.almega-ai/almega-mcp. MIT.
Why Almega, not the big players' stack
Stripe, Rain and AWS are building agent payment controls — closed, payment-only, locked to their platform. Almega is the opposite, on purpose:
Open-source & MCP-native — your agent gets the gate as native tools, no glue.
Guards everything, not just money — payments, tool calls, deletes, deploys, emails.
No vendor lock-in — your control layer sits above any rail; swap the rail, keep Almega.
The thing that decides whether an agent should act shouldn't be owned by a single payment vendor.
What's next (roadmap)
The Almega Gateway — drop it in front of your other MCP tools and every sensitive call is auto-gated, no instrumentation. (This is the magic; the tools above are the foundation.)
Persistence, an approval dashboard, team policies, audit export, SSO — the governance layer teams pay for.
Today it's a demonstrator (in-memory). The point is to make the model obvious in five minutes.
Building agents that actually do things? I'd love feedback on the frame model and the MCP surface — what would you want to gate, and what's missing?
(Founding members get the hosted version — gateway + approval dashboard — at a founder rate locked for life: alemgaai.netlify.app. The server above is free and yours to keep.)
This server cannot be installed
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/almega-ai/almega-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server