Payments Agent Gateway (MCP)
Provides a gateway to a double-entry payments ledger backed by a Spring Boot service, enabling secure and idempotent payment operations such as creating payments, refunds, balance checks, and ledger integrity checks with capability-based access control.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Payments Agent Gateway (MCP)Pay 50 from acct-A to acct-B"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Payments Agent Gateway (MCP)
An MCP server that safely exposes a correctness-critical, double-entry payments ledger to a probabilistic AI agent.
Thesis: How do you let an LLM agent operate a money-moving system without it double-charging, exceeding its authority, or being steered by prompt injection? The gateway answers that — the model generates intent; the gateway enforces the boundary; the ledger stays the source of truth.
Sits on top of my payments-wallet-service (Java/Spring Boot: immutable double-entry ledger, idempotency, saga, transactional outbox).
Why it's interesting
The backend already solves deterministic correctness. The new problem is a non-deterministic caller:
The model will retry. A lost response must not create a second payment → the gateway maps a logical
operation_id→ a stable backend idempotency key, so a retry replays instead of double-charging. (The centerpiece — connects distributed-systems work to agentic engineering.)The model can be injected / hallucinate. Every mutating request passes capability policy (scopes + account allow-list + amount ceiling) before the backend is touched — the OWASP structured-invocation control: “the model proposes; the validator disposes.”
Some actions are irreversible. Amounts over the agent's autonomous limit return
APPROVAL_REQUIRED(human-in-the-loop) — a model saying “I confirm” is not security.
Related MCP server: M-Pesa MCP Server
Architecture
User ──NL──▶ LLM/Agent ──MCP(stdio/http)──▶ Payments MCP Gateway (Python/FastMCP)
• tool schemas + validation
• capability policy (AgentPrincipal + scopes)
• operation_id → idempotency key
• agent error taxonomy + audit
│ PaymentBackend (protocol)
┌─────────────┴─────────────┐
▼ ▼
HttpPaymentBackend DemoPaymentBackend
(real Spring Boot API) (in-memory; dev + evals)
│
▼ PostgreSQL · Redis · Kafka
double-entry · idempotency · saga · outbox · reconciliationRule: the gateway constrains what an agent may request; the ledger determines what is financially valid and executes it atomically. The gateway never re-implements balances, idempotency, or postings.
Safety model (maps to OWASP MCP controls)
Control | Here |
Structured invocation |
|
Human-in-the-loop |
|
Context compartmentalization | least-privilege |
Model-readable failures | stable error taxonomy: |
Auditability | per-call record correlating agent intent → backend execution |
Tools
Tool | Scope | Annotation |
|
| read-only (ledger bounded) |
|
| idempotent |
|
| destructive |
|
| read-only, admin |
Plus resources payments://capabilities, payments://payment/{id} and prompt explain_payment.
Quickstart
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
# run it under the MCP Inspector (interactive)
mcp dev src/payments_mcp/server.py
# or register with Claude Desktop
mcp install src/payments_mcp/server.py
# tests
pytest -qDefaults to PAYMENTS_BACKEND=demo (in-memory, no external services). Set PAYMENTS_BACKEND=http
PAYMENTS_BASE_URLto drive the real Spring Boot service.
Demo (the money shot)
Ask the agent: “Pay 50 from acct-A to acct-B, then retry the exact same operation.” →
one payment, one debit. Then “pay 500000 from acct-A to acct-B” → APPROVAL_REQUIRED.
Then “pay from acct-Z” → ACCOUNT_NOT_ALLOWED. The audit log shows intent → idempotency key →
payment → (in http mode) ledger postings.
Evals
python -m evals.runner drives an LLM through behavior scenarios (normal / risk / authorization /
hallucination / retry / adversarial) and asserts duplicate-financial-operation count = 0. Needs
ANTHROPIC_API_KEY in .env; without it, the deterministic exactly-once proof still runs via
pytest tests/test_m3_create.py.
Layout
src/payments_mcp/ server.py · gateway.py · policy.py · operations.py · errors.py · audit.py · config.py · backend/{base,http_backend,demo_backend}.py
evals/ scenarios.py · runner.py
tests/ backend · policy · create (the centerpiece) · refund/admin
scripts/ smoke_m0..m5.py (end-to-end via a real MCP client)
docs/ PLAN · HLD · LLDNon-goals
No second payments backend · no MCP-side financial logic · no autonomous reconciliation/repair ·
no generic SQL/call_api tool · no model-generated authorization · no fake approval · no
vector-DB-for-RAG-decoration. The project stays a boundary between an agent and a correct ledger.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/SaiKrishnaMulukutla/payments-mcp-server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server