Vouch MCP Server

Vouch

A per-call payment trust & reputation API for AI agents — monetized over x402.

When an autonomous agent is about to pay a merchant, API, or counterparty, it asks Vouch one question first: is this safe to pay? Vouch returns an explainable trust score, and charges a fraction of a cent per call in USDC — no accounts, no API keys, no Stripe. Billing is the x402 protocol itself.

Why

The agentic-commerce rails (Coinbase x402, AWS, Visa, Mastercard, Agnic) are being built by giants. The governance layer — should this agent trust this counterparty with money? — is the named #1 blocker to autonomous spend and is wide open. Vouch is a thin, self-serve pick-and-shovel on top of those rails.

Every call makes the product better: checks and community reports accrete into a reputation dataset that compounds with usage — the moat a bootstrapped team can actually build.

How it works

agent ──POST /v1/check { target }──▶  x402 paywall (402 → pay USDC → retry)
                                          │
                                          ▼
                          ┌─────────── scoring engine ───────────┐
                          │ transport · domain heuristics ·       │
                          │ threat feed · reputation (D1)         │
                          └───────────────────────────────────────┘
                                          │
                            { score, risk, reasons[] }

Scoring is a weighted average of independent signals, with a safety override: any single hard-negative signal (e.g. a threat-feed hit) caps the overall score so one strong red flag can't be averaged away.

Endpoints

CORS is open (*) and the x402 payment headers are exposed, so browser-hosted agents can preflight and complete the pay/retry flow.

Reading /v1/report (abuse model)

POST /v1/report is free and unauthenticated by design — anyone can submit a flag or vouch for a host, so the raw flags/vouches counts are community signals, not ground truth. Abuse is contained by:

• Rate limiting — 10 reports per 60s per client IP (Cloudflare Rate Limiting, fails closed).
• Reporter-standing weighting — each counted report contributes a weighted amount (not a flat +1) based on the reporting source's tenure: a brand-new or anonymous source counts at 0.3, ramping to 1.0 only after ~7 days of sustained reporting. The scoring signal uses these weighted totals, so spinning up fresh sybil identities buys far less influence. A source can also move a given host's counter at most once per 24h (per-source de-dup); raw counts are still logged for audit.
• Poisoning resistance in scoring — community reputation is a non-authoritative signal: it can lower a score but cannot, on its own, force a critical verdict. Only objective signals (threat feeds, transport) can hard-cap the score. So a burst of anonymous flags can't unilaterally brand a legitimate counterparty as unsafe.
• Bounded input — target/reason/reporter are length-capped before storage.

Treat /v1/stats and report counts as a crowd-sourced prior that informs the paid verdict, not as an authoritative blocklist.

Stack ($0 to run)

TypeScript · Hono · Cloudflare Workers (free tier) · D1 (free SQLite) · @x402/* v2 · public facilitator at x402.org/facilitator.

Live on Base mainnet (X402_NETWORK=base, real USDC, $0.01/call). For local development, set X402_NETWORK=base-sepolia and fund a throwaway wallet from the free Circle faucet. The live network and price are authoritatively advertised at /.well-known/x402.

Develop

npm install
npm run typecheck
npm test

cp .dev.vars.example .dev.vars   # set PAY_TO_ADDRESS (your testnet wallet)
wrangler d1 create vouch         # paste database_id into wrangler.toml
npm run db:init                  # apply schema locally
npm run dev                      # local Worker

License

MIT — see LICENSE.