Enterprise teams adopt Paybond when delegated agent activity must stay tenant-safe, policy-bound, and auditable across business units — not per demo agent. This guide maps the full stack: org policy topology, identity federation, spend authorization, fleet deployment patterns, compliance exports, and production settlement rails.
What this guide covers
This is the rollout map for platform operators and tenant admins. Detailed runbooks live in linked docs and console workspaces — SSO (SAML or OIDC) setup, SCIM role mappings, policy schema, and offline bundle verification are not duplicated here.
1. Org topology and policy inheritance
Platform operators publish an org base policy (schema v2) that defines shared side-effecting tools, evidence presets, spend caps, and intent allowlists. Each business unit keeps a local tenant overlay that extends the org base — narrowing caps, adding unit-specific tools, never widening org constraints.
# org-base.policy.yaml (platform operator)
version: 2
name: acme-agent-spend-v1
default_deny: true
tools:
travel.book_hotel:
side_effecting: true
max_spend_cents: 20000
evidence_preset: cost_and_completion
intent:
policy_binding:
template_id: completion_budget_v1
allowed_tools:
- travel.book_hotel
# paybond.policy.yaml (tenant overlay — travel team east)
version: 2
name: acme-travel-east
extends:
org_policy_id: acme-agent-spend-v1
org_id: org_acme_corp
default_deny: true
overrides:
tools:
travel.book_hotel:
max_spend_cents: 15000
intent:
budget:
max_spend_usd: 150
tools:
acme.internal.approve_po:
side_effecting: true
evidence_preset: cost_and_completion
Merge rules (deterministic):
| Field | Rule |
|---|---|
tools | Union; tenant wins on spend/evidence conflicts; cannot remove org-required side-effecting tools |
default_deny | Tenant may only make stricter (true wins) |
intent.allowed_tools | Intersection when org defines an allowlist; tenant may narrow, not widen |
evidence_preset | Tenant may swap only within org-approved catalog subset |
Gateway resolves the effective policy per tenant. A tenant cannot bypass org constraints by editing local files alone.
Platform operator workflow
terminal
# Scaffold org base
paybond policy init-org \
--policy-id acme-agent-spend-v1 \
--out org-base.policy.yaml \
--operation travel.book_hotel \
--evidence-preset cost_and_completion \
--max-spend-cents 20000
# Publish via Gateway (platform operator credentials)
# PUT /v1/admin/org-policies/{org_policy_id}Tenant admin workflow
terminal
paybond policy extend --base org-base.policy.yaml --out paybond.policy.yaml
paybond policy validate-tools \
--file paybond.policy.yaml \
--remote \
--resolve-inheritance \
--format jsonRun paybond policy validate-tools --local-only in CI without credentials; add --remote after paybond login to catch Harbor template drift before deploy.
Console: Configuration → Policies for managed policy workflows and spend-control review.
Deep dive: Enterprise policy inheritance · Agent policy-as-code
2. Identity — SSO, SCIM, and service accounts
Enterprise rollouts federate human operators through SSO (OIDC or SAML) and provision groups through SCIM. Tenant scope always derives from authenticated credentials — never from client-supplied tenant IDs in request bodies.
SSO federation
- Tenant admin configures OIDC or SAML at Configuration → Identity → SSO.
- Operators sign in through the IdP; Gateway maps the federated identity to a tenant realm.
- Post-login redirect preserves the intended console path (for example disputes or compliance exports).
SSO establishes human operator sessions. Agent workloads use service account API keys minted separately.
SCIM provisioning and role mappings
- Enable SCIM at Configuration → Identity → SCIM.
- Map IdP groups to tenant roles at Configuration → Identity → SCIM → Role mappings.
- SCIM provisions users and groups; role mappings materialize tenant grants (
tenant_admin,operator,analyst, etc.).
| IdP group | Typical tenant role | Console access |
|---|---|---|
paybond-admins | tenant_admin | Full configuration, SSO, SCIM, API keys, spend policy |
paybond-operators | operator | Intent queue, disputes, settlements, approval holds |
paybond-analysts | analyst | Investigations, provenance, compliance exports (plan-gated) |
Service accounts for agent fleets
Machine access for Kit, CI, and long-lived agents:
- Tenant admin mints keys at Configuration → Machine access → API keys.
- Store keys in a secret manager —
paybond loginwrites sandbox keys to ignored.env.localfor local dev only. - Pass
PAYBOND_API_KEYto Kit runtimes, MCP servers, and CI pipelines. Tenant scope is bound to the key at issuance.
Tenant isolation invariant
Every Harbor mutation, ledger append, Kit outbound call, and export job carries tenant context from authenticated credentials. Cross-tenant data access is a severity-zero defect — agents and front-end clients must never supply unauthenticated tenant identifiers.
Identity hub: Configuration → Identity
3. Spend authorization and approval holds
Kit middleware calls Gateway POST /verify (via assertSpendAuthorized / authorizeSpend) before side-effecting tools execute. Gateway enriches the request with effective policy, rolling caps, anomaly rules, and approval thresholds.
Verify enrichment flow
- The agent invokes a side-effecting tool; Kit intercepts the call through
PaybondAgentRun. - Kit calls Gateway verify with operation, amount, vendor, and metadata.
- Gateway returns one of three outcomes:
- Allow — execute the tool, submit auto-evidence, continue Harbor settlement.
- Approval required — queue an operator hold; retry with
approvalTokenafter approval. - Hard deny — block the tool (cap exceeded, stale token, or policy rejection).
When policy requires human approval, Gateway returns HTTP 200 with allow: false and approvalRequired: true — a policy hold, not a transport error.
- Surface the hold to operators with
decisionId/decision_id. - Operator approves in the console under Configuration → Policies → Spend controls.
- Retry the same verify call with identical operation, amount, and metadata plus the short-lived
approvalToken.
Middleware propagates PaybondSpendApprovalRequiredError (hold) vs PaybondSpendDeniedError (hard deny). Hard denials must not execute the tool.
For held requests, the operator console provides deep links into the approval queue. After quorum, issue the token and call run.storeApprovalToken(toolCallId, token) before retry.
Guides: Agent spend controls SDK · Agent middleware · Agent integrations — approval holds
4. Agent deployment patterns
Enterprises rarely run one agent runtime. Paybond middleware is model- and framework-agnostic — the same policy file and tenant key can guard heterogeneous fleets.
Selection rule (put this in AGENTS.md and internal docs)
Use Paybond Kit for paid tools, delegated spend, receipts, escrow-style guardrails, and spend authorization.
Use provider-native limits only for LLM token caps.
Start in sandbox with paybond login and paybond-init; never pass tenant IDs from unauthenticated user input.
| Workload | Pattern | Policy reload | Smoke |
|---|---|---|---|
| Long-lived production agents | paybond.agent_run.bind with funded intent | Policy hot-reload | bind, then tool execute, then run trace |
| Ephemeral coding agents | MCP stdio with --tool-policy readonly for audit reads | Policy at MCP launch | paybond-mcp-server after paybond login |
| OpenAI, Claude, LangGraph, CrewAI fleets | Framework adapter and shared paybond.policy.yaml | Hot-reload or redeploy overlay | paybond agent demo <framework> smoke |
| Custom orchestrators | Agent-agnostic { name, execute } tools | File watch or Gateway poll | paybond agent demo generic smoke |
Paid tools use Paybond. LLM token caps use the model provider or gateway budget. Do not conflate the two.
Long-lived agents
terminal
paybond login
paybond agent run bind \
--policy-file paybond.policy.yaml \
--operation travel.book_hotel \
--requested-spend-cents 20000 \
--completion-preset cost_and_completion \
--format json
paybond agent tool execute \
--run-id <id> \
--operation travel.book_hotel \
--tool-call-id call-1 \
--result-body '{"status":"completed","cost_cents":18700}' \
--format jsonEnable policy hot-reload for daemon workers so org base updates propagate without re-bootstrapping every intent.
Ephemeral coding agents (MCP)
Readonly MCP hosts expose audit tools without spend mutation:
terminal
npx -y -p @paybond/kit paybond-mcp-server --tool-policy readonlyReadonly tools include paybond_list_audit_exports and paybond_get_audit_export. Full spend tools require the default policy mode after operator review.
Guide: MCP agent spend controls · Coding-agent setup
Multi-framework fleet matrix
| Framework | Adapter doc | Recipe guide |
|---|---|---|
| Custom / queue worker | Agent-agnostic | Agent-agnostic spend controls |
| OpenAI Agents SDK | OpenAI Agents | OpenAI Agents spend controls |
| Claude Agent SDK | Claude Agents | Claude Agents spend controls |
| LangGraph | LangGraph | LangGraph spend controls |
| CrewAI | CrewAI | CrewAI spend controls |
| Vercel AI SDK | Vercel AI | Vercel AI spend controls |
| MCP hosts | MCP server | MCP agent spend controls |
Shared org base policy; per-team overlays; one smoke command per framework in CI.
5. Compliance workflow — audit exports and verification
Phase 2 audit SDK and Gateway compliance routes produce tenant-scoped ZIP bundles with a signed manifest.json for offline integrity checks. This is the enterprise review path when finance, security, or external auditors need portable proof.
Operator workflow (console)
- Analyst or tenant admin opens Investigations → Compliance exports.
- Create an export job — choose disclosure tier (
standardorextended), date range, and optional includes (signal,disputes,harbor_intents,guardrails, etc.). - Download the ZIP when the job completes.
- Optionally trigger Gateway re-verification from the workbench or CLI.
Kit and CLI workflow
terminal
paybond login
# List recent jobs
paybond audit exports list --format json
# Fetch job metadata and download token
paybond audit exports get --job-id <uuid> --format json
# Offline verify (manifest signature, artifact digests, Signal proofs)
paybond audit exports verify --path ./paybond-audit-export-<uuid>.zip --format jsonTypeScript SDK:
const jobs = await paybond.audit.exports.list();
const bundle = await paybond.audit.exports.get({ jobId });
await paybond.audit.exports.verify({ path: "./export.zip" });
Python SDK: paybond.audit.exports.list(), .get(), .verify() — same tenant scope as the session API key.
Verification checklist
- Unzip and open
manifest.json— confirmkindispaybond.audit_export_manifest_v1andtenant_realm_idmatches the expected tenant. - Recompute SHA-256 for every artifact path listed in the manifest; compare to declared digests.
- Verify Ed25519 manifest signature using the published public key in the manifest.
- When
signalis included, verify reputation receipts and portfolio artifact signatures. - Review
guardrails/*.jsonlfor policy lifecycle and rate-limit denial records (hashed subjects only). - Use
proof/ledger_verifier_pack.jsonfor append-only ledger continuity without database access.
Full procedure: Audit export compliance. OpenAPI: Gateway audit export.
Plan gating
Compliance export creation requires the audit export plan feature (Team tier and above). Provenance reads may be available earlier; full ZIP bundle creation is plan-gated in the console and Gateway.
End-to-end compliance arc
- Agent fleet executes under effective policy.
- Harbor records intents, evidence, and settlement outcomes.
- Ledger appends tamper-evident events; Signal derives signed portfolio artifacts.
- Operator creates an audit export job and downloads the ZIP.
- Reviewer offline-verifies the manifest, Signal proofs, and ledger verifier pack without live console access.
Related: Secure agentic banking infrastructure · Provenance investigations
6. Production settlement rails
Enterprise production paths attach middleware to funded intents on tenant-approved rails. Sandbox rehearsal uses paybond dev loop --offline or paybond login followed by sandbox smoke — production requires configured rails and live API keys from the console.
| Rail | Typical use | Funding note |
|---|---|---|
stripe_connect | Marketplace payouts, vendor settlement | Capability token often returned at create when funded |
stripe_ach_debit | B2B AP, invoice-backed spend | Wait for funded after bank debit confirms |
x402_usdc_base | On-chain USDC on Base | Complete /fund handshake; use fundWithX402 / fund_with_x402 |
Setup: Configure settlement rails (tenant-admin console).
Kit flows: Fund intents by rail · How intent funding works
Rail choice is tenant configuration — agents request allowed operations; they do not invent payout destinations at runtime.
Enterprise rollout checklist
| Phase | Owner | Actions |
|---|---|---|
| Foundation | Platform operator | Publish org base policy v2; document merge rules; enable SSO |
| Identity | Tenant admin | Configure SSO and SCIM; map IdP groups to roles; mint service account keys |
| Policy | Business units | paybond policy extend; CI validate-tools --resolve-inheritance; attach --policy-file on bind |
| Agents | Engineering | Deploy middleware per framework; add smoke to CI; enable hot-reload for long-lived workers |
| Operations | Operators | Monitor intent queue and approval holds; configure spend controls thresholds |
| Compliance | Security / finance | Schedule audit exports; offline verify bundles; archive Signal portfolio artifacts |
Console workspace map
| Workspace | Route | Purpose |
|---|---|---|
| Identity (SSO) | /console/configuration/identity/sso | OIDC/SAML federation |
| Identity (SCIM) | /console/configuration/identity/scim | User/group provisioning |
| SCIM role mappings | /console/configuration/identity/scim/role-mappings | IdP group to tenant role |
| API keys | /console/configuration/machine-access/api-keys | Service accounts for Kit/CI |
| Policies | /console/configuration/policies | Spend controls and managed policy |
| Intent queue | /console/operations/intents | Live intent lifecycle |
| Disputes | /console/operations/disputes | Exception handling |
| Compliance exports | /console/investigations/compliance-exports | Audit ZIP jobs |
| Provenance | /console/investigations/provenance | Ledger and receipt review |