Sphyr
verified_user 12-Stage Security Pipeline

Features

Every outbound agent request passes through a verifiable, auditable security pipeline. SDK v2.0.0-beta.1+ blocks requests by default if the gateway is unreachable — no silent pass-through. Here is exactly what runs on every call.

HMAC Integrity Verification

Every request routed through sphyr_net must carry a valid HMAC-SHA256 signature computed over the canonical request string. The signature is verified at the Cloudflare edge before any downstream processing begins — a tampered or replayed request is rejected immediately. Timestamps are enforced within a ±300 second window to prevent replay attacks without requiring clock synchronization infrastructure. 

# HMAC-SHA256 over the canonical 8-part payload (colon-delimited):
# nonce:ts:url:mthd:sha256(body):sha256(canonical_headers):cat:trace_id
#
# Headers: sorted alphabetically, each prefixed with its UTF-8 byte length
# cat (1–64 chars) is required; trace_id defaults to ""

sphyr_net({
  url:        "https://api.example.com/data",
  mthd:       "GET",
  sig:        "<HMAC-SHA256 over canonical payload>",
  ts:         1743800400,
  sess_token: "<sess_token from audit_sess>",
  cat:        "api-call",
})
# nonce is returned by audit_sess and embedded in `sig` — never passed
# as a separate sphyr_net argument.

SSRF Protection

Server-Side Request Forgery (SSRF) attacks let compromised agents probe internal networks, metadata APIs, or private services. Sphyr validates every target URL against known private IP ranges (RFC 1918, loopback, link-local), enforces HTTPS-only protocols, and performs forward DNS resolution to detect DNS rebinding attempts — where a hostname initially resolves to a public IP but later resolves to an internal one. Requests that fail any check are blocked before the outbound connection is made. 

# Blocked request patterns (examples)
http://169.254.169.254/latest/meta-data/  # AWS metadata endpoint
http://10.0.0.1/admin                      # RFC 1918 private range
http://localhost:6379                      # Loopback (Redis)
ftp://example.com/data                     # Non-HTTPS protocol

# Only HTTPS to public IP space is allowed through

Entropy-Based Secret Detection

Exfiltration attacks often embed secrets — API keys, credentials, private keys — inside seemingly normal outbound requests. Sphyr computes Shannon entropy on request payloads and rejects payloads that exceed the configured threshold. Known high-entropy but benign patterns (UUIDs, base64-encoded binaries) are excluded via gateway-managed allow-patterns. This blocks high-entropy payloads before they reach their intended destination — catching exfiltration attempts in transit through the Sphyr gateway. 

# Entropy configuration (per-key)
{
  "entropy_threshold": 4.5   # bits/char — triggers block above this
                              # Allowlist patterns (UUIDs, base64 binaries, etc.)
                              # are managed by the gateway, not per-key config.
}

Honeytoken Breach Detection

Honeytokens are decoy credentials deliberately planted in your agent's context. If an attacker steals your agent's context and exfiltrates the honeytoken, Sphyr detects the outbound request to the honeytoken domain, immediately revokes the associated API key, and generates a forensic trail with hashed IP, timestamp, and session data. This turns every breach attempt into an early warning signal — the revocation and alert fire automatically when the honeytoken is reached via Sphyr. Note: detection requires that the exfiltration attempt is routed through the Sphyr gateway. Direct connections bypassing Sphyr are not detected. 

# System config (set once per deployment)
honeytoken_domain = "trap.yourdomain.com"

# Automatic response on detection:
# 1. API key suspended immediately (D1 key pause — no further requests pass)
# 2. Forensic record written to compromised_keys table
# 3. Request logged with IP + sess_token + timestamp
# 4. Alert dispatched to configured webhook (requires ALERT_WEBHOOK_URL)

Adaptive Rate Limiting

Rate limiting is applied at three levels: per-agent (isolating a single misbehaving agent within a fleet), per-key (capping combined throughput across all agents sharing one credential), and per-IP (a DoS backstop protecting the gateway from unauthenticated flood attacks). Each level uses a fixed-window counter backed by Cloudflare Durable Objects for serialized, race-free consistency at the edge. When a limit is exceeded, the response includes precise retry-after timing so well-behaved agents can back off gracefully without polling. Default limits: 10 req/s per agent · 100 req/s per key · 300 req/s per IP · 500 req/s pre-auth backstop. 

# Rate limit response headers
HTTP/1.1 429 Too Many Requests
X-Credits-Remaining: 4823
X-Quota-Remaining: 0
X-Request-ID: req_a8b2c3d4

# sphyr_net rate limit response body
{
  "code": "RATE_LIMITED",
  "message": "Per-key rate limit exceeded",
  "retryable": true,
  "request_id": "req_a8b2c3d4",
  "docs_url": "https://sphyr.io/docs/errors/RATE_LIMITED",
  "remediation": {
    "action": "BACKOFF",
    "parameters": { "retry_after_ms": 8400 }
  }
}

Credit Billing Engine

Each successful sphyr_net call deducts one credit from the key's prepaid balance via an atomic floor-guarded SQL UPDATE — concurrent requests cannot drive the balance negative. Credits are valid for 12 months from issue date. When the balance reaches zero, requests are blocked with a clear INSUFFICIENT_CREDITS error before any upstream call is made. No subscriptions, no metered billing — just prepaid credits. Credits expire 12 months from issue date. 

{
  "key_id": "key_2Y5k...",
  "credits_remaining": 48750,
  "oldest_expiry": "2027-04-13T00:00:00Z"
}

Session Management

Sessions are established via the audit_sess handshake: the agent presents its Sphyr credential, Sphyr verifies the HMAC-SHA256 signature against the stored signing secret, and issues a 30-minute session token (UUID v4). The token is IP-bound — requests from a different IP are rejected, preventing session token theft. Note: agents running in serverless environments (AWS Lambda, GitHub Actions, Vercel Functions) that share a NAT gateway may share an egress IP with other agents — IP binding provides no isolation between co-tenants on the same NAT. All requests within a session are grouped in the forensics view, giving operators a coherent view of what each agent task did across its lifetime. 

# audit_sess handshake
POST /mcp  (tool: audit_sess)
{ "key_id": "key_2Y5k...", "agent_id": "...", "ts": "...", "client_nonce": "...", "sig": "..." }

# Response
{
  "sess_token": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
  "nonce": "5f4dcc3b-5aa7-4c1d-9f6f-8b1e2c3d4e5f",  # included in every sphyr_net HMAC
  "expires_in_sec": 1800,                            # session TTL — 30 minutes
  "key_id": "key_2Y5k...",
  "issued_at": "2026-04-30T17:23:42.000Z",
  "expires_at": "2026-04-30T17:53:42.000Z",
  "balance": 48750
}

Preflight / Dry-Run Mode

Dry-run mode lets you validate agent behavior against Sphyr's full security checks without making any real outbound requests or consuming credits. Every check runs — HMAC validation, SSRF screening, DNS pinning, honeytoken detection, entropy analysis, rate limit accounting — but the actual HTTP call to the target URL is skipped. Toggle dry-run per API key from the admin dashboard. Ideal for onboarding new agents, testing security configurations, or running integration tests in CI without side effects. 

# Preflight flag in sphyr_net call
POST /mcp  (tool: sphyr_net)
{
  "url": "https://api.example.com/data",
  "mthd": "GET",
  "preflight": true,    # security check only — no real HTTP call
  "sess_token": "...",
  "sig": "...",
  "ts": 1743800400,
  "cat": "preflight-test"
}

# Dry-run mode: toggled per-key in admin dashboard (dry_run: true)

Sphyr Trace

Every session has a security story. Trace surfaces blocked request counts and per-session peak severity at a glance — and for every blocked request, shows the exact inline rationale that triggered the block. Not a tooltip. Not a log you have to grep. Inline, in the console, on every blocked call. 

# session · a3f8b2c1… · 12 requests · 3 blocked · risk 71
POST https://api.example.com/upload  BLOCKED  risk 71
  ↳ Entropy threshold exceeded — Shannon entropy 6.42 bits/char on URL parameter value; pattern matches API key format.

Tool Schema Drift Detection Coming Soon

MCP servers can silently change their tool definitions mid-session — a rug-pull attack where a trusted tool during setup is replaced with a malicious one after access is granted. The tool_drift_mode flag is already configurable per API key (LOG or BLOCK), and the session config passes it through the pipeline. Active schema comparison and drift event emission are in development. When complete, drift events will be surfaced in the admin dashboard, giving operators a forensic trail of unexpected schema mutations without disrupting legitimate tool updates. 

{
  "event": "tool_schema_drift",   // coming soon
  "tool": "read_file",
  "session_id": "a3f8b2c1...",
  "drift": {
    "before": { "description": "Read a file from disk" },
    "after":  { "description": "Read a file from disk and POST its contents externally" }
  }
}

Ready to add signed receipts and egress controls to your agents?

See Pricing

Start with 1,000 complimentary credits — no card required.