A firewall for outbound agent requests.

Signed requests. Receipts on every call.

Sphyr enforces cryptographic, financial, and behavioral boundaries on every request your agent makes. Inline at the edge of Cloudflare's network.

Get Started Free View Docs

// npm install @sphyr/sdk
import { SphyrClient } from '@sphyr/sdk';

const guard = new SphyrClient({
  apiKey: process.env.SPHYR_API_KEY,
  hmacSecret: process.env.SPHYR_HMAC_SECRET,
});

const result = await guard.agentGuard.call({
  url:  'https://api.example.com/data',
  mthd: 'GET',
  cat:  'api-call',
});

Built on real infrastructure

npm @sphyr/sdk PyPI sphyr-sdk GitHub calahansphyr/Sphyr Built on Cloudflare Keys by Unkey Billing by Stripe 32 documented error codes →

What Sphyr enforces

Security you can show your auditor.

Four capabilities that move agent security from promise to receipt.

Prove what was blocked

Every call returns a structured outcome with the policy code, request_id, and docs URL. Successful responses also carry a cryptographic safety signature your auditor can verify.

Stop SSRF-class attacks

Agents reach for the unexpected: metadata endpoints, private IPs, payment APIs. Sphyr enforces network, DNS, and domain policy before the request leaves.

Budget guardrails, per-agent

Spend, rate, and call-count limits enforced at the gateway — not inferred from logs. Agents hit their cap and stop. No surprise bills, ever.

Stop credential exposure before your keys hit a hostile endpoint.

Entropy detection scans every outbound request for high-entropy strings — keys, tokens, secrets — and blocks the call before sensitive material reaches an unintended destination.

Route any MCP agent through Sphyr without changing agent code.

Add one entry to your MCP client config. Sphyr intercepts, re-signs, and enforces policy on every tool call — before it leaves your environment.

// claude_desktop_config.json
{
  "mcpServers": {
    "sphyr": {
      "command": "npx",
      "args": ["-y", "-p", "@sphyr/sdk", "sphyr-proxy"]
    }
  }
}

Read the MCP guide →

How it works

From npm install to signed receipts in three steps.

Sphyr ships as an SDK and a gateway. Install, route, audit — no infrastructure to run.

Install the SDK

Add @sphyr/sdk to your Node or Python app. Point it at your API key and HMAC secret.

# Node.js
npm install @sphyr/sdk

# Python
pip install sphyr-sdk

Route outbound requests

Wrap any outbound call in agentGuard.call. Sphyr runs the 12-phase pipeline — HMAC, SSRF, entropy, credits — before the request leaves.

const result = await guard.agentGuard.call({
  url:  "https://api.example.com/data",
  mthd: "GET",
  cat:  "api-call",
});

Audit every call

Every request emits structured telemetry with the outcome, policy code, and request_id. Successful responses also carry a cryptographic safety signature. Filter the full trail from the admin console.

# Open the admin console
open https://console.sphyr.io

# Or query the usage summary
guard.usageSummary({ window: "7d" });

Pricing

Start free. Scale when you see traffic.

No credit card to start. Pay-as-you-go with prepaid credits — no recurring fees, no surprise overage.

Free Trial

$0 no card required

For trying Sphyr on a side project or proof of concept. No time limit on the grant.

✓1,000 free requests (one-time signup grant)
✓HMAC signature verification
✓SSRF protection
✓Basic entropy scanning
✓Community support

Start for free

Prepaid Credits

$5 / pack

Prepaid top-up. No recurring fees. Credits burn oldest-first with 12-month validity.

✓$0.0001 per request
✓Everything in Free Trial
✓Credits valid for 12 months
✓Preflight / dry-run mode
✓Admin dashboard access
✓Priority support

Top up credits

Ship agents with receipts, not hope.

1,000 free requests. No credit card. near-zero latency overhead on Cloudflare's global network. Sign up, wire the SDK, and ship.

Start for free