A firewall for outbound agent requests.

Intercepts, validates, and enforces policy on every API call — before it leaves your agent.

Signed requests. Cryptographic receipts on every call. Inline at the edge of Cloudflare's network.

# Production agents (Python or Node backend):
npm install @sphyr/sdk        # or: pip install sphyr-sdk

# Local IDE agents:
npx @sphyr/agent-guard-cli init

# → Every outbound request signed, scanned, and audited

Built on real infrastructure

npm @sphyr/sdk PyPI sphyr-sdk GitHub calahansphyr/Sphyr Built on Cloudflare Keys by Unkey Billing by Stripe 32 documented error codes →

What Sphyr enforces

Security you can show your auditor.

Four capabilities that move agent security from promise to receipt.

Prove what was blocked

Every call returns a structured result with the outcome code, request_id, and docs URL. Successful responses also carry a cryptographic safety signature your auditor can verify.

Stop SSRF-class attacks

Agents reach for the unexpected: metadata endpoints, private IPs, payment APIs. Sphyr enforces network, DNS, and domain policy before the request leaves.

Budget guardrails, per-agent

Spend, rate, and call-count limits enforced at the gateway — not inferred from logs. Agents hit their cap and stop. No surprise bills, ever.

Stop credential exposure before your keys hit a hostile endpoint.

Entropy detection scans every outbound request for high-entropy strings — keys, tokens, secrets — and blocks the call before sensitive material reaches an unintended destination.

How it works

From install to signed receipts in three steps.

Drop the SDK in, wrap your agent's calls, and every request flows through Sphyr's 12-phase security pipeline automatically.

Wrap a call

Replace fetch with sphyr.call. Same shape — args, response — plus HMAC signing, SSRF blocking, entropy scanning, and signed receipts on every request.

import { SphyrClient } from "@sphyr/sdk";

const sphyr = new SphyrClient({ apiKey: process.env.SPHYR_API_KEY });

const result = await sphyr.call({
  url:  "https://api.stripe.com/v1/charges",
  mthd: "POST",
});

Sphyr signs every call

The MCP proxy intercepts every outbound HTTPS request your agent makes — no SDK code to write. Sphyr runs the 12-phase pipeline — HMAC, SSRF, entropy, credits — before the request leaves.

# Your agent's tool call (handled automatically):
guard_net({
  url:  "https://api.example.com/data",
  mthd: "GET",
  cat:  "api-call",
})

Audit every call

Every request emits structured telemetry with the outcome code and request_id. Successful responses also carry a cryptographic safety signature. Filter the full trail from the admin console.

# Open the admin console
open https://console.sphyr.io

# Or query the usage summary
guard.usageSummary({ window: "7d" });

Pricing

Start free. Scale when you see traffic.

No credit card to start. Pay-as-you-go with prepaid credits — no recurring fees, no surprise overage.

Free Trial

$0 no card required

For trying Sphyr on a side project or proof of concept. Free grant valid for 12 months from signup.

✓1,000 free requests (one-time signup grant)
✓HMAC signature verification
✓SSRF protection
✓Basic entropy scanning
✓Community support

Start for free

Prepaid Credits

$5 / pack

Prepaid top-up. No recurring fees. Credits burn oldest-first with 12-month validity.

✓$0.0002 per request — flat, all-inclusive
✓Everything in Free Trial
✓Credits valid for 12 months
✓Preflight / dry-run mode
✓Admin dashboard access
✓Priority support

Top up credits

Ship agents with receipts, not hope.

1,000 free requests. No credit card. Near-zero latency overhead on Cloudflare's global network. Sign up, wire the SDK, and ship.

Start for free