Vouch Docs

Deterministic preflight governance for AI agent plans. One evaluation between plan and execution.

What Vouch is

Vouch evaluates AI agent plans before they execute. Your agent proposes a plan. Vouch tells it whether to proceed.

One API call. Deterministic. No LLM in the loop. Every verdict is cryptographically signed.

The agent gets a verdict: ACCEPTED, RESTRICTED, or BLOCKED. Vouch does not modify the plan. It evaluates and returns.

Where it sits

Vouch sits between the agent and execution. Always after the agent proposes, always before anything runs.

User asks the agent to do something | v Agent formulates a plan | v Vouch evaluates the plan (~2ms) | +---> ACCEPTED --> execute +---> RESTRICTED --> agent gets guidance on what to fix +---> BLOCKED --> stop, do not execute

Three integration paths. Pick the one that fits your stack:

MCP

vouch-mcp

Works with any MCP-compatible agent. Zero signup — auto-provisions a free API key on first call.

npx -y vouch-mcp

NPM

vouch-guard

Wraps Claude Managed Agents. Evaluates every tool call before execution.

npm install vouch-guard

Direct

POST /api/v1/vouch

Call the API directly from your orchestrator, proxy, or backend.

curl -X POST /api/v1/vouch

Why not just model guardrails?

Frontier agents like Claude and GPT-4 already have safety guardrails. Those guardrails protect what the model says — they prevent it from generating harmful text.

Vouch protects what the agent does. A model will happily generate a plan to rotate your API key and send it to an external address. That's a structurally valid request. The model has no reason to refuse it.

Vouch catches the governance gap: the space between "the model is willing to do this" and "this should actually be done." It's deterministic, runs in your stack, and can't be jailbroken.

Quick start

MCP (fastest)

If your agent supports MCP, this is the fastest path. No signup. No API key to manage.

Add Vouch to your Claude Desktop config:

{
  "mcpServers": {
    "vouch": {
      "command": "npx",
      "args": ["-y", "vouch-mcp"]
    }
  }
}

That's it. Your agent can now call vouch_evaluate before executing plans. A free API key is auto-provisioned on first use — 10,000 evaluations per month, no credit card.

API key

export VOUCH_API_KEY="vk_..."

Then pass it in your agent's configuration or orchestrator code. The agent handles the rest — it generates a plan, sends it to Vouch, and acts on the verdict.

Authentication

Pass your API key as a header on every request:

x-api-key: YOUR_API_KEY

Your key is issued at signup or auto-provisioned for MCP users. The key belongs in your backend, orchestrator, or agent config — not in browser code or exposed to end users.

What your agent sends

Your agent already generates plans before it acts. Send us that plan.

Minimum: a description and steps. That's what every agent already produces.

{
  "description": "Rotate the API signing key for the payments service",
  "steps": [
    { "action": "generate new signing key", "target": "payments-service" },
    { "action": "update key reference in config", "target": "payments-service config" },
    { "action": "revoke old key", "target": "previous API key" }
  ]
}

Steps can be whatever shape your agent uses. We read the full text, not specific field names.

Richer plans get better evals

If your agent generates any of these, include them. Plans with more context get more accurate verdicts:

Field	Why it helps
`rollback_steps`	Shows the plan has a recovery path
`success_criteria`	Shows bounded, verifiable intent
`execution_environment`	Distinguishes staging from production
`risk_justification`	Shows the agent considered risk

None of these are required. The agent sends what it has.

What you get back

Clean, minimal responses. The agent gets exactly what it needs.

ACCEPTED

{
  "verdict": "ACCEPTED",
  "request_id": "v-a1b2c3d4e5f60718"
}

The plan is safe. Proceed.

RESTRICTED

{
  "verdict": "RESTRICTED",
  "request_id": "v-9f8e7d6c5b4a3021",
  "guidance": "This plan modifies a security control. Add a change ticket or scope to a specific environment."
}

Something needs attention. The guidance field tells the agent what to fix or why the plan was held.

BLOCKED

{
  "verdict": "BLOCKED",
  "request_id": "v-1a2b3c4d5e6f7890",
  "risk": "credential_exfiltration"
}

The plan is dangerous. Stop. Do not execute. The risk field indicates the category.

The signed receipt — `vouch_attestation`

Every response also includes a signed attestation. It's the cryptographic proof of what Vouch decided, verifiable independently:

{
  "verdict": "ACCEPTED",
  "request_id": "v-4b4cf0b970b30a94",
  "vouch_attestation": {
    "kind": "vouch_attestation",
    "version": "1",
    "attestation_id": "vch_3f6a243e5f3a3abf_mo6ahraj",
    "issued_at": "2026-04-19T21:40:07.915Z",
    "contract_version": "5.1.0",
    "key_fingerprint": "4b8a7c78c13909f8",
    "plan_hash": "3f6a243e5f3a3abf279fcc76b5732149e7b0bbcfe1c4f3d470d94a76c5d34113",
    "vouched": true,
    "vouch_status": "vouched",
    "zone": "accepted",
    "rule_id": "R17_low_fouls_unresolved",
    "coherence_rungs_fired": [],
    "signature": "EKmAS+vhR01PS5D0q54tzxZ+o62Oj+FV7YccUQ04cQwsbXM/5I23DXt/DM/wJfuOEAn02BdNby/lPtVfFC30Ag=="
  }
}

What each field means:

attestation_id — unique per-request ID you can log and reference.
plan_hash — SHA-256 of the canonical plan. If someone later claims "but the plan said X," the hash proves what was actually submitted.
vouch_status — four states: vouched (clean), review_required (accepted-with-review), refused_restricted, refused_blocked.
coherence_rungs_fired — which of the eight coherence layers detected mismatch. Empty array means clean vouch.
contract_version — which rule-set version produced this verdict. Rules evolve; the attestation is pinned to what was in play at the moment of decision.
key_fingerprint — first 16 hex chars of SHA-256(public key). Tells verifiers which Ed25519 key to use.
signature — base64 Ed25519 signature over the rest of the attestation. Verify with Node's crypto.verify or any Ed25519 library.

This is the part your compliance team, auditor, or insurer cares about. The signed receipt makes decisions provable after the fact — discovery-ready, non-repudiable, deterministic.

Verdicts

ACCEPTED

The plan can proceed. Vouch found no governance concerns. Continue with execution.

RESTRICTED

Vouch found a specific concern. The guidance field explains what needs attention. The agent can replan, or a human can review.

BLOCKED

The plan is dangerous and should not proceed. Stop execution and log the event.

PII & data privacy

Vouch reads your agent's plan to classify risk. It never stores the plan text.

Plans can describe customer systems, credentials, or sensitive operations. The pipeline must read plan text to evaluate it — but logging that text would create a PII liability. So we don't.

What we store

Plan hash (16-char, no content recovery)
Step count
Action verbs (labels only)
Description length
Boolean flags (has destination, has rollback)
Verdict + timestamp
Ed25519 signature

What we never store

Raw plan descriptions
Step-by-step details
Destination addresses
Target system names
User or customer content
Request headers or metadata

Guidance messages are pre-defined templates, not generated from your plan content. The verdict log is append-only and structurally PII-safe by design.

EU AI Act: Every verdict is signed with Ed25519 for tamper-evident auditability. Your customer dashboard shows the full signed audit trail — verdict, guidance, timestamp, and cryptographic signature — without exposing plan content.

Cost savings

Every plan Vouch catches is a downstream LLM call your system doesn't make.

When a plan is RESTRICTED or BLOCKED, Vouch stops it before it reaches your downstream model. No tokens consumed. No GPU time. No tool execution costs.

Example

10,000 agent plans per month. Your downstream model is Claude Haiku at $0.25/MTok input + $1.25/MTok output. Average plan generates ~2,000 tokens downstream.

If Vouch catches 15% of plans as RESTRICTED or BLOCKED, that's 1,500 avoided downstream calls — roughly $3–5/month in direct token savings on the cheapest model. On GPT-4o or Claude Sonnet, multiply by 10–30x.

But the real savings aren't tokens. One blocked credential exfiltration or data leak is worth more than a year of token costs. Governance earns its keep on the incidents that don't happen.

vouch-mcp

MCP integration for any MCP-compatible agent. Zero signup — a free API key is provisioned automatically on first call.

Claude Desktop

{
  "mcpServers": {
    "vouch": {
      "command": "npx",
      "args": ["-y", "vouch-mcp"]
    }
  }
}

The agent gets a vouch_evaluate tool. Call it with a plan before executing any action.

With your own API key

{
  "mcpServers": {
    "vouch": {
      "command": "npx",
      "args": ["-y", "vouch-mcp"],
      "env": {
        "VOUCH_API_KEY": "vk_..."
      }
    }
  }
}

10,000 evaluations per month on the free tier. No credit card required.

vouch-guard

NPM package for Claude Managed Agents. Evaluates every tool call before execution.

npm install vouch-guard

import { guardSession } from "vouch-guard";

// Wrap your agent session — every tool call is evaluated before execution
const session = await guardSession({
  apiKey: process.env.VOUCH_API_KEY,
});

See github.com/atlas-with-iris/vouch-guard for full documentation.

Direct API

Call Vouch directly from your orchestrator or backend.

Python

import requests

resp = requests.post(
    "https://YOUR_ENDPOINT/api/v1/vouch",
    headers={"x-api-key": VOUCH_API_KEY},
    json={"description": plan.description, "steps": plan.steps},
    timeout=5,
)
result = resp.json()

if result["verdict"] == "ACCEPTED":
    execute(plan)
elif result["verdict"] == "RESTRICTED":
    log(result["guidance"])
else:
    block(plan)

Node.js

const res = await fetch(`${VOUCH_ENDPOINT}/api/v1/vouch`, {
  method: "POST",
  headers: { "Content-Type": "application/json", "x-api-key": VOUCH_API_KEY },
  body: JSON.stringify({ description: plan.description, steps: plan.steps }),
});
const result = await res.json();

if (result.verdict === "ACCEPTED") {
  await execute(plan);
} else if (result.verdict === "RESTRICTED") {
  console.log(result.guidance);
} else {
  await block(plan);
}

Error responses

Status	Code	Meaning
400	—	Missing plan. Provide `description` and `steps`.
401	`AUTH_001`	API key not provided.
403	`AUTH_002`	Invalid API key.
403	`AUTH_003`	API key has been revoked.
429	`AUTH_006`	Too many authentication failures.
429	`QUOTA_001`	Monthly evaluation quota exceeded.
500	—	Pipeline error. Vouch fails closed — plans are not silently passed.

Fail-closed behavior

Vouch fails closed. If the pipeline encounters an internal error, the response is a 500 — it does not silently return ACCEPTED.

What this means for your integration

If Vouch returns a non-200 status, treat the plan as not evaluated. Do not send it downstream.

# If Vouch is unreachable or returns an error,
# do NOT proceed with the plan.
if response.status_code != 200:
    return block_plan("governance layer unreachable")

# Only proceed on an explicit ACCEPTED verdict
result = response.json()
if result["verdict"] != "ACCEPTED":
    return handle_non_accepted(result)

Health check

GET /api/v1/status

Returns {"status": "ok"} when the service is running. No authentication required.

Support

For onboarding help, integration questions, or dedicated instance inquiries:

Email: jordan@atlaswithiris.com

Vouch Docs

What Vouch is

Where it sits

Why not just model guardrails?

Quick start

MCP (fastest)

API key

Authentication

What your agent sends

Richer plans get better evals

What you get back

ACCEPTED

RESTRICTED

BLOCKED

The signed receipt — vouch_attestation

Verdicts

PII & data privacy

Cost savings

vouch-mcp

Claude Desktop

With your own API key

vouch-guard

Direct API

Python

Node.js

Error responses

Fail-closed behavior

Health check

Support

The signed receipt — `vouch_attestation`