The hard part of agentic commerce was never getting a model to decide to launch a campaign. It was being able to sleep at night after you let it. An autonomous operator that touches real ad budgets, real customer lists, and a live storefront is only an asset if it is contained by construction — not by hoping the prompt holds.
Today the PlatformDTC Agent Gateway is live in production, and with it the control plane that makes autonomy safe to ship. This is how it works — and how we proved it.
Defense in depth: four gates, every call
Authority is granted in layers, and a request must clear all of them. No single leak — a stolen key, a confused agent, a misconfigured host — is enough to do damage on its own.
1 · Network
The agent surface is reachable only from your own infrastructure. An IP allowlist rejects every other source before a request reaches the app, so a key that leaks off your hosts cannot be used from anywhere else. The allowlist is a network control, not a host control: a compromised machine inside the allowlist still reaches the app, which is why the three gates below exist.
2 · Credential
Every call carries a scoped sq_agt_* service-account key (or a first-party JWT). No anonymous path exists. Keys are admin-minted, hashed at rest, rate-limited, and revocable in one call.
3 · Scope
A key grants only the verbs you choose — analytics:read, marketing:send, store:publish. An out-of-scope call is rejected with FORBIDDEN_SCOPE before any service runs.
4 · Approval
Money-movement and customer-contact actions can require a human tap. The agent proposes; nothing spends until a person resolves it.
Least privilege is the default, not the upgrade
Each agent gets its own sq_agt_* key carrying exactly the scopes you grant. A read-only analyst key cannot create a campaign; a creative key cannot connect an ad account. The agent can always introspect what it’s allowed to do, so it never blindly probes:
GET /api/v1/agent/v1/whoami
{ "kind": "api_key",
"merchant_id": "57ec73b2…",
"scopes": ["analytics:read", "catalog:read", "orders:read"],
"requires_approval": false }

Ask for something outside that set and the platform refuses before any business logic runs — and records the refusal:
POST /api/v1/agent/v1/campaigns # needs marketing:write
→ 403 { "error_code": "FORBIDDEN_SCOPE",
"errors": { "missing": ["marketing:write"] } }

The spend gate, demonstrated
The single most important promise of an autonomous operator is that it will not spend money you didn’t approve. We don’t ask you to take that on faith. Mint a key with requires_approval, and any spend action parks instead of firing:
POST /campaigns/{id}/send # marketing:send, approval-gated key
→ 202 { "status": "pending_approval",
"job_id": "5544…",
"poll": "/api/v1/agent/v1/jobs/5544…" }
# The campaign has NOT been sent. A human resolves it:
POST /approvals/5544…/resolve { "decision": "deny" }
→ 200 job → "cancelled"

That exact flow — gated key, campaign created, send parked, human deny — is part of our launch verification against live merchant data. The agent proposed a spend; the platform held it; a person decided. The autonomy dial goes from co-pilot to full autopilot, and the gate is what makes earning that trust gradual and safe.
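The whoami introspection, the FORBIDDEN_SCOPE refusal and the parked-then-denied spend above are three outcomes of one request path through the four gates. The following is an added example that models that path end to end; it is not PlatformDTC's code. The FORBIDDEN_SCOPE, pending_approval and whoami response bodies follow this post, while the in-memory key, job and audit stores, SHA-256 key hashing, a CIDR allowlist, the IP_NOT_ALLOWED, INVALID_KEY and ALREADY_RESOLVED error codes, the treatment of campaigns:send as the only spend action, and the demo's merchant and key data are all assumptions constructed for the example.

```python
# Added example (not PlatformDTC's code): the four gates modelled as one request path.
# Error codes other than FORBIDDEN_SCOPE, the stores and the hashing scheme are assumed.
import hashlib
import ipaddress
import secrets
import time
from dataclasses import dataclass, field

SPEND_ACTIONS = {"campaigns:send"}   # assumed: the actions that move money

def _h(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode()).hexdigest()   # only this digest is stored

@dataclass
class KeyRecord:
    key_hash: str
    merchant_id: str
    scopes: frozenset
    requires_approval: bool
    revoked: bool = False

@dataclass
class Gateway:
    allowlist: list                            # CIDRs of the merchant's own infrastructure
    keys: dict = field(default_factory=dict)   # key_hash -> KeyRecord
    jobs: dict = field(default_factory=dict)   # job_id -> parked or finished work
    audit: list = field(default_factory=list)  # one record per call, whatever the outcome

    def mint_key(self, merchant_id, scopes, requires_approval=False):
        raw = "sq_agt_" + secrets.token_urlsafe(24)
        self.keys[_h(raw)] = KeyRecord(_h(raw), merchant_id, frozenset(scopes), requires_approval)
        return raw                             # shown to the admin once, never kept in clear

    def revoke(self, raw):
        self.keys[_h(raw)].revoked = True

    def call(self, src_ip, raw_key, action, needed_scope=None, body=None):
        t0 = time.perf_counter()
        status, resp, principal = self._gates(src_ip, raw_key, action, needed_scope, body)
        self.audit.append({"principal": principal, "tool": action, "scope": needed_scope,
                           "status": status, "ms": (time.perf_counter() - t0) * 1000})
        return status, resp

    def _gates(self, src_ip, raw_key, action, needed_scope, body):
        # 1 Network: an off-allowlist source is refused before the key is even looked at.
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in ipaddress.ip_network(c) for c in self.allowlist):
            return 403, {"error_code": "IP_NOT_ALLOWED"}, None
        # 2 Credential: only a live, admin-minted key becomes a principal.
        rec = self.keys.get(_h(raw_key or ""))
        if rec is None or rec.revoked:
            return 401, {"error_code": "INVALID_KEY"}, None
        if action == "whoami":                 # introspection needs no scope of its own
            return 200, {"kind": "api_key", "merchant_id": rec.merchant_id,
                         "scopes": sorted(rec.scopes),
                         "requires_approval": rec.requires_approval}, rec.merchant_id
        # 3 Scope: refused, and audited, before any business logic runs.
        if needed_scope not in rec.scopes:
            return 403, {"error_code": "FORBIDDEN_SCOPE",
                         "errors": {"missing": [needed_scope]}}, rec.merchant_id
        # 4 Approval: a spend on an approval-gated key parks instead of firing.
        if action in SPEND_ACTIONS and rec.requires_approval:
            job_id = secrets.token_hex(4)
            self.jobs[job_id] = {"status": "pending_approval", "action": action,
                                 "merchant_id": rec.merchant_id, "body": body}
            return 202, {"status": "pending_approval", "job_id": job_id,
                         "poll": f"/api/v1/agent/v1/jobs/{job_id}"}, rec.merchant_id
        return 200, self._execute(action, body), rec.merchant_id

    def resolve(self, job_id, decision):
        # Human side of gate 4 (dashboard session, not the agent key).
        job = self.jobs[job_id]
        if job["status"] != "pending_approval":
            return 409, {"error_code": "ALREADY_RESOLVED"}
        if decision == "approve":
            job["status"], job["result"] = "completed", self._execute(job["action"], job["body"])
        else:
            job["status"] = "cancelled"        # nothing was sent
        return 200, {"job_id": job_id, "status": job["status"]}

    def _execute(self, action, body):
        # Stand-in for the real services; reached only once every gate has passed.
        return {"status": "sent" if action in SPEND_ACTIONS else "ok", "action": action}

def demo():
    gw = Gateway(allowlist=["10.0.0.0/8"])      # constructed merchant, keys and addresses
    analyst = gw.mint_key("57ec73b2", ["analytics:read", "catalog:read", "orders:read"])
    marketer = gw.mint_key("57ec73b2", ["marketing:send"], requires_approval=True)
    out = {"offnet": gw.call("203.0.113.9", marketer, "campaigns:send", "marketing:send"),
           "badkey": gw.call("10.1.2.3", "sq_agt_stolen", "campaigns:send", "marketing:send"),
           "whoami": gw.call("10.1.2.3", analyst, "whoami"),
           "scope": gw.call("10.1.2.3", analyst, "campaigns:create", "marketing:write"),
           "parked": gw.call("10.1.2.3", marketer, "campaigns:send", "marketing:send", {"id": "c1"})}
    out["denied"] = gw.resolve(out["parked"][1]["job_id"], "deny")
    gw.revoke(marketer)
    out["revoked"] = gw.call("10.1.2.3", marketer, "campaigns:send", "marketing:send")
    out["audit"] = gw.audit
    return out
```

Two properties of the model are worth checking against any real gateway: a refusal at gate 1 or 2 is audited with no principal, because nothing trustworthy identified the caller, and a refusal at gate 3 names the missing scope so the agent can stop rather than retry with variations.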
Safe by mechanism, not by manners
Idempotent mutations
Every write takes an Idempotency-Key header. A retry that carries the same key is recognised as the same write, so a dropped connection never double-charges or double-creates. The retry must reuse the key: a fresh key on every attempt is a fresh write each time.
Total audit
Principal, tool, scopes, status, and latency are recorded for every call — the accountability trail an enterprise needs.
Async jobs
Long operations return a job with one poll surface — no held connections, no lost work on a dropped socket.
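What an idempotency layer has to do to keep the "never double-creates" promise is easiest to see in code. The following is an added example, not PlatformDTC's code: the Idempotency-Key header is from this post, while keying the store per principal, fingerprinting the body, the IDEMPOTENCY_KEY_REQUIRED and IDEMPOTENCY_KEY_REUSED error codes, and the stand-in campaign service are assumptions made for the example.

```python
# Added example (not PlatformDTC's code): an idempotency layer for write endpoints.
# Per-principal keying, body fingerprinting and the 400/422 codes are assumed.
import hashlib
import json

def fingerprint(body) -> str:
    """Canonical hash of the body, so reuse of a key with a different body is detectable."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

class IdempotencyStore:
    def __init__(self):
        self._seen = {}   # (principal, Idempotency-Key) -> (fingerprint, status, response)

    def run(self, principal, idem_key, body, handler):
        """Replay the stored response for a repeat; call `handler` only on first sight."""
        if not idem_key:
            return 400, {"error_code": "IDEMPOTENCY_KEY_REQUIRED"}
        fp = fingerprint(body)
        hit = self._seen.get((principal, idem_key))
        if hit is not None:
            stored_fp, status, resp = hit
            if stored_fp != fp:      # same key, different intent: refuse rather than guess
                return 422, {"error_code": "IDEMPOTENCY_KEY_REUSED"}
            return status, resp      # the retry gets the original answer; nothing re-runs
        status, resp = handler(body)
        self._seen[(principal, idem_key)] = (fp, status, resp)
        return status, resp

class CampaignService:
    """Constructed stand-in for the real create-campaign service."""
    def __init__(self):
        self.created = []

    def create(self, body):
        self.created.append(body)
        return 201, {"campaign_id": f"c{len(self.created)}", "name": body["name"]}

def demo():
    store, svc = IdempotencyStore(), CampaignService()
    body = {"name": "Spring Launch", "type": "SMS", "sms_message": "Hi"}   # constructed
    first = store.run("merchant-a", "k-1", body, svc.create)
    retry = store.run("merchant-a", "k-1", dict(body), svc.create)        # socket dropped, client retried
    changed = store.run("merchant-a", "k-1", {**body, "name": "Summer"}, svc.create)
    other = store.run("merchant-b", "k-1", body, svc.create)              # keys are per principal
    missing = store.run("merchant-a", None, body, svc.create)
    return {"first": first, "retry": retry, "changed": changed, "other": other,
            "missing": missing, "created": len(svc.created)}
```

Scoping the store by principal matters: if keys were global, one merchant's retry could collide with, or replay, another's write. A production version also needs an in-flight marker so two concurrent copies of the same first request do not both reach the handler, and a retention window after which a key may be forgotten.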
Typed tools, not a generic blob
Agents reach the platform through a hosted MCP server at https://api.platformdtc.com/mcp — 25 typed dtc_* tools, each advertising its real JSON input schema. An agent introspecting dtc_create_campaign sees its actual parameters and which are required, not an opaque kwargs bag. Correct calls become the path of least resistance — which is its own kind of safety.
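The safety benefit of an advertised schema is that a malformed call can be caught before it leaves the agent. The following is an added example of that check, not PlatformDTC's code and not the real dtc_create_campaign schema: the schema below is constructed from the fields in this post's curl body (name, type, sms_message), and the validator covers only the JSON Schema keywords it uses (type, required, properties, enum, additionalProperties).

```python
# Added example (not PlatformDTC's code): agent-side validation of a tool call against the
# JSON input schema the tool advertises. The schema is constructed for this example.
_TYPES = {"string": str, "integer": int, "number": (int, float), "boolean": bool,
          "object": dict, "array": list}

CREATE_CAMPAIGN_SCHEMA = {            # constructed stand-in for the advertised input schema
    "type": "object",
    "required": ["name", "type"],
    "additionalProperties": False,
    "properties": {
        "name": {"type": "string"},
        "type": {"type": "string", "enum": ["SMS", "EMAIL"]},
        "sms_message": {"type": "string"},
    },
}

def _is(value, json_type):
    if json_type in ("integer", "number") and isinstance(value, bool):
        return False                  # bool is an int in Python but never a JSON number
    return isinstance(value, _TYPES[json_type])

def validate(schema, args, path="$"):
    """Return the problems with `args` under the schema subset above; [] means well-formed."""
    if "type" in schema and not _is(args, schema["type"]):
        return [f"{path}: expected {schema['type']}"]
    problems = []
    if "enum" in schema and args not in schema["enum"]:
        problems.append(f"{path}: must be one of {schema['enum']}")
    if schema.get("type") == "object":
        problems += [f"{path}.{k}: required" for k in schema.get("required", []) if k not in args]
        props = schema.get("properties", {})
        for key, val in args.items():
            if key in props:
                problems += validate(props[key], val, f"{path}.{key}")
            elif schema.get("additionalProperties", True) is False:
                problems.append(f"{path}.{key}: not a parameter of this tool")
    return problems

def safe_call(tool_schema, args, send):
    """Keep a malformed call off the wire; otherwise hand it to `send` (the transport)."""
    problems = validate(tool_schema, args)
    if problems:
        return {"sent": False, "problems": problems}
    return {"sent": True, "response": send(args)}

def demo():
    wire = []                         # constructed transport: records what would be sent
    send = lambda a: wire.append(a) or {"campaign_id": "c1"}
    good = safe_call(CREATE_CAMPAIGN_SCHEMA,
                     {"name": "Spring Launch", "type": "SMS", "sms_message": "Hi"}, send)
    bad = safe_call(CREATE_CAMPAIGN_SCHEMA,
                    {"type": "PUSH", "budget": 100, "sms_message": 5}, send)
    return good, bad, len(wire)
```

The problems list is the point: a model that is told "$.budget is not a parameter of this tool" and "$.type must be one of ['SMS', 'EMAIL']" corrects the call, whereas an opaque kwargs bag would have let it guess until something stuck.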
The same surface, two ways in
Everything an agent does over MCP is plain HTTP underneath. Anything the autonomous operator can do, your engineers can reproduce and audit with curl — same key, same scopes, same gates:
# Fix the key once so a retry of this exact command is recognised as the same write;
# an inline $(uuidgen) in the header would mint a fresh key on every run.
IDEMPOTENCY_KEY=$(uuidgen)
curl -X POST https://api.platformdtc.com/api/v1/agent/v1/campaigns \
-H "X-Agent-Key: sq_agt_xxx" -H "Idempotency-Key: $IDEMPOTENCY_KEY" \
-H "Content-Type: application/json" \
-d '{"name":"Spring Launch","type":"SMS","sms_message":"…"}'

Why this is the moat
Anyone can wrap a model in a prompt. What turns a clever demo into an operator you’d hand a budget is the unglamorous part: scoped credentials, idempotency, durable approval queues, a complete audit trail, and a network you control. That harness is where most agent projects fail — and it’s exactly what shipped today, verified end-to-end on real data.
Put an agent to work — safely
Read the security model, mint a scoped key, set your approval gate.