Technical · 7 May 2026 · 7 min read

OpenAI Agents SDK: securing your agent's payments

The OpenAI Agents SDK lets you build agents that act in the real world — including paying. Here's how to wire in an authorisation system without making your code more complex.

Since the OpenAI Agents SDK shipped, it's become trivial to build an agent that can act in the real world: send emails, call APIs, manage files. But the moment that agent touches payments, control becomes critical.

The architecture of an agent that pays

An agent that handles payments typically uses one or more tools: create_invoice, pay_supplier, subscribe_to_service. With no guardrails, those tools fire directly the moment the model decides.

The problem is structural: the LLM has no access to your real financial context (available balance, accounting rules, list of approved suppliers). It does its best with the system prompt — but a prompt is not a rules engine.

Inserting an authorisation layer

The right architecture places an authorisation step before every financial action. Your tool doesn't pay directly: it asks for authorisation first, then acts on the response.

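import AgentGate from '@agentgate/sdk';
import Stripe from 'stripe';

const gate = new AgentGate({ apiKey: process.env.AGENTGATE_KEY });
// Stripe client used on the approved path; the env var name is an assumption.
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);

async function pay_supplier(args: { vendor: string; amount: number; currency: string }) {
  // Ask for authorisation before any money moves.
  const auth = await gate.authorize({
    type: 'payment',
    vendor: args.vendor,
    amount: args.amount,
    currency: args.currency,
  });

  if (auth.status === 'APPROVED') {
    // Stripe takes the amount in the smallest currency unit (e.g. cents) and a
    // lowercase ISO currency code; this assumes args.amount is already in that unit.
    return await stripe.paymentIntents.create({
      amount: args.amount,
      currency: args.currency.toLowerCase(),
    });
  }
  if (auth.status === 'PENDING') {
    // Human approval is in flight: return a handle instead of paying.
    return { status: 'waiting_approval', requestId: auth.id };
  }
  // Any other status is treated as a refusal, so no payment is created.
  return { status: 'denied', reason: auth.reason };
}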

The agent gets a structured response whatever the decision is. It can keep working on other tasks while a human validation is in flight.

Defining rules that actually make sense

Here's an example of rules suited to a procurement agent at an SME:

  • Transactions < €200 with a supplier on the allow-list → auto-approved
  • Transactions between €200 and €2,000 → Slack notification, approval within 24h
  • Transactions > €2,000 → mandatory email validation from the director
  • Supplier not on the allow-list → automatic refusal, whatever the amount
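
The four rules above written as a deterministic decision function, added here as an illustration; it is not AgentGate's code or rule syntax. The type names, vendor ids, integer-cent amounts, the choice to place exactly €200 and exactly €2,000 in the middle tier, and the refusal of malformed amounts and non-EUR currencies are assumptions.

```typescript
// Added example: all names and sample values below are hypothetical.
type GateDecision =
  | { status: 'APPROVED'; rule: string }
  | { status: 'PENDING'; rule: string; channel: 'slack' | 'director_email'; deadlineHours?: number }
  | { status: 'DENIED'; rule: string };

interface SpendRequest { vendorId: string; amountCents: number; currency: string }

// Constructed sample allow-list; real entries come from your supplier records.
const APPROVED_VENDORS: ReadonlyArray<string> = ['vendor_acme', 'vendor_papeterie'];

const AUTO_APPROVE_BELOW_CENTS = 20000; // strictly under €200
const DIRECTOR_ABOVE_CENTS = 200000;    // strictly over €2,000

function evaluatePayment(req: SpendRequest): GateDecision {
  // Fail closed on malformed input: the amount originates from model output.
  const amt = req.amountCents;
  if (typeof amt !== 'number' || !isFinite(amt) || Math.floor(amt) !== amt || amt <= 0) {
    return { status: 'DENIED', rule: 'invalid_amount' };
  }
  // The thresholds are stated in euros, so other currencies are refused (assumption).
  if (req.currency !== 'EUR') {
    return { status: 'DENIED', rule: 'unsupported_currency' };
  }
  // The allow-list is checked before any amount tier: refusal whatever the amount.
  // Exact match on an identifier, not a fuzzy match on a display name.
  if (APPROVED_VENDORS.indexOf(req.vendorId) === -1) {
    return { status: 'DENIED', rule: 'vendor_not_allow_listed' };
  }
  if (amt < AUTO_APPROVE_BELOW_CENTS) {
    return { status: 'APPROVED', rule: 'auto_under_200' };
  }
  if (amt <= DIRECTOR_ABOVE_CENTS) {
    return { status: 'PENDING', rule: 'slack_200_to_2000', channel: 'slack', deadlineHours: 24 };
  }
  return { status: 'PENDING', rule: 'director_over_2000', channel: 'director_email' };
}
```

Because the decision is a pure function of the request and the allow-list, the boundary cases (€199.99, €200, €2,000, €2,000.01) can be unit-tested independently of the agent and the model.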

What you gain

Beyond security, you get a usable audit log: which agent asked for what, when, with what context, and what the decision was. That's essential the moment you have several agents or several users in your workspace.

Accounting gets simpler too: every authorisation request is exportable, with the metadata you passed at request time.

Next steps

If you're already using the OpenAI Agents SDK, wiring in an authorisation layer takes about half a day. Start by identifying the tools that trigger transactions, then slot in the authorisation call. The rest of your agent doesn't need to change.
