Pay.sh Adds MCP Elicitations, Requiring Human Approval Before AI Agents Spend USDC

The Solana Foundation's pay.sh command-line tool now pauses before spending. Version 0.19.0, released June 16 from the Foundation's GitHub, adds Elicitations: when an AI agent attempts a paid API call through the Model Context Protocol, pay.sh fires an approval request back through the MCP connection before any USDC moves.

Pay.sh is a CLI and MCP server, launched with Google Cloud in early June, that lets AI agents call paid APIs (Google Cloud's Gemini, BigQuery, and Vertex AI among them, plus 72 community providers including Helius hSOL$84.37+5.1% Helius) using USDC micropayments on Solana. No accounts or API keys required; the agent's wallet is the credential, and each request settles as an on-chain stablecoin payment.

How the Elicitation Gate Works

The implementation, built by Ludo Galabru (@lgalabru on GitHub), introduces ElicitationAuth as a fallback authentication layer. When a signing request comes in, pay.sh first checks for platform biometrics (Touch ID on macOS, Windows Hello, polkit on Linux). If biometrics are available, they handle the approval as they always have. If not, the system routes the request through MCP's elicitation/create message, prompting the connected AI client (Claude Desktop, Codex, or any MCP-compatible host) to surface an explicit approval dialog to the human operator.

The gate is designed to fail closed: even when the MCP client returns an acceptance response, pay.sh verifies the payload doesn't contain a contradicting approved=false before it will sign. A timeout or transport failure also prevents signing.

Developers running pay.sh in remote environments or wanting to enforce the elicitation path regardless of biometric availability can set PAY_FORCE_ELICITATION=1.

Why Protocol-Level Approval Matters for Agentic Spending

The shift is architectural. Prior implementations relied on wallet-level biometric approval, which works when a human is sitting in front of the machine. Elicitations extend that gate to remote MCP sessions and AI-hosted environments where biometrics aren't reachable. The human approval requirement now travels with the MCP connection itself, not contingent on what's available at the machine running pay.sh.

As AWS CloudFront added x402-based per-request billing for AI bots in USDC on Solana two days after this release, the broader pattern is clear: AI agents are becoming paying customers at scale, and the tooling to govern that spending is maturing alongside it. Elicitations are one answer to how much autonomous spending humans should delegate, choosing explicit sign-off before each transaction.

Pay.sh v0.20.0 followed on June 18 with a separate change: when agents have pre-funded credits, the tool now prefers spending those credits over generating a new payment transaction, reducing on-chain overhead for repeat callers.

The Solana Foundation maintains the repo, which has collected 1.7k stars and 575 forks. The pay-skills companion repository catalogs the API providers whose endpoints pay.sh can authenticate against autonomously.