Safeguard
AI Security

Agents Can Now Procure Safeguard Through MCP

AI agents can browse regional pricing, compare tiers, start a Stripe checkout, and verify activation — the entire Safeguard procurement journey now runs through the MCP server.

Hritik Kumar Sharma
Founder & CEO
6 min read

Until today, an AI agent connected to Safeguard's MCP server could scan your repositories, triage vulnerabilities, generate remediation plans, and merge fix PRs — but the moment a team needed to buy a plan, upgrade a tier, or recharge after hitting a usage limit, a human had to leave the assistant, open a browser, find the billing page, and click through checkout. That gap is now closed — starting from zero. Safeguard's MCP server ships twelve new tools that let any connected agent — Claude, ChatGPT, Copilot, Cursor, or anything else that speaks the Model Context Protocol — run the entire journey: create the Safeguard account itself (no browser, no OAuth dance), sign the session in, discover the plans offered to the workspace with correct regional pricing, compare tiers and what each unlocks, start a Stripe Checkout session, hand back the secure payment link, verify that the paid invoice landed and the tier's features actually activated — and then keep up with the user's notification inbox as scans and findings start flowing.

Starting from nothing: agent-native account creation

New customers don't need to exist in Safeguard before their agent connects. A dedicated pre-auth endpoint — mcp.safeguard.sh/mcp/onboarding — exposes exactly four account tools to unauthenticated sessions: safeguard_create_account registers the user and provisions a workspace for their email domain (or joins the team's existing one), safeguard_login signs the very same MCP session in — server-side, from the returned token, with no browser round-trip — and safeguard_verify_email / safeguard_resend_verification complete email verification in-band when the platform requires it. The regular /mcp endpoint keeps its standard OAuth behavior for humans with existing accounts. Passwords and tokens never appear in logs or responses, and signup writes the same account-created audit row the web form does.

The full purchase journey, as tools

The billing tools mirror exactly what a human does on the billing page, using the same public self-serve payment APIs behind it:

  • safeguard_list_pricing_plans — the plans your tenant may purchase, grouped by product, with monthly and yearly prices, tier, audience category, and the feature list each tier unlocks.
  • safeguard_purchase_plan — creates a Stripe Checkout session for a chosen plan and returns the hosted payment URL.
  • safeguard_list_billing_invoices — your paid and open invoices, each with a hosted payment link and a PDF receipt.
  • safeguard_get_subscription_entitlements — the feature flags currently enabled for your workspace, so an agent can confirm a purchased tier's features are live.

A typical conversation now looks like: "We hit our scan limit — find the cheapest plan that raises it, and get me a payment link." The agent pulls the offered plans, picks by price and quota, starts checkout, and returns a link. After payment, ask "did it go through?" and the agent checks the invoice status and reads back the entitlements that switched on.

Regional pricing that meets the agent where the user is

Safeguard prices plans per region, and the plan listing tool was built for how agents actually work: instead of demanding a clean ISO country code, it accepts every location signal the agent knows about its user — an explicit country code, a country name, a BCP-47 locale like en-IN, an IANA timezone like Asia/Kolkata, a continent or country group, a city or district, a preferred currency, even an IP address. The server folds those signals into the single best pricing region, entirely offline, and explains its reasoning in the response: which signal decided the region, which signals were ignored and why, and when nothing resolves safely, it falls back to global pricing rather than guessing. No location data ever leaves the MCP server, and only the resolved country code reaches the pricing API.

Tiers, audiences, and what your plan actually includes

Plans carry two orthogonal dimensions. Tier — PRO, MAX, 5X, 20X, ENTERPRISE — determines depth: quotas, limits, and the feature set that gets flag-enabled on activation. Audience — INDIVIDUAL for single users, TEAM, ENTERPRISE, and SHARED plans offered to everyone — determines fit. An agent can filter by audience ("show me team plans"), compare per-tier feature lists side by side, and after purchase, call the entitlements tool to see precisely which feature flags the new tier enabled. "What does my plan include?" is now a question an agent answers from live flag state, not a pricing page screenshot.

What we deliberately did not automate

Payment card data never passes through the MCP server, the agent, or the model. safeguard_purchase_plan returns a Stripe-hosted checkout URL — the same hardened payment page the web app uses — and the payment itself is completed there. For workspaces with a saved payment method, that's effectively one click; for new customers it's a normal card entry on Stripe's page. The agent automates everything around the payment: discovery, comparison, region resolution, session creation, receipt verification, and entitlement confirmation.

Tenant isolation is structural, not conventional. The purchase, invoice, and entitlement tools take the tenant from the authenticated session context — there is no tenant argument to pass — so an agent can only ever buy for, and see the invoices of, the workspace it's signed into.

Governed and audited, like everything else in the registry

The new tools follow the same per-tool feature-flag model as the rest of Safeguard's 650+ MCP tools — and because zero-touch onboarding only works if a brand-new workspace can act immediately, the self-serve set (account, billing, and the user's notification inbox) ships enabled by default, with every tool individually disable-able per tenant. A workspace that wants agents to browse pricing but never initiate checkout simply switches safeguard_purchase_plan off.

Every billing call — including read-only plan pulls, invoice pulls, and entitlement pulls — emits a structured audit record carrying the tenant, organization, user, action, parameters, and outcome. The durable money-event trail stays where it has always lived: subscription activation, product license grants, and failures are written to the auth service's audit log by the payment webhook flow, giving compliance teams a complete, two-layer picture of what an agent looked at and what actually changed hands.

Why this matters

Agentic procurement is coming to every SaaS category, and security platforms should be first, not last — the moment an agent discovers your scans are paused on a usage limit is exactly the moment it should be able to fix that, end to end, without a context switch. This release makes Safeguard one of the first security platforms where the same assistant that finds the risk can also procure the capacity to fix it — governed by per-tenant flags, scoped to its own tenant, and audited at every step.

The tools are live in the MCP server today. Connection guides for every major assistant are in our MCP documentation, and the new agent procurement guide walks through the full flow.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.