Securing AI Agents with Parse
AI agents are risky because they convert text into action. A prompt, document, browser page, API response, or peer-agent message can become a tool call, memory write, payment, code execution, or user-visible answer.
Parse gives agents a machine-readable screening decision at those trust boundaries.
Core rule
Screen text when both conditions are true:
- The text was not generated by the agent's own model in this turn.
- The text will influence an LLM prompt, tool action, memory write, credential use, payment, code execution, external message, or user-visible output.
Generated output is handled separately: use POST /v1/screen-output before forwarding it.
Trust boundaries
| Boundary | Endpoint | Default behavior |
|---|---|---|
| User input | POST /v1/parse | Block high-risk input |
| RAG documents | POST /v1/parse | Drop blocked chunks |
| Browser/email/file/tool output | POST /v1/parse | Screen before inserting into context |
| Peer-agent message | POST /v1/agent/trust/verify | Reject suspicious delegation |
| Generated response | POST /v1/screen-output | Screen before forwarding |
| Unknown auth context | GET /v1/pricing then x402 flow | Pay per call or provision key |
Minimal integration
```ts
// Screen text crossing a trust boundary before it can drive a tool action.
async function guardedToolBoundary(text: string, source: string) {
  const res = await fetch("https://parsethis.ai/v1/parse", {
    method: "POST",
    headers: {
      Authorization: `Bearer ${process.env.PARSE_API_KEY}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ prompt: text, metadata: { source } }),
  });
  if (!res.ok) {
    // High-impact paths should fail closed.
    throw new Error(`Parse unavailable: ${res.status}`);
  }
  const decision = await res.json();
  // Deny on an explicit block or on a risk score at or above the threshold.
  if (decision.suggested_action === "block" || decision.risk_score >= 7) {
    throw new Error("Blocked by Parse");
  }
  return decision;
}
```
High-impact actions
Fail closed or require human review before:
- sending messages or email
- making payments
- changing production data
- running shell commands
- editing files
- calling privileged APIs
- writing long-term memory
- accepting instructions from another agent
Low-impact drafts and summaries can fail open only when the operator explicitly accepts the risk and logs the bypass.
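The fail-closed / fail-open split above, as an added example that is not Parse's own code: a small wrapper that tags each action with its impact tier, fails closed for the high-impact list whenever screening is unavailable, and lets low-impact paths proceed only when the operator has opted in, logging every bypass. The names `applyPolicy`, `screenForAction`, `ScreenPolicy`, `HIGH_IMPACT` and the action tags are assumptions; the endpoint, request body and the `suggested_action` / `risk_score` fields follow the page.

```typescript
// Added example (not Parse's own code). Hypothetical names: applyPolicy,
// screenForAction, ScreenPolicy, HIGH_IMPACT and the action tag strings.
// The endpoint, request body and decision fields follow the page.
type Decision = { suggested_action: string; risk_score: number };
type Outcome = { allowed: boolean; reason: string };
type HttpResponse = { ok: boolean; status: number; json: () => Promise<unknown> };
type Fetcher = (url: string, init: { method: string; headers: Record<string, string>; body: string }) => Promise<HttpResponse>;
interface ScreenPolicy {
  operatorAcceptsFailOpen: boolean;               // explicit opt-in, low-impact paths only
  log: (event: Record<string, unknown>) => void;  // audit sink; prompt text is never logged
}
// Action tags (constructed here) for the page's high-impact list.
const HIGH_IMPACT = new Set([
  "send_message", "make_payment", "change_production_data", "run_shell",
  "edit_file", "call_privileged_api", "write_long_term_memory", "accept_agent_instruction",
]);
// Pure policy step: turns a Parse decision, or a screening failure, into allow/deny.
function applyPolicy(screening: { decision?: Decision; error?: string },
  action: string, source: string, policy: ScreenPolicy): Outcome {
  const highImpact = HIGH_IMPACT.has(action);
  if (!screening.decision) {
    // Parse unavailable: high-impact paths fail closed; low-impact paths may
    // fail open only with operator acceptance, and every bypass is logged.
    if (highImpact || !policy.operatorAcceptsFailOpen) {
      policy.log({ event: "fail_closed", action, source, error: screening.error });
      return { allowed: false, reason: "screening unavailable" };
    }
    policy.log({ event: "fail_open_bypass", action, source, error: screening.error });
    return { allowed: true, reason: "fail-open bypass (logged)" };
  }
  const d = screening.decision;
  const blocked = d.suggested_action === "block" || d.risk_score >= 7;
  policy.log({ event: blocked ? "blocked" : "allowed", action, source, risk_score: d.risk_score });
  return { allowed: !blocked, reason: blocked ? "blocked by Parse" : "screened" };
}
// Network step: any fetch-compatible function works (pass the global fetch in production).
async function screenForAction(text: string, source: string, action: string,
  policy: ScreenPolicy, apiKey: string, fetchImpl: Fetcher): Promise<Outcome> {
  try {
    const res = await fetchImpl("https://parsethis.ai/v1/parse", {
      method: "POST", headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json" },
      body: JSON.stringify({ prompt: text, metadata: { source, action } }),
    });
    const screening = res.ok ? { decision: (await res.json()) as Decision } : { error: `HTTP ${res.status}` };
    return applyPolicy(screening, action, source, policy);
  } catch (err) {
    return applyPolicy({ error: String(err) }, action, source, policy);  // transport failure
  }
}
```

Because the policy step is separate from the network step, the fail-closed and fail-open branches can be unit-tested with a stubbed fetcher and no live Parse key.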
MCP integration
The hosted MCP endpoint is POST /mcp. It exposes:
- screen_prompt
- screen_output
- verify_agent_trust
- get_pricing
The manifest is available at /mcp.json.
x402 integration
For agents with wallets, x402 removes signup friction:
- Call a billable endpoint with no bearer key.
- Receive `402 Payment Required`.
- Sign the advertised USDC payment on Base mainnet.
- Retry with `payment-signature`.
Use x402 for autonomous first calls and metered workflows. Use bearer keys for sustained production volume.
Operational checklist
- Keep one Parse key per environment.
- Do not commit keys or wallet private keys.
- Scope HTTP auth headers to `parsethis.ai`.
- Log screening decisions without storing unnecessary prompt content.
- Use idempotency keys for paid retries around non-idempotent workflows.
- Test monthly with your own attack corpus.
- Keep least-privilege tool permissions even when screening is enabled.
Limitations
Parse reduces risk but does not guarantee protection. It is not a substitute for scoped credentials, allowlisted tools, output validation, human review for high-impact actions, or incident response.