
Policy System

The policy system is the core of Conto’s spending controls. Policies define rules that govern how AI agents can spend funds.

What is a Policy?

A policy is a set of rules that determine whether a payment should be:
  • APPROVED - Payment can proceed
  • DENIED - Payment is blocked
  • REQUIRES_APPROVAL - Manual approval needed

Policy Types

Spend Limit

Control maximum amounts per transaction, day, week, or month

Time Window

Restrict transactions to specific hours and days

Counterparty

Control which recipients are allowed based on trust

Geographic

Block transactions to sanctioned countries (OFAC)

Category

Allow or block specific spending categories

Approval Threshold

Require manual approval above certain amounts

Velocity

Limit transaction frequency to prevent rapid drain

Whitelist

Only allow specific pre-approved addresses

Policy Evaluation

Evaluation Order

Policies are evaluated in priority order (highest first):
Priority 95: Block Sanctioned Countries (Always first)
Priority 50: Standard Spend Limits (Normal rules)
Priority 10: Default Allow (Catch-all)

Multi-Policy AND Logic

When multiple policies are assigned to an agent, all policies must pass for a payment to be approved.
IF any policy returns DENY:
    Result = DENIED (evaluation stops immediately on first DENY)

ELSE IF any policy returns REQUIRES_APPROVAL:
    Result = REQUIRES_APPROVAL

ELSE IF all policies pass:
    Result = APPROVED
Due to early termination, when a payment is denied, only the first failing rule’s violation is returned — not all violations across all policies.

Creating Policies

Via Dashboard

1. Navigate to Policies

   Go to Policies in the sidebar and click New Policy.

2. Configure Policy

   Field        Description
   Name         Human-readable name
   Type         Policy type (spend limit, time window, etc.)
   Priority     0-100 (higher = evaluated first)
   Description  What this policy does

3. Add Rules

   Define the specific rules for this policy.

4. Assign to Agents

   Select which agents this policy applies to.

Via API

curl -X POST https://conto.finance/api/policies \
  -H "Authorization: Bearer $CONTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Daily Spend Limit",
    "description": "Limits daily spending to $1000",
    "policyType": "SPEND_LIMIT",
    "priority": 50,
    "isActive": true
  }'

Policy Properties

Property     Type     Description
name         string   Human-readable name
description  string   Detailed description
policyType   enum     Type of policy
priority     number   Evaluation order (0-100)
isActive     boolean  Whether policy is enforced
rules        array    Specific rules for this policy

Assigning Policies

Policies can be assigned to:
  • Agents - Apply to specific agents
  • Wallets - Apply to specific wallets
  • Organization - Apply to all agents (coming soon)

Assign to Agent

curl -X POST https://conto.finance/api/agents/{agentId}/policies \
  -H "Authorization: Bearer $CONTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "policyId": "policy_abc123"
  }'

Example: Standard Agent Setup

A typical agent configuration with multiple policies:
[
  {
    "name": "Spend Limits",
    "policyType": "SPEND_LIMIT",
    "priority": 50,
    "rules": [
      { "type": "PER_TRANSACTION", "maxAmount": 200 },
      { "type": "DAILY", "maxAmount": 1000 },
      { "type": "MONTHLY", "maxAmount": 10000 }
    ]
  },
  {
    "name": "Business Hours",
    "policyType": "TIME_WINDOW",
    "priority": 50,
    "rules": [
      { "type": "HOURS", "startHour": 9, "endHour": 18 },
      { "type": "DAYS", "allowedDays": ["Mon","Tue","Wed","Thu","Fri"] }
    ]
  },
  {
    "name": "Trusted Vendors Only",
    "policyType": "COUNTERPARTY",
    "priority": 50,
    "rules": [
      { "type": "TRUST_MINIMUM", "minTrustScore": 60 }
    ]
  }
]
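The priority ordering and multi-policy AND logic described under Policy Evaluation, run against the standard agent setup above, as an added Python example (not Conto's own engine). It assumes the rule shapes shown on this page, treats endHour as exclusive, reads the payment time as an ISO 8601 string, and adds a constructed lower-priority APPROVAL_THRESHOLD policy so that all three outcomes can occur.

```python
from datetime import datetime

# Constructed input: the "Standard Agent Setup" policies (trimmed) plus a lower-priority
# APPROVAL_THRESHOLD policy (an assumption) so that all three outcomes can occur.
POLICIES = [
    {"name": "Spend Limits", "policyType": "SPEND_LIMIT", "priority": 50, "rules": [
        {"type": "PER_TRANSACTION", "maxAmount": 200}, {"type": "DAILY", "maxAmount": 1000}]},
    {"name": "Business Hours", "policyType": "TIME_WINDOW", "priority": 50, "rules": [
        {"type": "HOURS", "startHour": 9, "endHour": 18},
        {"type": "DAYS", "allowedDays": ["Mon", "Tue", "Wed", "Thu", "Fri"]}]},
    {"name": "Trusted Vendors Only", "policyType": "COUNTERPARTY", "priority": 50, "rules": [
        {"type": "TRUST_MINIMUM", "minTrustScore": 60}]},
    {"name": "Large Payments", "policyType": "APPROVAL_THRESHOLD", "priority": 40, "rules": [
        {"type": "AMOUNT_THRESHOLD", "threshold": 150}]},
]

def check_rule(rule, payment, spent_today):
    """Evaluate one rule: returns (verdict, violation); violation is None unless DENIED."""
    amount, kind = payment["amount"], rule["type"]
    when = datetime.fromisoformat(payment["when"])  # payment time as an ISO 8601 string
    if kind == "PER_TRANSACTION" and amount > rule["maxAmount"]:
        return "DENIED", {"type": "PER_TRANSACTION_LIMIT", "limit": rule["maxAmount"], "current": amount}
    if kind == "DAILY" and spent_today + amount > rule["maxAmount"]:
        return "DENIED", {"type": "DAILY_LIMIT", "limit": rule["maxAmount"], "current": spent_today + amount}
    if kind == "HOURS" and not rule["startHour"] <= when.hour < rule["endHour"]:  # endHour exclusive
        return "DENIED", {"type": "OUTSIDE_HOURS", "limit": [rule["startHour"], rule["endHour"]], "current": when.hour}
    if kind == "DAYS" and when.strftime("%a") not in rule["allowedDays"]:
        return "DENIED", {"type": "OUTSIDE_DAYS", "limit": rule["allowedDays"], "current": when.strftime("%a")}
    if kind == "TRUST_MINIMUM" and payment["trustScore"] < rule["minTrustScore"]:
        return "DENIED", {"type": "TRUST_TOO_LOW", "limit": rule["minTrustScore"], "current": payment["trustScore"]}
    if kind == "AMOUNT_THRESHOLD" and amount > rule["threshold"]:
        return "REQUIRES_APPROVAL", None  # not a violation: the payment waits for a human
    return "APPROVED", None

def evaluate(policies, payment, spent_today=0):
    """AND all active policies, highest priority first, stopping at the first DENY."""
    needs_approval = False
    # sorted() is stable, so policies sharing a priority keep their assignment order
    for policy in sorted(policies, key=lambda p: p["priority"], reverse=True):
        if not policy.get("isActive", True):
            continue
        for rule in policy["rules"]:
            verdict, violation = check_rule(rule, payment, spent_today)
            if verdict == "DENIED":  # early termination: only this violation is reported
                violation["policy"] = policy["name"]
                return {"status": "DENIED", "violations": [violation]}
            needs_approval |= verdict == "REQUIRES_APPROVAL"
    return {"status": "REQUIRES_APPROVAL" if needs_approval else "APPROVED", "violations": []}
```

Note that a $180 payment with $900 already spent today and a counterparty trust score of 30 is denied with a single DAILY_LIMIT violation: the trust rule is never reached, which is exactly the early-termination behaviour described above.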

Best Practices

Create policies at different priority levels:
  • HIGH (90-100): Security/Compliance (sanctions, blocked addresses)
  • MEDIUM (40-60): Business Rules (limits, time windows)
  • LOW (0-20): Defaults (catch-all rules)
Begin with strict policies and relax based on operational needs:
  • Day 1: $100/day limit, 3 trusted vendors
  • Week 2: $500/day, add 5 more vendors
  • Month 2: $1000/day, category-based restrictions
Don’t block high-value transactions entirely - require approval:
{
  "policyType": "APPROVAL_THRESHOLD",
  "rules": [
    { "type": "AMOUNT_THRESHOLD", "threshold": 500 }
  ]
}
Use descriptions to explain policy intent:
{
  "name": "OFAC Compliance",
  "description": "Blocks transactions to OFAC-sanctioned countries. Required for regulatory compliance. Do not modify without legal approval."
}

Violation Details

When a payment is denied, detailed violation info is returned:
{
  "status": "DENIED",
  "reasons": ["Would exceed daily limit"],
  "violations": [
    {
      "type": "DAILY_LIMIT",
      "policy": "Standard Spend Limits",
      "limit": 1000,
      "current": 1150,
      "message": "Would exceed daily limit: -$150 remaining"
    }
  ]
}

Next Steps