· Published 2026-07-17 · Last updated 2026-07-17

Template

Merchant allowlist and blocklist template

Control which vendors your agents can pay by configuring allowlists and blocklists. This template covers the three strategies: open-with-exceptions, closed-with-exceptions, and tiered access.

Strategy 1: Open with exceptions (blocklist)

Allow all merchants except specific ones. Best for internal tools where you trust the agent but want to block known-bad vendors.

# Block specific merchants
curl -X POST https://sipi.bot/api/rules \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"rule_type":"merchant_block","params":{"merchants":["unknown-gpu.ru","cheap-tokens.xyz","shadow-vps.io"]},"action":"BLOCKED","label":"blocklist"}'

Strategy 2: Closed with exceptions (allowlist)

Block everything except approved merchants. Best for production agents where you want explicit control over every vendor.

# Allow only approved merchants
curl -X POST https://sipi.bot/api/rules \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"rule_type":"merchant_block","params":{"block_all":true,"allowed":["openai.com","anthropic.com","runpod.io","modal.com","stripe.com"]},"action":"BLOCKED","label":"allowlist"}'

Strategy 3: Tiered access

Allow small spends anywhere, restrict large spends to approved vendors.

# Tier 1: any merchant up to $50
curl -X POST https://sipi.bot/api/rules \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -d '{"rule_type":"per_transaction","params":{"max_amount":50},"action":"BLOCKED","label":"tier1-cap"}'

# Tier 2: approved merchants up to $500
curl -X POST https://sipi.bot/api/rules \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -d '{"rule_type":"per_transaction","params":{"max_amount":500,"allowed_merchants":["openai.com","runpod.io"]},"action":"BLOCKED","label":"tier2-cap"}'

# Tier 3: requires approval for anything above
curl -X POST https://sipi.bot/api/rules \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -d '{"rule_type":"approval_threshold","params":{"min_amount":500.01},"action":"FLAGGED","label":"tier3-approval"}'

Frequently asked

Should I use an allowlist or a blocklist?

Allowlists (closed-by-default) are safer for production agents where you want complete control. Blocklists (open-with-exceptions) are practical for internal tools where you trust the agent and only need to block known-bad vendors.

How do I add a merchant to the allowlist later?

Use the dashboard or PUT /api/rules/<id> to update the allowed_merchants list. The change takes effect immediately — no restart required.

Does the merchant name need to be exact?

Yes — the merchant field in the evaluate call must match the configured name exactly. For fuzzy matching, add multiple entries or use a prefix convention (e.g., 'google-*' if you implement custom matching).

Get started — $99/mo Framework integrations