Getting Started
Quick Start How it Works
Configuration
Config file Changing agent name Environment variables Re-running init Removing Troxy
Auth Model
How auth works
CLI Reference
troxy init troxy update troxy restart troxy uninstall troxy login / logout troxy status troxy policies troxy mcps troxy pause / resume troxy activity troxy insights troxy pay troxy rotate-key
Policy Examples
Block by amount Block by category Notify on spend Escalate for approval Per-agent policies Tiered by amount
MCP Server
Connecting evaluate_payment Auto-start on reboot
Troubleshooting
Common Issues

Documentation

Everything you need to connect your AI agent to Troxy and control its payments.

Quick Start

Get up and running in under 2 minutes.

Prerequisites, Node.js 18+

The Troxy CLI requires Node.js. Run node -v, if you see a version number, skip ahead to Install the CLI below.

Don't have Node.js? Install it (per OS)

Pick your OS below. After installing, run node -v to confirm it worked.

Amazon Linux / RHEL / CentOS

curl -fsSL https://rpm.nodesource.com/setup_20.x | sudo bash -
sudo yum install -y nodejs

Ubuntu / Debian

curl -fsSL https://deb.nodesource.com/setup_20.x | sudo bash -
sudo apt-get install -y nodejs

macOS

brew install node

Any system (nvm)

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
source ~/.bashrc
nvm install --lts

1. Install the CLI

sudo npm install -g troxy-cli

This makes the troxy command available globally. All examples below use troxy directly.

Already installed? Run troxy update to upgrade, or troxy --version to check what you have. If the update fails, see Update errors in Troubleshooting.

2. Get your API key

Log in to the Troxy dashboard, go to API Keys, and copy your API key. It starts with txy-.

3. Connect the MCP (once per machine)

troxy init --key txy-your-key-here

This will:

You'll see a green dot next to your agent's name in the dashboard within 60 seconds. You only need to run this once per machine.

4. Log in for CLI commands (12-hour session)

troxy login

This opens your browser with a Troxy login page that displays a short code. Copy the code and paste it back into the terminal. You're then authenticated for 12 hours. This is separate from the MCP key and required to run any CLI inspection or management commands (activity, mcps, policies, insights, etc.).

Two separate things: troxy init connects the MCP (one-time setup, key saved forever). troxy login starts a 12-hour CLI session for running commands. Think of it like SSH keys vs. AWS console login, they serve different purposes.

5. Create your first policy

Open the dashboard and go to Policies → New policy. Add a condition and choose an action. Example: set amount ≥ 500 with action BLOCK, any payment over $500 will be blocked automatically.

How it Works

Troxy sits between your AI agent and payments as an MCP tool. Before making any payment, the agent calls evaluate_payment. Troxy checks your policies in priority order and returns one of four decisions:

ALLOW, approved, agent proceeds
BLOCK, rejected, agent stops
NOTIFY, approved, but you get notified
ESCALATE, held until you manually approve it in the dashboard

The MCP server also sends a heartbeat every 60 seconds so the dashboard shows real-time connection status.

What "connecting the MCP" actually does
Running troxy init starts a background MCP server process. This server does two things:
1. It exposes the evaluate_payment tool to your AI client (Claude, Cursor, etc.) so the agent can call it before any payment.
2. It sends a heartbeat to Troxy every 60 seconds, this is what makes the green dot appear in your dashboard.

The MCP connection itself does not intercept payments automatically. Your agent must explicitly call evaluate_payment. Payments only go through Troxy when the agent is programmed to check first.

Config file

Troxy stores its local config at ~/.troxy/config.json. You can view or edit it directly:

cat ~/.troxy/config.json

A typical config looks like this:

{
  "apiKey": "txy-your-key-here",
  "agentName": "Shopping Bot"
}
FieldDescription
apiKeyYour Troxy API key (starts with txy-). Set during troxy init. Never needs to be passed again after that.
agentNameThe display name shown in your dashboard. Also sent with every payment evaluation so you can write per-agent policies.

Changing the agent name

Edit the config file directly, then restart the service:

nano ~/.troxy/config.json

# After saving, restart:
sudo systemctl restart troxy-mcp        # Linux
launchctl unload ~/Library/LaunchAgents/ai.troxy.mcp.plist   # macOS
launchctl load  ~/Library/LaunchAgents/ai.troxy.mcp.plist

The dashboard will show the updated name within 60 seconds.

Environment variables

Environment variables take precedence over the config file, useful for containers or CI:

VariableDescription
TROXY_API_KEYAPI key. Overrides apiKey in config.
TROXY_AGENT_NAMEAgent name. Overrides agentName in config.
TROXY_API_KEY=txy-your-key TROXY_AGENT_NAME="Prod Agent" npx troxy mcp

Re-running init

To start fresh (e.g. to swap API keys or rename the agent), uninstall first then re-run:

troxy uninstall
troxy init --key txy-your-new-key-here

Removing Troxy

There are two separate things you can do, and they're often confused, make sure you understand both:

ActionWhat it doesWhat it doesn't do
Remove in the dashboard Revokes the API key immediately. Any future evaluate_payment call from that machine returns an auth error, payments are blocked at the Troxy level. Does not stop the MCP server process on the machine. The process keeps running, it just gets errors. Claude / Cursor / Windsurf configs are untouched.
troxy uninstall on the machine Stops the background MCP service, removes the MCP entry from Claude / Cursor / Windsurf configs, and deletes ~/.troxy. Does not revoke the API key in the dashboard. If someone has a copy of the key they can still use it until you revoke it.
Fully removing Troxy from a machine requires both steps:
  1. Click Remove in the dashboard → revokes the API key immediately
  2. Run troxy uninstall on the machine → stops the service and cleans up MCP configs
Doing only the dashboard step leaves a running process that errors. Doing only the machine step leaves an active API key in your account.

After uninstalling, restart your AI client (Claude Desktop, Cursor, etc.) to fully stop the MCP server process.

MCP key vs login session, what requires what

troxy init connects this machine as an MCP, that's it. The API key it saves is used exclusively by the background MCP server to evaluate payments and send heartbeats. It cannot read policies, list MCPs, view activity, or do anything else.

troxy login gives you a 12-hour human session for everything else, all management and inspection commands go through this session, not the API key.

CommandNeedsWhy
troxy init --key txy-...API key (passed directly)One-time machine setup
troxy statusNothing, works alwaysAPI health + local MCP state
troxy pause / resumeLogin sessionPause or resume this MCP
troxy mcps listLogin sessionSee all MCP connections
troxy mcps renameLogin sessionRename this machine's MCP
troxy payLogin sessionSimulate a payment evaluation
troxy policies list / describeLogin sessionRead your policies
troxy policies create / set-priority / enable / disable / deleteLogin sessionManage policies
troxy activityLogin sessionView payment decisions
troxy insightsLogin sessionView spending summary
troxy rotate-keyLogin sessionRotate MCP key (revokes old automatically)
troxy restartNoneRestart the MCP background service

Bottom line: run troxy init once per machine to connect the MCP, then run troxy login whenever you want to manage your account from the CLI. Sessions last 12 hours.

troxy init

Run once per machine. Validates the key, asks for an agent name, patches MCP client configs, and installs the background service.

troxy init --key txy-your-key-here

After init, your key is saved to ~/.troxy/config.json, no need to pass --key to any other command.

troxy update

Updates the Troxy CLI to the latest version from npm.

troxy update

If you installed with sudo npm install -g, you'll need sudo troxy update. After updating, run troxy restart to apply the new version to the background service.

sudo troxy update
troxy restart

troxy restart

Restarts the Troxy background service. Use this after updating or after manually editing ~/.troxy/config.json.

troxy restart

troxy uninstall

Fully removes Troxy from the current machine.

troxy uninstall

This command does the following:

  1. Stops and removes the background MCP service
  2. Removes the troxy-mcp entry from all detected client configs (Claude Desktop, Cursor, Windsurf)
  3. Deletes ~/.troxy (your local config and saved API key)

After running: restart your AI client (Claude Desktop, Cursor, etc.) so the MCP server process fully stops. Until you restart, the client may still try to connect.

This only removes Troxy from this machine. It does not revoke the API key in your dashboard. To fully cut off access, for example if the machine is being decommissioned, also revoke the key in the dashboard: go to API Keys → find the key → Revoke.

Want to reinstall later? Just run troxy init --key txy-your-key again. Your policies and dashboard data are untouched.

troxy login / logout

Authenticates you as a human for 12 hours. Required for every command except troxy init and troxy status, policies, activity, MCPs, insights, pause/resume, rotate-key, all of it.

troxy login
troxy logout

After running troxy login:

  1. Your browser opens to the Troxy login page
  2. Log in, and the page shows you a short code
  3. Copy the code and paste it back into the terminal
  4. You're authenticated for 12 hours
Note: troxy login is your session as a human, it is completely separate from the MCP connection. The MCP server runs on its own API key (set by troxy init) and does not need you to be logged in.

troxy status

Shows API health and connection status. Works without login. If you're logged in, also shows your account overview (policies count, MCP connections, etc.).

troxy status

troxy policies

Read (login required):

troxy policies list
troxy policies describe --name 'Block Amazon'

Write (login required):

troxy policies create --name "Block large" --action BLOCK --field amount --operator gte --value 500
troxy policies create --name "Cap spend" --action BLOCK --mcp "My Laptop" --field amount --operator gte --value 200
troxy policies create --name "Allow Wiki" --action ALLOW --priority 5 --field merchant_name --operator contains --value Wiki
troxy policies set-priority --name "Block large" --priority 10
troxy policies resume --name "Block large"
troxy policies pause  --name "Block large"
troxy policies delete  --name "Block large"
Tip: Policy names containing special characters like $ should be wrapped in single quotes to prevent shell interpretation:
troxy policies describe --name 'Allow under $100'
Help: Run troxy policies <subcommand> --help to see all options without entering any required fields. For example: troxy policies create --help
OptionValues
--actionALLOW, BLOCK, NOTIFY, ESCALATE
--fieldamount, merchant_name, merchant_category, merchant_country, currency, agent_name, hour, day_of_week
--operatoreq, neq, gt, gte, lt, lte, contains, between
--valueComparison value (e.g. 500, amazon, Monday)
--value2Upper bound for between operator
--priorityPriority number for create. Lower = evaluated first. Defaults to max+10 if omitted.
--mcpScope policy to a specific MCP only (default: all MCPs). Use the MCP name from troxy mcps list.

troxy mcps

Lists all MCP connections on your account, which are connected, last seen, and their agent names. Requires a login session.

troxy mcps list

A means the MCP server is actively connected (heartbeat received recently). A means offline or the key exists but no MCP server is running with it.

To rename the MCP on this machine:

troxy mcps rename --name "my-agent"

The new name appears in your dashboard immediately and is used for all future heartbeats.

troxy pause / resume

Pauses or resumes payment evaluations on this machine's MCP. When paused, all payment requests return BLOCK immediately. Requires a login session.

troxy pause    # block all evaluations
troxy resume   # resume normal evaluation

The paused state is visible in your dashboard (amber dot next to the MCP name). You can also pause/resume from the dashboard by hovering over an MCP and clicking the menu.

troxy activity

Shows recent payment decisions across all your MCPs. Requires a login session.

troxy activity
troxy activity --limit 50      # show more rows (default: 20, max: 200)
troxy activity --mine          # show only decisions made by the MCP on this machine

--mine filters to decisions made by the MCP key configured on this machine via troxy init. Only works on a machine that has an MCP key configured.

troxy insights

Shows a spending and decision summary for a given period. Requires a login session.

troxy insights              # last 30 days
troxy insights --period 7   # last 7 days

Includes total requests, total spend, blocked amount, decision breakdown (ALLOW / BLOCK / ESCALATE / NOTIFY), and top merchants.

troxy pay, simulate a payment

Sends a payment evaluation request directly to Troxy, identical to what your AI agent does. Use this to test your policies. Requires a login session.

troxy pay --merchant "Amazon" --amount 50
troxy pay --merchant "Amazon" --amount 350 --card "Work"
troxy pay --merchant "Delta"  --amount 250 --card "Work" --category travel
OptionRequiredDescription
--merchantYesMerchant name
--amountYesPayment amount in USD
--cardNoCard alias (defaults to "Work")
--categoryNoMerchant category (e.g. software, travel)

The output shows the decision and which policy triggered it:

  ✓ ALLOW  ←  "Always Allow"
  ⏳ ESCALATE  ←  "Work card Amazon spending limits"

troxy rotate-key

Creates a new API key, saves it to ~/.troxy/config.json, and immediately revokes the old one. Requires login.

troxy rotate-key                    # rotate key (old is revoked automatically)
troxy rotate-key --name "new name"  # give the new key a custom name

After rotating, restart the MCP service to pick up the new key:

troxy restart

Example: Block payments over a limit

Block any payment at or above $1,000:

troxy policies create   --name 'Block over $1000'   --action BLOCK   --field amount   --operator gte   --value 1000

Example: Block specific merchant categories

Block payments to gambling sites:

troxy policies create   --name "Block gambling"   --action BLOCK   --field merchant_category   --operator eq   --value gambling

Block payments to a specific merchant:

troxy policies create   --name "Block Roblox"   --action BLOCK   --field merchant_name   --operator eq   --value roblox

Example: Get notified on large purchases

Allow but notify you for any transaction over $200:

troxy policies create   --name "Notify on big spend"   --action NOTIFY   --field amount   --operator gte   --value 200

Example: Require approval for international payments

Hold any non-USD payment until you approve it in the dashboard:

troxy policies create   --name "Escalate non-USD"   --action ESCALATE   --field currency   --operator neq   --value USD

Example: Different policies per agent

In the dashboard, go to Policies → New policy and add two conditions:

Set the match logic to ALL (AND) and action to BLOCK. This policy only fires when that specific agent tries to spend $50 or more, all other agents are unaffected.

The agent_name value must match exactly what you set during troxy init (or what the MCP sends in the heartbeat).

Tip: Policy priority matters. Policies are evaluated top-to-bottom, the first match wins. Drag to reorder them in the dashboard to control precedence.

Example: Tiered policies by amount

Use a single tiered policy instead of three separate ones. In the dashboard, go to Policies → New policy, set action to Tiered by amount, and define your thresholds:

Troxy evaluates thresholds top to bottom and fires the first match. Add as many tiers as needed and reorder freely.

Connecting via MCP

If your MCP client wasn't auto-detected during troxy init, add this manually to your client's config under mcpServers:

{
  "troxy": {
    "command": "npx",
    "args": ["troxy", "mcp"],
    "env": {
      "TROXY_API_KEY": "txy-your-key-here",
      "TROXY_AGENT_NAME": "My Agent"
    }
  }
}

Supported clients: Claude Desktop, Cursor, Windsurf, and any MCP-compatible client.

Config file locations:

evaluate_payment tool

Your agent calls this before initiating any payment. Required fields: card_alias, merchant_name, amount.

{
  "card_alias": "Work",            // a label for which card/budget context to use
  "merchant_name": "Amazon",
  "amount": 49.99,
  "merchant_category": "software", // optional, enables category-based policies
  "currency": "USD",               // optional, defaults to USD
  "agent": "Shopping Bot"          // optional, override the agent name for this call
}
What is card_alias? It's a label you assign to group payments, for example "Work", "Personal", or "Research". You don't need to pre-create it anywhere. Troxy uses it to scope policies and track per-card budgets if you set them up in the dashboard. If you're just getting started, use any consistent string like "Work".

Possible responses and what the agent should do:

DecisionAgent behavior
ALLOWProceed with the payment
BLOCKDo not proceed, inform the user the payment was blocked
NOTIFYProceed with the payment (notification sent to owner)
ESCALATEDo not proceed, wait for human approval in the dashboard, then retry

Auto-start on reboot

troxy init installs a background service that starts automatically at boot.

# Linux, manage the service
sudo systemctl status troxy-mcp
sudo systemctl restart troxy-mcp
sudo systemctl stop troxy-mcp

# View live logs
journalctl -u troxy-mcp -f

# macOS, manage the LaunchAgent
launchctl list | grep troxy
launchctl unload ~/Library/LaunchAgents/ai.troxy.mcp.plist
launchctl load  ~/Library/LaunchAgents/ai.troxy.mcp.plist
Note: On Linux (EC2, VPS), the service is a systemd unit enabled at boot. On macOS, it's a LaunchAgent that starts on login.

Troubleshooting

Dashboard shows "MCP disconnected"

The MCP service isn't running or hasn't sent a heartbeat yet (every 60 seconds).

# Check status
sudo systemctl status troxy-mcp

# Restart
sudo systemctl restart troxy-mcp

# Watch live logs, you should see "[troxy] heartbeat ok" every 60s
journalctl -u troxy-mcp -f

The dashboard dot updates within 60 seconds of the next heartbeat.

Agent name shows as "unknown" in activity

Transactions logged before you set an agent name won't have one. New ones use the name from your config. Edit ~/.troxy/config.json and restart the service.

"No MCP clients detected" during init

Troxy looks for Claude Desktop, Cursor, and Windsurf config files. If none are found, it prints the JSON snippet, paste it into your client's MCP config manually (see Connecting via MCP).

CLI shows "authentication required" or "login required"

troxy login

All CLI commands other than troxy init and troxy status require a login session. Run troxy login to start one.

API key invalid or revoked

If you see "API key invalid or revoked", your saved key is no longer accepted. Generate a new key in the dashboard under API Keys, then reconnect:

troxy init --key txy-your-new-key-here

Service fails to start (wrong binary path)

If journalctl -u troxy-mcp shows "command not found", the service was installed with an incorrect path. Fix it:

troxy uninstall
troxy init --key txy-your-key-here

npm permission error during install

If you see EACCES: permission denied when installing globally:

sudo npm install -g troxy-cli

Update errors

If troxy update fails with a permission error, run sudo troxy update. If it fails with ENOTEMPTY, remove the package manually and reinstall:

sudo rm -rf /opt/homebrew/lib/node_modules/troxy-cli && sudo npm install -g troxy-cli@latest

Check API health

troxy status