FAQ
Does Tollgate custody funds?
No. Agents approve USDC to the developer's payout address directly on-chain. The settler's hot wallet exists only to pay gas for USDC.transferFrom. If Tollgate ceases operating, developers retain their accepted IOUs and can settle them with any EOA that can call the wrapper contract.
Can I switch chains?
Base (chainId 8453) is the canonical settlement chain. The EIP-712 anchor contract is pre-deployed to the same CREATE2 address on Optimism, Arbitrum, Polygon, and mainnet — cross-chain IOUs will ship after the Base-only launch stabilises.
What happens if the agent revokes allowance?
Settlement fails. The developer adds the agent to its scope-local blacklist so future requests from that address are rejected. The attack is documented in AUDIT_FALSE_POSITIVES.md §8 as an accepted structural risk with multiple defences (graduated trust, exposure caps, allowance sampling).
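The defences named above (graduated trust, exposure caps, allowance sampling, blacklisting after a failed settlement) can be combined into a single acceptance check. The TypeScript below is an added illustration, not Tollgate's code: every name, decision code and cap value is an assumption, and amounts are USDC base units (6 decimals).

```typescript
// Added illustration, not Tollgate's implementation. Names, decision codes
// and the tier schedule are hypothetical. Amounts are USDC base units.
type Decision = "ACCEPT" | "BLACKLISTED" | "OVER_EXPOSURE_CAP" | "ALLOWANCE_TOO_LOW";

interface AgentState {
  address: string;
  settledCount: number;     // IOUs from this agent that settled successfully
  unsettled: bigint;        // accepted but not yet settled (current exposure)
  sampledAllowance: bigint; // most recent on-chain USDC allowance reading
}

// Graduated trust: the exposure cap grows with settlement history.
function exposureCap(settledCount: number): bigint {
  if (settledCount >= 100) return 50000000n; // 50 USDC
  if (settledCount >= 10) return 5000000n;   // 5 USDC
  return 500000n;                            // 0.50 USDC for new agents
}

// Decide whether a developer scope should accept a new IOU of `amount`.
function evaluateIou(agent: AgentState, amount: bigint, blacklist: Set<string>): Decision {
  if (blacklist.has(agent.address.toLowerCase())) return "BLACKLISTED";
  const exposure = agent.unsettled + amount;
  // Exposure cap bounds the loss if the agent revokes before settlement.
  if (exposure > exposureCap(agent.settledCount)) return "OVER_EXPOSURE_CAP";
  // The sampled allowance must cover everything still owed, not just this IOU.
  if (agent.sampledAllowance < exposure) return "ALLOWANCE_TOO_LOW";
  return "ACCEPT";
}

// Call when transferFrom reverts at settlement: blacklist the agent in this scope.
function onSettlementFailure(agent: AgentState, blacklist: Set<string>): void {
  blacklist.add(agent.address.toLowerCase());
}
```

Sampling only narrows the window between the last allowance reading and settlement, so the exposure cap is what limits the loss when an agent revokes inside that window.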
Is my API key a secret?
Yes. Only the hash (HMAC-SHA256(apiKey, developerSalt)) is embedded in the 402 response; the plaintext key stays server-side. If the plaintext key leaks, you must rotate it; Tollgate's dashboard has a one-click rotate flow.
Can I self-host the facilitator?
The code is runtime-agnostic (Workers / Node / Edge) and the schema is in packages/core/src/db/schema.ts. Enterprise tier includes a fully-supported self-hosted path. Hobbyists may run the facilitator on their own Cloudflare Workers account today; the settler requires an on-chain hot wallet.
Do you support ERC-1271 (contract signatures)?
Not at launch. IOUs are rejected with NOT_EOA if the signer has bytecode. A follow-up release will add an opt-in ERC-1271 verifier.