Ship AI agents to production. Safely.

PolicyLayer checks every MCP tool call against your policy before it executes, so agents go live fast and can never exceed what you allow.

  • Full audit trail
  • Per-identity grants
  • Human approvals
TAKE YOUR AGENTS LIVE →
No card required. Nothing to host. Book a demo →
LIVE POLICY DECISIONS

  stripe.refund_payment       ALLOW       amount <= 50                   grant: support-agent
  stripe.refund_payment       DENY        amount > 1000                  grant: support-agent
  postgres.execute_sql        ALLOW       pattern: ^SELECT               grant: analyst@acme
  github.merge_pull_request   ALLOW       branch = staging               grant: release-bot
  aws.terminate_instance      DENY        pattern: ^prod-                grant: ci-runner
  aws.terminate_instance      ALLOW       pattern: ^dev-                 grant: ci-runner
  s3.delete_object            RATE-LIMIT  100/min per grant              grant: data-pipeline
  coinbase.send_crypto        ALLOW       amount <= 100 && asset = USDC  grant: payouts-svc

  412 ALLOWED · 9 DENIED · 4 RATE-LIMITED LAST HOUR

Works with Claude Code, Cursor, Codex, and any MCP client

43,000+ MCP SERVERS INDEXED · 220,000+ TOOLS RISK-CLASSIFIED · 12,500+ HIGH-RISK TOOLS IDENTIFIED

PolicyLayer sits between your agents and what they can do.

Security needs to know what agents can do, who approves the risky actions, and what gets logged. PolicyLayer answers all three.

  AGENT (calls tools via MCP)
      │ tool_call
      ▼
  POLICYLAYER (enforces before execution)
      e.g. postgres.run_query  read_only = true  →  ALLOW | DENY | RATE-LIMIT | APPROVE
      │ if allowed
      ▼
  MCP SERVER (Stripe, AWS, Postgres...)
  1. Observe: see what your agents actually do.
     Route real traffic through PolicyLayer. Every call logged and visible, nothing blocked yet.
     [LOGGING]

  2. Enforce: turn what you saw into policy.
     Turn what you observed into deterministic rules: allow, deny, or require a human.
     [ALLOW · DENY · APPROVAL REQUIRED]

  3. Prove: hand security the receipts.
     Export the audit trail and policy evidence for compliance and incident review.
     [AUDIT READY]

Define exactly what each tool call is allowed to do.

Build policies around the fields that matter: amount, branch, environment, SQL text, recipient, customer tier. Allow, deny, rate-limit, or require human approval before execution.

[Screenshot: PolicyLayer dashboard, policy editor for the Stripe MCP server, showing the tool list, allow/deny/hide/custom toggles, and the policy summary sidebar]
Refunds and payouts
Allow refunds under $100. Deny over $1000. Rate-limit payouts to 3 per day per grant.
Production infrastructure
Block deletion of any prod-tagged resource. Allow changes in dev and staging.
Approvals
Require human approval for transfers over $5000, merges to main, or external customer email.
Tool discovery control
Block tools your agents should never discover. New upstream tools never silently become available.

Give each agent exactly the access it needs.

Every agent, person, environment, and workflow gets its own labelled grant, scoped to its own policy. One upstream credential behind them all, and you revoke any single grant without touching the rest.

Per-identity access

Different agents, environments, and people can all run different policies against the same MCP server. One upstream credential, many scoped grants.

Instant revocation

Kill one token immediately without rotating the upstream API key or redeploying every client. Offboard a person or contain an incident in seconds.

Audit by grant

Every decision records which grant made the call, which policy applied, and which rule allowed or denied it. Forensic trail without storing secrets.

Least privilege by default

New grants start with only the tools and actions you explicitly allow. New upstream tools never silently become available to existing agents.

Every decision on the record. Every credential locked down.

Every call logged, every policy versioned. Upstream credentials held in custody you can prove.

Full audit log

Every call recorded with the grant that made it, the outcome, the policy version that decided, and the rule that fired. Append-only: it can't be edited or removed from inside the app.

Versioned policies

Every save is an immutable policy version. Roll back without losing history. Diff what changed, who changed it, and when.

Tool catalogue

Tools auto-discovered from every connected server and surfaced with full schemas. Edit policy directly per tool.

Tokens encrypted at rest

Static API keys and OAuth tokens are stored AES-256-GCM encrypted at the column level and decrypted only on the path to the upstream MCP server.

Credentials never readable after entry

Upstream credentials cannot be read back through the dashboard or API once saved. They never appear in events, logs, or the tokens issued to clients.

Fail-closed

Ambiguous grant, policy, or upstream states resolve to deny, not allow.
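The enforcement model described across the policy section ("Define exactly what each tool call is allowed to do"), the grant section ("Give each agent exactly the access it needs") and the fail-closed note above, as an added Python example written for this page. It is not PolicyLayer's code: the Rule, Grant, Decision and Gateway classes, the rule conditions, the grant tokens and the placeholder upstream credential are all assumptions constructed to mirror the sample decisions shown earlier on the page. The engine evaluates a grant's rules in order, first match wins, denies when nothing matches or the grant is unknown or revoked, enforces a per-grant rate limit, and writes an audit record that names the grant, the policy version and the rule that fired, while the upstream credential is passed only to the upstream call.

```python
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

# Illustrative gateway written for this page. Rule, Grant, Decision, Gateway,
# the grant tokens and the upstream credential are assumptions constructed
# here; they are not PolicyLayer's API, policy format or data.
Args = Dict[str, Any]

@dataclass
class Rule:
    tool: str                                   # tool the rule applies to
    effect: str                                 # ALLOW | DENY | APPROVE | RATE-LIMIT
    label: str                                  # condition text that lands in the audit log
    when: Callable[[Args], bool] = lambda a: True
    per_minute: int = 0                         # RATE-LIMIT only: calls per grant per minute

@dataclass
class Grant:
    name: str                                   # agent, person, environment or workflow
    policy_version: int
    rules: List[Rule]
    revoked: bool = False

@dataclass
class Decision:                                 # one audit-log entry
    outcome: str
    grant: str
    tool: str
    policy_version: Optional[int]
    rule: str                                   # label of the rule that fired

class Gateway:
    """One upstream credential behind many scoped grant tokens."""
    def __init__(self, grants: Dict[str, Grant], upstream_credential: str):
        self._grants = grants                   # opaque grant token -> Grant
        self._credential = upstream_credential  # passed to upstream only, never to audit
        self.audit: List[Decision] = []         # append-only: nothing here edits or removes
        self._buckets: Dict[Tuple[str, str, int], int] = {}

    def revoke(self, token: str) -> None:       # kills one grant; credential and other grants untouched
        self._grants[token].revoked = True

    def check(self, token: str, tool: str, args: Args, now: float = 0.0) -> Decision:
        grant = self._grants.get(token)
        if grant is None or grant.revoked:      # fail closed on unknown or revoked grants
            who, ver = (grant.name, grant.policy_version) if grant else ("unknown", None)
            return self._record(Decision("DENY", who, tool, ver, "no active grant"))
        for rule in grant.rules:                # first matching rule wins
            if rule.tool != tool or not rule.when(args):
                continue
            outcome = rule.effect
            if rule.effect == "RATE-LIMIT":     # fixed one-minute window per grant and tool
                key = (grant.name, tool, int(now // 60))
                self._buckets[key] = self._buckets.get(key, 0) + 1
                outcome = "ALLOW" if self._buckets[key] <= rule.per_minute else "RATE-LIMIT"
            return self._record(Decision(outcome, grant.name, tool, grant.policy_version, rule.label))
        # Nothing matched: deny by default instead of falling through to the upstream.
        return self._record(Decision("DENY", grant.name, tool, grant.policy_version, "no matching rule"))

    def call(self, token: str, tool: str, args: Args,
             upstream: Callable[[str, str, Args], Any], now: float = 0.0):
        # Forward only on ALLOW; an APPROVE decision would park the call for a human instead.
        decision = self.check(token, tool, args, now)
        if decision.outcome != "ALLOW":
            return decision, None
        return decision, upstream(self._credential, tool, args)

    def _record(self, decision: Decision) -> Decision:
        self.audit.append(decision)
        return decision

def read_only_select(a: Args) -> bool:
    # "^SELECT" alone lets "SELECT 1; DROP TABLE t" through on servers that run
    # multiple statements, so statement separators are rejected as well.
    sql = a.get("sql", "")
    return re.match(r"^\s*SELECT\b", sql, re.I) is not None and ";" not in sql

def build_gateway() -> Gateway:
    # Fresh gateway with sample grants; the credential is a constructed placeholder.
    # A missing or non-numeric amount satisfies neither refund rule, so the default DENY applies.
    support = Grant("support-agent", 3, [
        Rule("stripe.refund_payment", "ALLOW", "amount <= 50",
             lambda a: isinstance(a.get("amount"), (int, float)) and a["amount"] <= 50),
        Rule("stripe.refund_payment", "DENY", "amount > 1000",
             lambda a: isinstance(a.get("amount"), (int, float)) and a["amount"] > 1000),
        Rule("stripe.send_email", "APPROVE", "external recipient",
             lambda a: not a.get("to", "").endswith("@acme.example")),
    ])
    analyst = Grant("analyst@acme", 1, [
        Rule("postgres.execute_sql", "ALLOW", "pattern: ^SELECT, no ';'", read_only_select),
    ])
    ci = Grant("ci-runner", 7, [
        Rule("aws.terminate_instance", "DENY", "pattern: ^prod-", lambda a: a.get("name", "").startswith("prod-")),
        Rule("aws.terminate_instance", "ALLOW", "pattern: ^dev-", lambda a: a.get("name", "").startswith("dev-")),
        Rule("s3.delete_object", "RATE-LIMIT", "100/min per grant", per_minute=100),
    ])
    return Gateway({"tok-support": support, "tok-analyst": analyst, "tok-ci": ci},
                   upstream_credential="constructed-upstream-secret-not-a-real-key")
```

Two details matter more than the rest. A refund of 500 matches neither the ALLOW nor the DENY rule and is denied with the audit reason "no matching rule", which is what deny-by-default looks like in practice; if you want the gap to be an approval instead, add an explicit APPROVE rule rather than relying on the fallthrough. And the SQL rule tightens the page's `^SELECT` pattern by rejecting `;`, because a prefix match alone does not make a statement read-only on a server that executes multiple statements. The rate limiter is a fixed window keyed by grant, tool and minute; a sliding window would be the production choice but the per-grant keying is the point.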

Start from pre-built policies for the tools your agents already use.

Pre-classified tools across the MCP servers your agents already use. Start from deny-by-default instead of a blank page.

Questions.

How is this different from system prompts?

A prompt asks your agents to behave. PolicyLayer enforces your rules so they can't misbehave. Every call is checked deterministically against policy before it executes, so a jailbreak or prompt injection can't talk its way past the check. The flip side is that enforcement only covers what the policy expresses: an injected agent can still do anything its grant allows, which is why each grant should be scoped to the minimum that agent needs.

What MCP servers does it work with?

Anything that speaks the MCP protocol: Stripe, GitHub, Postgres, AWS, Slack, Cloudflare, Sentry, Vercel, Linear, Notion, plus self-hosted and community servers. If your client can connect to it over MCP, you can route it through PolicyLayer.

Do I need to change my agent?

No. Point your MCP client at a PolicyLayer URL with a grant token, issued per agent, person, environment, or workflow. Same tools. Same schemas.

How does PolicyLayer handle credentials?

PolicyLayer accepts static API keys or managed OAuth with full discovery, registration, and refresh. We store credentials AES-256-GCM encrypted at the column level, decrypted only on the path to the upstream MCP. Once saved, no one, including us, can read them back through the dashboard or API. They never appear in events, logs, or the tokens issued to clients. Your users and agents authenticate to PolicyLayer with their own scoped tokens, never the raw upstream credential.

Who is this for?

Teams whose AI clients (Claude Code, Cursor, Codex, custom agents) connect to several MCP servers and need per-person access, policy, and an audit trail without building their own gateway. Engineers set it up in minutes. Engineering and security leaders get the control and the record.

How do I get started?

Sign up, register your first MCP server, define a policy, and point your AI client at the PolicyLayer gateway. Most teams have their first policy enforcing in under 10 minutes.

Take your agents live. Without losing control.

Route your MCP traffic through PolicyLayer. Every tool call is checked against your policy before it runs: allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.

Free to start. No card required.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.
