// EVERY TOOL CALL, CHECKED BEFORE IT RUNS

Ship AI agents. Control every action.

Allow, require approval or deny every MCP tool call before it reaches the real world.

No SDK requiredNo infrastructure to deployLive policy changes
release-agent
support-agent
ops-agent
POLICYLAYER
stripe.refund_payment
REQUIRE APPROVAL
GitHub
Stripe
AWS
WORKS WITH THE MCP CLIENTS YOU ALREADY USE
Claude Code
Cursor
Codex
GitHub Copilot
VS Code
Gemini

Models cannot enforce their own rules.

So PolicyLayer sits outside the model and judges every call at the point where intent becomes action:

01
Identify the caller
Every person, agent, environment or workflow gets its own grant. One upstream credential, many attributable identities.
02
Evaluate the action
Policy inspects the exact tool and its arguments before execution. Allow it, deny it, hide it, rate-limit it or require approval.
03
Prove the decision
Every verdict records the grant, policy version, matching rule and upstream result, without retaining argument values in ordinary logs.

Observe first. Enforce when ready.

Connect a server without changing the agent, watch real calls arrive, then turn observed behaviour into policy.

01

Choose a server

Pick a known MCP server or paste any HTTP endpoint.

02

Connect your client

Use the proxy URL and grant token PolicyLayer generates.

03

Govern real traffic

Apply policy directly from what your agents actually call.

STRIPE · OBSERVEEXAMPLE WORKSPACE · LAST 24 HOURS
42CALLS
3TOOLS SEEN
1INTERVENTION
2GRANTS
12:41:23 refund_payment support-production APPROVAL
12:41:19 get_customer support-production ALLOW
12:39:04 create_payout billing-production DENY
12:37:51 list_invoices support-production ALLOW
refund_payment
Choose what should happen the next time this tool is called.
ALLOWAPPROVEDENYCUSTOM

Decide exactly what can run.

Policy evaluates the tool, caller and arguments. The same request produces the same decision every time.

refunds-productionEXAMPLE WORKSPACE · STRIPE · POLICY VERSION 12
SAVE POLICY
12ALLOW
3APPROVE
4DENY
6HIDE
2CUSTOM
get_customer
Retrieve a customer record by identifier.
ALLOWAPPROVEDENYHIDECUSTOM
refund_payment
Refund a payment to the original payment method.
ALLOWAPPROVEDENYHIDECUSTOM
ALLOW when args.amount ≤ 100 · APPROVE when args.amount > 100 per grant · 10/day
create_payout
Create a payout to an external bank account.
ALLOWAPPROVEDENYHIDECUSTOM
delete_customer
Permanently remove a customer object.
ALLOWAPPROVEDENYHIDECUSTOM

Separate who acts from who decides.

Issue scoped grants to people and agents. Hold consequential actions until an authorised human approves them.

GRANTSEXAMPLE WORKSPACE · STRIPE
support-agent Stripe support-production ACTIVE
alice@company Stripe finance-reviewer ACTIVE
billing-workflow Stripe billing-production ACTIVE
staging-agent Stripe staging-open ACTIVE
APPROVAL REQUIRED2 MINUTES AGO
stripe.refund_payment Requested by support-agent under refunds-production
amount$1,250
currencyUSD
customercus_82K4
reasonduplicate
APPROVE CALL DENY

Every action judged against policy.

Nothing executes without a verdict. The evidence writes itself: who called, which policy version decided, why it was allowed or stopped, and what happened upstream.

POLICYLAYER / ENFORCEMENT DECISIONDEC_84F1 · 12:41:23.151
ACTION REQUESTED
support-agent called stripe.refund_payment
VERIFIED IDENTITY
service:support-agent
ACTIVE GRANT
support-production
ARGUMENTS INSPECTED
amount: 425 · currency: USD
MATCHED POLICY
refunds-production · v12 · amount > 100
POLICY DECISION
REQUIRE APPROVAL
ENFORCEMENT STATUS
RELEASED AFTER APPROVAL
HUMAN REVIEW Alice · policy_manager  /  Approved · 12:41:23.151
IMMUTABLE DECISION RECORD EXAMPLE 02 / 03
Attributable by design Every call resolves to a named grant before policy runs.
Immutable policy versions Past decisions remain tied to the exact rules that made them.
Redacted by default Argument keys and matching rules are retained. Argument values are excluded from ordinary logs.

Every credential locked down.

AES-256-GCM AT REST

Upstream credentials encrypted at the column level, decrypted only on the path to the upstream server.

NOT RETRIEVABLE AFTER ENTRY

Once saved, credentials cannot be retrieved through the dashboard or API. They are decrypted only when PolicyLayer calls the upstream server.

FAIL-CLOSED

Ambiguous grant, policy or upstream states resolve to deny, not allow.

APPEND-ONLY AUDIT LOG

The audit record cannot be edited or removed from inside the app.

Start from known risk, not a blank policy.

PolicyLayer’s Registry continuously classifies public MCP servers and their tools. Use that intelligence as the starting point, then tune policy to your own workflows.

Stripe MCP ServerREGISTRY RECORD · CHECKED CONTINUOUSLY
B
27TOOLS CLASSIFIED
9ELEVATED RISK
OAUTHAUTH POSTURE
list_customers ALLOW
refund_payment APPROVAL
create_payout DENY
delete_customer HIDE

Questions.

How is this different from system prompts? +

A prompt asks an agent to follow rules. PolicyLayer enforces rules on its MCP tool calls. Every call is checked deterministically before execution, so prompt injection cannot bypass the policies governing that action.

What MCP servers does it work with? +

Anything that speaks the MCP protocol: Stripe, GitHub, Postgres, AWS, Slack, Cloudflare, Sentry, Vercel, Linear, Notion, plus self-hosted and community servers. If your client can connect to it over MCP, you can route it through PolicyLayer.

Do I need to change my agent? +

No. Point your MCP client at a PolicyLayer URL with a grant token, issued per agent, person, environment, or workflow. Same tools. Same schemas.

How does PolicyLayer handle credentials? +

PolicyLayer supports static API keys and managed OAuth. Credentials are encrypted with AES-256-GCM and decrypted only when calling the upstream MCP server. They are never exposed in client tokens, events or logs, and cannot be retrieved through the dashboard or API after saving.

Who is this for? +

Teams whose AI clients (Claude Code, Cursor, Codex, custom agents) connect to several MCP servers and need per-person access, policy, and an audit trail without building their own gateway. Engineers set it up themselves and keep the control. The decision record is simply there when leadership asks.

How do I get started? +

Sign up, connect an MCP server, create a scoped grant and policy, then point your MCP client at PolicyLayer.

Take your agents live. Keep every action under control.

Connect an MCP server, issue a scoped grant and enforce your first policy. No SDK or infrastructure to deploy.

No code required.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.