OPEN SOURCE · MCP GATEWAY
NOW SUPPORTING MPP / X402

Control every MCP tool call
your agent makes.

Set budgets, approvals, and hard limits across MCP servers. So your agent can do its job without breaking things.

DENY drop_table blocked — table not in allow-list
AWAIT $4,200 refund held — waiting for human approval
$500/day Agent spend capped — daily limit hit across 3 services
10/hr create_refund throttled — rate limit exceeded
See what your agent can do
or control your agent now
npx -y @policylayer/intercept
Drop-in. No agent changes required.
// THE DIFFERENCE

Same servers. Same tools. One runs through Intercept.

WITHOUT INTERCEPT
STRIPE
create_refund$4,200ALLOW
cancel_subscriptionenterpriseALLOW
transfer_funds$12,000ALLOW
POSTGRES
execute_queryDELETE FROM usersALLOW
drop_tablecustomersALLOW
delete_rowsallALLOW
AWS
terminate_instancesprod-*ALLOW
delete_resourcevpc-mainALLOW
create_deploymentproductionALLOW
Everything goes through. No limits. No audit trail.
WITH INTERCEPT
STRIPE
create_refund$4,200AWAIT
cancel_subscriptionenterpriseDENY
transfer_funds$12,000DENY
POSTGRES
execute_queryDELETE FROM usersDENY
drop_tablecustomersDENY
delete_rowsallDENY
AWS
terminate_instancesprod-*AWAIT
delete_resourcevpc-mainDENY
create_deploymentproductionAWAIT
Every tool call enforced against your policies.
// HOW IT WORKS

Every tool call checked before it runs.

Intercept is a transparent proxy between your agent and the MCP server. Same tools, same schemas — every call evaluated before it executes.

AGENT
Calls tools via MCP
tool_call
INTERCEPT
Evaluates policy
ALLOW DENY AWAIT
if allowed
MCP SERVER
Stripe, AWS, Postgres...
Sub-ms latency Policy checks run in-process. No network calls. Your agent doesn't know it's there.
Fail-closed If Intercept goes down, nothing runs. Your agent doesn't get a free pass.
Full audit trail Every tool call logged: what was called, the decision, which rule fired.
Single binary One Go binary. No runtime. No dependencies. Runs on anything.
// CONFIGURATION

One YAML file defines what your agent can and can't do.

Readable, version-controlled, and hot-reloaded — update rules without restarting anything.

policy.yaml 
version: "1"
default: deny

tools:
  transfer_funds:
    rules:
      - spend_limit: $500/day

  terminate_instances:
    rules:
      - action: require_approval
        approval_timeout: 10m

  execute_query:
    rules:
      - conditions:
          - path: "args.query"
            op: "regex"
            value: "^SELECT"

  create_deployment:
    rules:
      - rate_limit: 5/day

hide:
  - drop_database
  - delete_repository
Deterministic
Not a prompt. Not probabilistic. If the rule says deny, it's denied. Every time.
Stateful
Running counters with sliding windows. Spend limits track cumulative totals across calls, not just per-request.
Conditional
Match on any argument — regex, comparisons, nested paths. As precise as your use case needs.
Deny-by-default
New tools added upstream don't silently become available. You opt in, not out.
// ENFORCEMENT, NOT PROMPTS

Prompts suggest. Policies enforce.

SYSTEM PROMPTS

Ask the agent to behave.

Probabilistic — can be bypassed by injection or reasoning
No memory of previous calls
No spend tracking or rate limiting
No structured audit trail
INTERCEPT

Define what it is allowed to do.

Deterministic — blocked at the transport layer
Stateful counters and sliding windows
Spend caps with hard cutoffs
Every decision logged with the rule that fired
// UNDER THE HOOD

Built for production, not demos.

Deny-by-default

New tools added upstream don't automatically reach the agent. You opt in, not out.

Hot reload

Push a policy change without restarting. Useful when you're tightening limits mid-incident.

Config validation

intercept validate catches policy errors before deployment. No silent misconfigs.

Idempotent enforcement

Prevent duplicate actions from agent retries. Same call within the window skips re-evaluation.

Multi-transport

Stdio and HTTP. Works with local MCP servers and remote endpoints.

Human-in-the-loop

Hold sensitive actions for human approval. One-time use, fingerprinted, audited, with optional webhook notifications.

Spend enforcement

Cap cumulative spend per agent, per tool, or per day. When agents pay via MCP, this is the hard limit between the agent and real money.

Persistent state

Rate limits, spend counters, and approval records persist across restarts. SQLite by default. Redis for multi-instance deployments.

Shadow mode

Evaluate every call without enforcing. See what would have been blocked before you go live.

// POLICY LIBRARY

Starter policies for 3,000+ MCP servers.

Pre-classified tools across 18,000+ endpoints. Know what's dangerous before your agent does.

Stripe
27 tools

12 write · 3 destructive · 12 read

VIEW POLICY →
AWS
55 tools

22 write · 8 destructive · 25 read

VIEW POLICY →
Supabase
32 tools

14 write · 5 destructive · 13 read

VIEW POLICY →
GitHub
34 tools

15 write · 4 destructive · 15 read

VIEW POLICY →
PagerDuty
62 tools

28 write · 6 destructive · 28 read

VIEW POLICY →
Postgres
12 tools

4 write · 3 destructive · 5 read

VIEW POLICY →
BROWSE ALL POLICIES →
// FAQ

Questions.

What is Intercept? +

An open-source MCP gateway that controls every tool call before it executes. It sits between your agent and the MCP server as a transparent proxy. You define rules in YAML — what to block, rate limit, cap, or hold for approval. One line change in your MCP config. No agent modifications.

What MCP servers does it work with? +

Any MCP server, including third-party ones you don't control. Stripe, AWS, Postgres, GitHub, Supabase, PagerDuty — if it speaks MCP, Intercept can sit in front of it. The policy library has starter templates for 3,000+ servers.

Do I need to change my agent? +

No. One line change in your MCP config. The agent sees the same tools and the same schemas. Intercept is transparent — it only becomes visible when a rule fires.

How is this different from system prompts? +

Prompts tell the agent what it should do. Intercept defines what it is allowed to do. You can't cap spend with a prompt. You can't make a tool genuinely read-only with a prompt. With Intercept, either the call is within policy or it isn't. Deterministic, not probabilistic.

Is it open source? +

Yes. Intercept is fully open source under the Apache 2.0 licence. Single Go binary, no dependencies, no vendor lock-in. Run it anywhere.

What doesn't Intercept cover? +

Intercept governs tool calls that pass through the proxy. It does not govern direct API calls outside the MCP path, model reasoning, or actions taken by tools after they receive the forwarded call. If traffic bypasses the proxy, Intercept has no visibility.

policylayer/intercept

Control every MCP tool call
your agent makes.

Set budgets, approvals, and hard limits across MCP servers.

See what your agent can do
or control your agent now
npx -y @policylayer/intercept
Drop-in. No agent changes required.
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.