MCP POLICY ENFORCEMENT

Control what AI agents can do in production.

PolicyLayer enforces your rules on every MCP tool call before agents can touch payments, infrastructure, code, data, or customer operations.

We are onboarding teams running MCP in production.
LIVE POLICY DECISIONS
stripe.refund_payment       DENY         amount > 1000
aws.terminate_instance      DENY         pattern: ^prod-
stripe.create_charge        ALLOW        amount <= 500
postgres.execute_sql        DENY         pattern: DROP|TRUNCATE
github.merge_pull_request   ALLOW        branch = staging
coinbase.send_crypto        DENY         amount > 5000
s3.delete_object            RATE-LIMIT   100/min per grant
github.force_push           DENY         branch = main
42 ALLOWED · 14 DENIED · 6 RATE-LIMITED LAST HOUR

Works wherever your agent connects through MCP

AI agents are getting root access to the economy.

They can move money, reconfigure infrastructure, merge code, query private data, and contact customers through tools. Prompts are not control. Enforcement has to sit at the execution boundary.

Agent actions now carry real blast radius.

Payments:        stripe.refund_payment (destructive), shopify.create_payout (mutating), coinbase.list_transactions (read)
Infrastructure:  aws.terminate_instance (destructive), cloudflare.update_dns (mutating), vercel.list_deployments (read)
Code:            github.force_push (destructive), gitlab.merge_request (mutating), linear.list_issues (read)
Data:            postgres.drop_table (destructive), supabase.execute_sql (mutating), mongodb.list_collections (read)
Communications:  slack.delete_channel (destructive), sendgrid.send_email (mutating), intercom.list_users (read)
SaaS Admin:      okta.disable_account (destructive), atlassian.modify_project (mutating), notion.list_pages (read)

PolicyLayer sits between agents and what they can change.

Drop PolicyLayer into your MCP request path. Your agents keep their tools. You keep control.

AGENT (calls tools via MCP)
  -- tool_call -->
POLICYLAYER (enforces before execution: ALLOW / DENY / RATE-LIMIT / APPROVE)
  -- if allowed -->
MCP SERVER (Stripe, AWS, Postgres...)

01 Register server: Add Stripe, GitHub, Postgres, Slack, AWS, or any other MCP server.
02 Define policy: Set defaults, rate limits, denials, approvals, hidden tools, and argument-level conditions.
03 Issue grants: Give each person, agent, CI job, or environment its own scoped token tied to a named policy.
04 Connect client: Paste the PolicyLayer proxy URL into your MCP client config. Agent keeps the same tools. PolicyLayer enforces your rules before calls execute.

Stop sharing one upstream credential across every agent.

Each agent, person, environment, and workflow gets its own labelled grant. Attach different policies. Revoke any one without breaking the rest.

Per-identity access

Different agents, environments, and people can all run different policies against the same MCP server. One upstream credential, many scoped grants.

Instant revocation

Kill one token immediately without rotating the upstream API key or redeploying every client. Offboard a person or contain an incident in seconds.

Audit by grant

Every decision records which grant made the call, which policy applied, and which rule allowed or denied it. Forensic trail without storing secrets.

Least privilege by default

New grants start with only the tools and actions you explicitly allow. New upstream tools never silently become available to existing agents.
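The grant model this section describes (one upstream credential, many labelled grants each bound to a named policy version, instant revocation of a single grant, audit by grant, deny-by-default for tools a policy never listed) as an added Python example. This is not PolicyLayer's code: the token format, policy shape, tool names, the sample credential and the event fields are all constructed for the illustration.

```python
"""Scoped grants in front of a single upstream credential (constructed example).

Models: one upstream credential, many grant tokens each tied to a policy
version; revoking one grant without touching the others or the upstream key;
deny-by-default for tools the policy does not list; fail-closed on unknown or
revoked tokens; an append-only decision log that records grant, policy version
and rule but never the secret. Everything here is constructed, not product code.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class PolicyVersion:
    name: str
    version: int
    allowed_tools: FrozenSet[str]   # explicit allow-list; anything else is denied


@dataclass
class Grant:
    label: str                      # who or what holds it, e.g. "ci-deploy-bot"
    policy: PolicyVersion
    revoked: bool = False


class GrantGateway:
    def __init__(self, upstream_credential: str):
        self._upstream = upstream_credential    # lives only here, never returned to callers
        self._grants: Dict[str, Grant] = {}     # keyed by token hash; raw tokens are never stored
        self._events: List[dict] = []           # append-only: no update or delete method exists

    @staticmethod
    def _token_id(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()[:16]

    def issue(self, label: str, policy: PolicyVersion) -> str:
        """Mint a scoped bearer token for one identity and bind it to a policy version."""
        token = "pl_" + secrets.token_urlsafe(24)   # constructed token format
        self._grants[self._token_id(token)] = Grant(label, policy)
        return token

    def revoke(self, token: str) -> bool:
        """Kill one grant immediately; other grants and the upstream key are untouched."""
        grant = self._grants.get(self._token_id(token))
        if grant is None:
            return False
        grant.revoked = True
        return True

    def authorize(self, token: str, tool: str) -> bool:
        """Decide one tool call for the presented token and record the decision."""
        tid = self._token_id(token)
        grant = self._grants.get(tid)
        # Fail-closed: an unknown or revoked grant resolves to deny, never allow.
        if grant is None or grant.revoked:
            self._record(tid, grant.label if grant else "<unknown>", None, tool, "DENY", "no-valid-grant")
            return False
        if tool in grant.policy.allowed_tools:
            self._record(tid, grant.label, grant.policy, tool, "ALLOW", "explicit-allow")
            return True
        # Least privilege: a tool the policy never listed (including one that
        # appeared upstream after the grant was issued) is denied, not silently allowed.
        self._record(tid, grant.label, grant.policy, tool, "DENY", "default-deny")
        return False

    def upstream_auth_for(self, token: str, tool: str) -> Optional[Dict[str, str]]:
        """Attach the upstream credential only on the path to the MCP server, and only after ALLOW."""
        if not self.authorize(token, tool):
            return None
        return {"Authorization": "Bearer " + self._upstream}

    def _record(self, tid, label, policy, tool, decision, rule):
        self._events.append({
            "grant_id": tid, "grant": label, "tool": tool, "decision": decision, "rule": rule,
            "policy": policy.name if policy else None,
            "policy_version": policy.version if policy else None,
        })

    def events(self) -> List[dict]:
        return list(self._events)   # a copy: readers cannot edit the log

    def log_mentions_secret(self, *tokens: str) -> bool:
        """True if the upstream credential or any raw token leaked into the event log."""
        blob = repr(self._events)
        return self._upstream in blob or any(t in blob for t in tokens)
```

Two design points worth noticing: the log is keyed by a token hash so a dumped audit trail is useless for replaying calls, and the upstream secret is only ever concatenated into a header after `authorize` returned true, so there is no code path that reaches the upstream with a denied or revoked grant.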

Define exactly what each tool call is allowed to do.

Build policies around the fields that matter — amount, branch, environment, SQL text, recipient, customer tier. Allow, deny, rate-limit, or require human approval before execution.

[Screenshot: PolicyLayer dashboard — policy editor for the Stripe MCP server, showing tool list, allow/deny/hide/custom toggles, and the policy summary sidebar]
Refunds and payouts
Allow refunds under $100. Deny over $1000. Rate-limit payouts to 3 per day per grant.
Production infrastructure
Block deletion of any prod-tagged resource. Allow changes in dev and staging.
Approvals
Require human approval for transfers over $5000, merges to main, or external customer email.
Hidden tools
Hide tools your agents should never discover. Deny-by-default for any new upstream tool.
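The rule kinds described here and in the LIVE POLICY DECISIONS list above (argument-level conditions on amount, branch, environment and SQL text; allow, deny, rate-limit and approve outcomes; hidden tools; deny-by-default for any tool the policy does not mention) as an added Python example of how such an evaluator can work. It is not PolicyLayer's code or policy format: the rule structure, rule labels, field names (`amount`, `instance_id`, `env`, `sql`, `branch`) and the sample calls are constructed, and the choice to route refunds between $100 and $1000 to human approval is a constructed gap-filler, not something the page states.

```python
"""Argument-level policy evaluation for MCP tool calls (constructed example).

A minimal evaluator for the rule kinds the page lists: allow, deny, approve,
per-grant rate limits, argument conditions, hidden tools, and deny-by-default
for unmatched tools. Rule format, labels and sample calls are constructed.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

ALLOW, DENY, RATE_LIMIT, APPROVE = "ALLOW", "DENY", "RATE-LIMIT", "APPROVE"


def always(args: dict) -> bool:
    return True


@dataclass
class Rule:
    tool: str                                   # e.g. "stripe.refund_payment"
    effect: str                                 # ALLOW / DENY / APPROVE / RATE-LIMIT
    condition: Callable[[dict], bool] = always  # predicate over the call's arguments
    label: str = "unnamed"                      # recorded as the rule that fired
    limit: int = 0                              # RATE-LIMIT only: calls per window per grant
    window_s: int = 60                          # RATE-LIMIT only: window length in seconds


@dataclass
class Policy:
    version: int
    rules: List[Rule]                               # ordered; first matching rule wins
    hidden: Set[str] = field(default_factory=set)   # tools agents must never see or call


class Evaluator:
    def __init__(self, policy: Policy):
        self.policy = policy
        # (grant, tool) -> timestamps of recent allowed calls, for sliding-window limits
        self._recent: Dict[Tuple[str, str], deque] = defaultdict(deque)

    def visible_tools(self, upstream_tools: List[str]) -> List[str]:
        """Filter the upstream tools/list so hidden tools never reach the agent."""
        return [t for t in upstream_tools if t not in self.policy.hidden]

    def evaluate(self, grant: str, tool: str, args: dict, now: float) -> Tuple[str, str]:
        """Return (decision, rule_label) for one call; unmatched tools are denied."""
        if tool in self.policy.hidden:
            return DENY, "hidden-tool"
        for rule in self.policy.rules:
            if rule.tool != tool or not rule.condition(args):
                continue
            if rule.effect != RATE_LIMIT:
                return rule.effect, rule.label
            # Rate limit counted per grant, so one busy agent cannot spend another's budget.
            q = self._recent[(grant, tool)]
            while q and now - q[0] >= rule.window_s:
                q.popleft()
            if len(q) >= rule.limit:
                return RATE_LIMIT, rule.label
            q.append(now)
            return ALLOW, rule.label
        # Deny-by-default: any tool the policy never mentions, including tools
        # that appear upstream after the policy was written, is not allowed.
        return DENY, "default-deny"


# Small condition builders so rules read like the page's one-line summaries.
def amount_over(n):
    return lambda a: a.get("amount", 0) > n

def amount_under(n):
    return lambda a: a.get("amount", 0) < n

def matches(field_name, pattern):
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda a: rx.search(str(a.get(field_name, ""))) is not None

def equals(field_name, value):
    return lambda a: a.get(field_name) == value


# Constructed policy mirroring the decisions listed on the page.
SAMPLE_POLICY = Policy(
    version=7,
    hidden={"postgres.drop_table"},
    rules=[
        Rule("stripe.refund_payment", DENY, amount_over(1000), "refund-over-1000"),
        Rule("stripe.refund_payment", ALLOW, amount_under(100), "refund-under-100"),
        Rule("stripe.refund_payment", APPROVE, label="refund-needs-review"),   # $100..$1000: constructed choice
        Rule("stripe.create_charge", ALLOW, lambda a: a.get("amount", 0) <= 500, "charge-up-to-500"),
        Rule("aws.terminate_instance", DENY, matches("instance_id", r"^prod-"), "no-prod-terminate"),
        Rule("aws.terminate_instance", ALLOW, lambda a: a.get("env") in ("dev", "staging"), "nonprod-terminate"),
        Rule("postgres.execute_sql", DENY, matches("sql", r"DROP|TRUNCATE"), "no-ddl"),
        Rule("postgres.execute_sql", ALLOW, label="sql-allowed"),
        Rule("github.merge_pull_request", APPROVE, equals("branch", "main"), "main-merge-approval"),
        Rule("github.merge_pull_request", ALLOW, equals("branch", "staging"), "staging-merge"),
        Rule("shopify.create_payout", RATE_LIMIT, label="payouts-3-per-day", limit=3, window_s=86400),
    ],
)
```

Rule order matters: the evaluator stops at the first matching rule, so a deny placed above an allow for the same tool wins, and a tool with no rule at all (or a call whose arguments satisfy none of its rules) falls through to `default-deny` rather than to the upstream server.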

Run policy across your fleet.

Tool catalogue

Every server's tools are auto-discovered via the upstream's tools/list and surfaced in the dashboard with full schemas. Edit policy directly per tool.

Full audit log

Every call recorded with the grant that made it, the outcome, the policy version that decided, and the rule path that fired. Append-only. Filter by server, grant, or outcome.

Versioned policies

Every save creates an immutable policy version. Roll back without losing history. Diff what changed, who changed it, and when.

Built to hold production credentials.

Tokens encrypted at rest

Static API keys and OAuth tokens are stored AES-256-GCM encrypted at the column level and decrypted only on the path to the upstream MCP server.

Write-only after entry

Upstream credentials cannot be read back through the dashboard or API once saved. They never appear in events, logs, or the bearer tokens issued to clients.

Fail-closed

Ambiguous grant, policy, or upstream states resolve to deny, not allow.

Append-only events

Decision events and policy versions are append-only by design. The audit log you build can't be edited or removed from inside the app.

Start from known-risk tool policies.

Pre-classified tools across the MCP servers your agents already use. Start from deny-by-default instead of a blank page.

Questions.

What MCP servers does it work with?

Anything that speaks the MCP protocol — Stripe, GitHub, Postgres, AWS, Slack, Cloudflare, Sentry, Vercel, Linear, Notion — plus self-hosted and community servers. If your client can connect to it over MCP, you can route it through PolicyLayer.

Do I need to change my agent?

No. Your MCP client connects to a PolicyLayer URL with a grant token — issued per agent, person, environment, or workflow. Same tools. Same schemas.

How is this different from system prompts?

A prompt asks your agents to behave. PolicyLayer enforces your rules so they can't misbehave. Every call is evaluated before execution.

How does PolicyLayer handle credentials?

PolicyLayer accepts static API keys or managed OAuth with full discovery, registration, and refresh. We store credentials AES-256-GCM encrypted at the column level, decrypted only on the path to the upstream MCP. Once saved, no one — including us — can read them back through the dashboard or API. They never appear in events, logs, or the tokens issued to clients. Your users and agents authenticate to PolicyLayer with their own scoped tokens, never the raw upstream credential.

Who is this for?

Teams running multiple MCP servers in production: AI engineers, platform engineers, security teams, and technical leaders who need deterministic control over agent actions.

When can I get access?

We're onboarding teams now. After you sign up, expect to hear from us within a week. We're prioritising teams running 5+ MCP servers in production.

Let agents act without letting them run wild.

Deterministic policy on every MCP tool call. Per-identity grants. Full audit log.

Currently onboarding teams running MCP in production.
// GET IN TOUCH

Have a question or want to learn more? Send us a message.


// REQUEST EARLY ACCESS

We're letting people in as fast as we can.
