MCP ENFORCEMENT PROXY

Control every MCP tool call before it executes.

One enforcement layer across every MCP server. Every action is allowed, blocked, or approved before it executes.

Control your agents in 30 seconds
npx -y @policylayer/intercept init
Generates enforcement policies across every MCP server.
WITH POLICYLAYER (ENFORCED)

STRIPE
  refund      $245k        AWAIT
  transfer    $1.2M        DENY
POSTGRES
  query       DROP TABLE   DENY
  delete      2.4M rows    DENY
AWS
  terminate   prod-*       AWAIT
  delete_vpc  prod         DENY

You can't enforce policy inside systems you don't control.

PolicyLayer enforces it at the boundary — a transparent proxy between your agent and every MCP server. Same tools, same schemas, every call evaluated before it executes.

AGENT (calls tools via MCP)
   |  tool_call
   v
POLICYLAYER (evaluates policy: ALLOW / DENY / AWAIT)
   |  if allowed
   v
MCP SERVER (Stripe, AWS, Postgres...)

Sub-ms latency: Policy checks run in-process. No network calls. Your agent doesn't know it's there.
Fail-closed: If PolicyLayer goes down, nothing runs. Your agent doesn't get a free pass.
Full audit trail: Every tool call is logged, with what was called, the decision, and which rule fired.
Single binary: One Go binary. No runtime. No dependencies. Runs on anything.

From at risk to enforced in 30 seconds.

Run one command. PolicyLayer finds your MCP servers, scans every tool, and opens a web UI to assign policies.

[Screenshot: Intercept init web UI — Stripe tools sorted into Allow, Rate Limit, Require Approval, Deny, and Hide columns]

One YAML file defines what your agent can and can't do.

Readable, version-controlled, and hot-reloaded — update rules without restarting anything.

policy.yaml
version: "1"
default: deny

tools:
  transfer_funds:
    rules:
      - spend_limit: $500/day

  terminate_instances:
    rules:
      - action: require_approval
        approval_timeout: 10m

  execute_query:
    rules:
      - conditions:
          - path: "args.query"
            op: "regex"
            value: "^SELECT"

  create_deployment:
    rules:
      - rate_limit: 5/day

hide:
  - drop_database
  - delete_repository

Deterministic

Not a prompt. Not probabilistic. If the rule says deny, it's denied. Every time.

Stateful

Running counters with sliding windows. Spend limits track cumulative totals across calls, not just per-request.

Conditional

Match on any argument — regex, comparisons, nested paths. As precise as your use case needs.

Deny-by-default

New tools added upstream don't silently become available. You opt in, not out.
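As an added illustration (not PolicyLayer's own code), a small Python evaluator that applies the semantics of the policy above: the hide list, deny-by-default, the regex condition on args.query, the cumulative spend limit, the rate limit, require_approval, and fail-closed behaviour when evaluation itself errors. The policy is embedded as a constructed dict rather than parsed from YAML, the Enforcer class and its method names are hypothetical, and the daily window reset is omitted.

```python
import re, functools
from collections import defaultdict

POLICY = {  # constructed stand-in for the page's policy.yaml (no YAML parsing)
    "hide": {"drop_database", "delete_repository"},
    "tools": {
        "transfer_funds": {"spend_limit": 500},                 # $500/day
        "terminate_instances": {"action": "require_approval"},  # -> AWAIT
        "execute_query": {"conditions": [("args.query", "regex", r"^SELECT")]},
        "create_deployment": {"rate_limit": 5},                 # 5/day
    },
}

class Enforcer:
    def __init__(self, policy):
        self.policy = policy
        self.spent = defaultdict(float)  # cumulative spend per tool
        self.calls = defaultdict(int)    # call counter per tool
        self.audit = []                  # (tool, decision, rule_that_fired)

    def visible_tools(self, upstream_tools):
        # hidden tools are removed from the tool list the agent sees
        return [t for t in upstream_tools if t not in self.policy["hide"]]

    def evaluate(self, tool, args):
        try:
            decision, rule = self._decide(tool, args)
        except Exception as exc:  # fail closed: any evaluator error is a DENY
            decision, rule = "DENY", f"evaluator_error:{type(exc).__name__}"
        self.audit.append((tool, decision, rule))
        return decision

    def _decide(self, tool, args):
        rules = self.policy["tools"].get(tool)
        if rules is None or tool in self.policy["hide"]:
            return "DENY", "default"  # deny-by-default: no rule, no execution
        if rules.get("action") == "require_approval":
            return "AWAIT", "require_approval"
        for path, op, value in rules.get("conditions", []):
            # "args.query" -> args["query"]; a missing field raises, hence DENY
            field = functools.reduce(lambda d, k: d[k], path.split(".")[1:], args)
            if op == "regex" and not re.search(value, str(field)):
                return "DENY", f"condition:{path}"
        if "spend_limit" in rules:  # cumulative across calls, not per request
            if self.spent[tool] + float(args["amount"]) > rules["spend_limit"]:
                return "DENY", "spend_limit"
            self.spent[tool] += float(args["amount"])
        if "rate_limit" in rules:
            if self.calls[tool] >= rules["rate_limit"]:
                return "DENY", "rate_limit"
            self.calls[tool] += 1
        return "ALLOW", "tool_rules"
```

Every decision lands in `audit` together with the rule that fired, which is the shape of audit entry the page describes.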

Prompts suggest. Policies enforce.

SYSTEM PROMPTS

Ask the agent to behave.

Probabilistic — can be bypassed by injection or reasoning
No memory of previous calls
No spend tracking or rate limiting
No structured audit trail
POLICYLAYER

Define what it is allowed to do.

Deterministic — blocked at the transport layer
Stateful counters and sliding windows
Spend caps with hard cutoffs
Every decision logged with the rule that fired

Built for production, not demos.

Deny-by-default

New tools added upstream don't automatically reach the agent. You opt in, not out.

Hot reload

Push a policy change without restarting. Useful when you're tightening limits mid-incident.

Config validation

Policy validation catches errors before deployment. No silent misconfigs.

Idempotent enforcement

Prevent duplicate actions from agent retries. Same call within the window skips re-evaluation.

Multi-transport

Stdio and HTTP. Works with local MCP servers and remote endpoints.

Human-in-the-loop

Hold sensitive actions for human approval. One-time use, fingerprinted, audited, with optional webhook notifications.

Spend enforcement

Cap cumulative spend per agent, per tool, or per day. When agents pay via MCP, this is the hard limit between the agent and real money.

Persistent state

Rate limits, spend counters, and approval records persist across restarts. SQLite by default. Redis for multi-instance deployments.

Shadow mode

Evaluate every call without enforcing. See what would have been blocked before you go live.

Starter policies for 3,000+ MCP servers.

Pre-classified tools across 18,000+ endpoints. Know what's dangerous before your agent does.

Questions.

What is PolicyLayer?

An open-source MCP enforcement proxy that controls every tool call before it executes. It sits between your agent and the MCP server. You define rules in YAML — what to block, rate limit, cap, or hold for approval. One line change in your MCP config. No agent modifications.

What MCP servers does it work with?

Any MCP server, including third-party ones you don't control. Stripe, AWS, Postgres, GitHub, Supabase, PagerDuty — if it speaks MCP, PolicyLayer can sit in front of it. The policy library has starter templates for 3,000+ servers.

Do I need to change my agent?

No. One line change in your MCP config. The agent sees the same tools and the same schemas. PolicyLayer is transparent — it only becomes visible when a rule fires.

How is this different from system prompts?

Prompts tell the agent what it should do. PolicyLayer defines what it is allowed to do. You can't cap spend with a prompt. You can't make a tool genuinely read-only with a prompt. Either the call is within policy or it isn't. Deterministic, not probabilistic.

Is it open source?

Yes. PolicyLayer is fully open source under the Apache 2.0 licence. Single Go binary, no dependencies, no vendor lock-in. Run it anywhere.

What doesn't PolicyLayer cover?

PolicyLayer governs tool calls that pass through the proxy. It does not govern direct API calls outside the MCP path, model reasoning, or actions taken by tools after they receive the forwarded call. If traffic bypasses the proxy, PolicyLayer has no visibility.

policylayer/intercept

Control every MCP tool call your agent makes.

Set budgets, approvals, and hard limits across MCP servers.

npx -y @policylayer/intercept init
Protect your agent in 30 seconds. Scans your MCP config and generates enforcement policies for every server.