Allow, require approval or deny every MCP tool call before it reaches the real world.
So PolicyLayer sits outside the model and judges every call at the point where intent becomes action:
Connect a server without changing the agent, watch real calls arrive, then turn observed behaviour into policy.
Pick a known MCP server or paste any HTTP endpoint.
Use the proxy URL and grant token PolicyLayer generates.
Apply policy directly from what your agents actually call.
Policy evaluates the tool, caller and arguments. The same request produces the same decision every time.
args.amount ≤ 100 · APPROVE when args.amount > 100 per grant · 10/day Issue scoped grants to people and agents. Hold consequential actions until an authorised human approves them.
stripe.refund_payment Requested by support-agent under refunds-production Nothing executes without a verdict. The evidence writes itself: who called, which policy version decided, why it was allowed or stopped, and what happened upstream.
Upstream credentials encrypted at the column level, decrypted only on the path to the upstream server.
Once saved, credentials cannot be retrieved through the dashboard or API. They are decrypted only when PolicyLayer calls the upstream server.
Ambiguous grant, policy or upstream states resolve to deny, not allow.
The audit record cannot be edited or removed from inside the app.
PolicyLayer’s Registry continuously classifies public MCP servers and their tools. Use that intelligence as the starting point, then tune policy to your own workflows.
A prompt asks an agent to follow rules. PolicyLayer enforces rules on its MCP tool calls. Every call is checked deterministically before execution, so prompt injection cannot bypass the policies governing that action.
Anything that speaks the MCP protocol: Stripe, GitHub, Postgres, AWS, Slack, Cloudflare, Sentry, Vercel, Linear, Notion, plus self-hosted and community servers. If your client can connect to it over MCP, you can route it through PolicyLayer.
No. Point your MCP client at a PolicyLayer URL with a grant token, issued per agent, person, environment, or workflow. Same tools. Same schemas.
PolicyLayer supports static API keys and managed OAuth. Credentials are encrypted with AES-256-GCM and decrypted only when calling the upstream MCP server. They are never exposed in client tokens, events or logs, and cannot be retrieved through the dashboard or API after saving.
Teams whose AI clients (Claude Code, Cursor, Codex, custom agents) connect to several MCP servers and need per-person access, policy, and an audit trail without building their own gateway. Engineers set it up themselves and keep the control. The decision record is simply there when leadership asks.
Sign up, connect an MCP server, create a scoped grant and policy, then point your MCP client at PolicyLayer.
Connect an MCP server, issue a scoped grant and enforce your first policy. No SDK or infrastructure to deploy.
No code required.