Set rules your AI agents can't ignore.

PolicyLayer is the hosted gateway for your MCP servers. One scoped token per person and agent. Deterministic rules on every tool call, enforced before it runs.

SET YOUR FIRST RULE →
From signup to enforced policy in about 5 minutes. Free to start. No card required. Nothing to host.
LIVE POLICY DECISIONS
stripe.refund_payment      ALLOW       amount <= 50                   grant: support-agent
stripe.refund_payment      DENY        amount > 1000                  grant: support-agent
postgres.execute_sql       ALLOW       pattern: ^SELECT               grant: analyst@acme
github.merge_pull_request  ALLOW       branch = staging               grant: release-bot
aws.terminate_instance     DENY        pattern: ^prod-                grant: ci-runner
aws.terminate_instance     ALLOW       pattern: ^dev-                 grant: ci-runner
s3.delete_object           RATE-LIMIT  100/min per grant              grant: data-pipeline
coinbase.send_crypto       ALLOW       amount <= 100 && asset = USDC  grant: payouts-svc
412 ALLOWED · 9 DENIED · 4 RATE-LIMITED IN THE LAST HOUR

Works with Claude Code, Cursor, Codex, and any MCP client

43,000+ MCP SERVERS INDEXED 220,000+ TOOLS RISK-CLASSIFIED 12,500+ DESTRUCTIVE TOOLS IDENTIFIED

Agents got the keys. Nobody set the rules.

MCP made it easy to hand agents real systems: code, data, payments, infrastructure. The protocol itself has no authorization layer and no audit trail: nothing in it decides what an agent is allowed to do, and nothing records what it did. Tool annotations such as read-only or destructive hints are advisory, and a prompt is not control. Enforcement has to sit at the execution boundary, where the call is actually made.

If the server is in their config, your agents can:

Delete repositories (code)
Issue refunds (payments)
Drop production tables (data)
Terminate live servers (infrastructure)
Disable user accounts (identity)
Email your customers (communications)
Transfer funds (banking)
Delete backups (storage)
Read production secrets (secrets)

PolicyLayer puts a gate in front of every one of them.

PolicyLayer sits between agents and what they can change.

Register a server, attach a policy, point your client at the gateway URL. Nothing to deploy, no platform team required — your agents keep their tools; you decide what each call can do.

AGENT (calls tools via MCP)
  --- tool_call --->
POLICYLAYER (enforces before execution, e.g. postgres.run_query with read_only = true; outcome: ALLOW, DENY, RATE-LIMIT or APPROVE)
  --- if allowed --->
MCP SERVER (Stripe, AWS, Postgres...)

01. Register server
Add Stripe, GitHub, Postgres, Slack, AWS, or any other MCP server.
02. Define policy
Set defaults, rate limits, denials, approvals, hidden tools, and argument-level conditions.
03. Issue grants
Give each person, agent, CI job, or environment its own scoped token tied to a named policy.
04. Connect client
Paste the PolicyLayer proxy URL into your MCP client config. Agents keep the same tools. PolicyLayer enforces your rules before calls execute.

Stop sharing one upstream credential across every agent.

Each agent, person, environment, and workflow gets its own labelled grant. Attach different policies. Revoke any one without breaking the rest.

Per-identity access

Different agents, environments, and people can all run different policies against the same MCP server. One upstream credential, many scoped grants.

Instant revocation

Kill one token immediately without rotating the upstream API key or redeploying every client. Offboard a person or contain an incident in seconds.

Audit by grant

Every decision records which grant made the call, which policy applied, and which rule allowed or denied it. Forensic trail without storing secrets.

Least privilege by default

New grants start with only the tools and actions you explicitly allow. New upstream tools never silently become available to existing agents.

Define exactly what each tool call is allowed to do.

Build policies around the fields that matter — amount, branch, environment, SQL text, recipient, customer tier. Allow, deny, rate-limit, or require human approval before execution.

[Screenshot: PolicyLayer dashboard, policy editor for the Stripe MCP server, showing the tool list, allow/deny/hide/custom toggles, and the policy summary sidebar]
Refunds and payouts
Allow refunds under $100. Deny over $1000. Rate-limit payouts to 3 per day per grant.
Production infrastructure
Block deletion of any prod-tagged resource. Allow changes in dev and staging.
Approvals
Require human approval for transfers over $5000, merges to main, or external customer email.
Hidden tools
Hide tools your agents should never discover. Deny-by-default for any new upstream tool.
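To make the enforcement model above concrete (the live decisions panel, the argument-level rules, deny-by-default for new upstream tools, and fail-closed handling), here is an added example of a policy gate in Python. It is not PolicyLayer's code and does not use its rule syntax; the Rule and Policy classes, the bearer-token-to-grant layout, the tool names, the tokens, the policy version numbers and the sample calls are all assumptions made up for this illustration. It evaluates each tool call against an ordered rule list with argument-level conditions, counts rate limits per grant with a sliding window, sends unmatched tools (including any the upstream adds later) to the policy default, appends one audit event per decision, and fails closed on an unknown token, a missing policy, malformed arguments, or a condition it cannot evaluate.

```python
from __future__ import annotations

import re
import time
from collections import defaultdict, deque, namedtuple
from dataclasses import dataclass
from typing import Any, Callable

# One audit event per call: which grant called, which policy version and rule decided, why.
Decision = namedtuple("Decision", "outcome grant policy policy_version rule_id reason")

@dataclass(frozen=True)
class Rule:
    rule_id: str
    tool: str                                      # upstream tool, e.g. "stripe.refund_payment"
    effect: str                                    # allow | deny | rate_limit | approve
    when: Callable[[dict], bool] = lambda a: True  # argument-level condition
    limit: tuple[int, float] = (0, 0.0)            # (max calls, window seconds), rate_limit only

@dataclass(frozen=True)
class Policy:
    name: str
    version: int
    rules: tuple[Rule, ...]   # in order; the first rule whose tool and condition match decides
    default: str = "deny"     # unmatched calls, including tools the upstream adds later

class PolicyGate:
    def __init__(self, grants: dict[str, tuple[str, str]], policies: dict[str, Policy]):
        self._grants = grants          # bearer token -> (grant label, policy name); assumed layout
        self._policies = policies
        self._windows: dict[tuple[str, str], deque[float]] = defaultdict(deque)
        self.events: list[Decision] = []   # append-only decision log

    def _emit(self, *fields: Any) -> Decision:
        self.events.append(Decision(*fields))
        return self.events[-1]

    def evaluate(self, token: str, tool: str, args: Any, now: float | None = None) -> Decision:
        """Decide one tool call before it is forwarded; only ALLOW should reach the upstream."""
        now = time.monotonic() if now is None else now
        grant = self._grants.get(token)
        if grant is None:              # unknown or revoked token: fail closed
            return self._emit("DENY", "<unknown>", None, None, "fail-closed", "unknown grant")
        label, pname = grant
        policy = self._policies.get(pname)
        if policy is None or not isinstance(args, dict):
            return self._emit("DENY", label, pname, None, "fail-closed", "missing policy or bad args")
        for r in (r for r in policy.rules if r.tool == tool):
            try:
                if not r.when(args):
                    continue
            except Exception as exc:   # condition unevaluable (missing or mistyped field): fail closed
                return self._emit("DENY", label, pname, policy.version, "fail-closed", f"{r.rule_id}: {exc!r}")
            if r.effect == "rate_limit":
                max_calls, window = r.limit
                q = self._windows[(label, r.rule_id)]   # sliding window, counted per grant
                while q and now - q[0] >= window:
                    q.popleft()
                if len(q) >= max_calls:
                    return self._emit("RATE-LIMIT", label, pname, policy.version, r.rule_id, "limit exceeded")
                q.append(now)
                return self._emit("ALLOW", label, pname, policy.version, r.rule_id, "within limit")
            outcome = {"allow": "ALLOW", "deny": "DENY", "approve": "APPROVE"}[r.effect]
            return self._emit(outcome, label, pname, policy.version, r.rule_id, "matched")
        return self._emit(policy.default.upper(), label, pname, policy.version, "default", "no rule matched")

# Sample policies mirroring the rules shown on this page; tokens and names are made up.
SUPPORT = Policy("support-agent-policy", 3, (
    Rule("refund-small", "stripe.refund_payment", "allow", lambda a: a["amount"] <= 50),
    Rule("refund-large", "stripe.refund_payment", "deny", lambda a: a["amount"] > 1000),
    Rule("payout-daily", "stripe.create_payout", "rate_limit", limit=(3, 86400.0)),
))
OPS = Policy("ops-policy", 7, (
    Rule("no-prod-terminate", "aws.terminate_instance", "deny", lambda a: re.match(r"^prod-", a["instance"]) is not None),
    Rule("dev-terminate", "aws.terminate_instance", "allow", lambda a: re.match(r"^dev-", a["instance"]) is not None),
    Rule("transfer-approval", "bank.transfer_funds", "approve", lambda a: a["amount"] > 5000),
))
GATE = PolicyGate({"tok-support": ("support-agent", SUPPORT.name), "tok-ci": ("ci-runner", OPS.name)},
                  {SUPPORT.name: SUPPORT, OPS.name: OPS})

def demo() -> list[tuple[str, str]]:
    calls = [  # constructed sample calls; returns (outcome, rule_id) for each
        ("tok-support", "stripe.refund_payment", {"amount": 25}),
        ("tok-support", "stripe.refund_payment", {"amount": 500}),      # between thresholds: default deny
        ("tok-support", "stripe.refund_payment", {"amount": 5000}),
        ("tok-support", "stripe.refund_payment", {"currency": "usd"}),  # amount missing: fail closed
        ("tok-support", "postgres.execute_sql", {"sql": "SELECT 1"}),   # tool not in policy: default deny
        ("tok-ci", "aws.terminate_instance", {"instance": "prod-db-1"}),
        ("tok-ci", "aws.terminate_instance", {"instance": "dev-web-3"}),
        ("tok-ci", "bank.transfer_funds", {"amount": 9000}),
        ("tok-revoked", "aws.terminate_instance", {"instance": "dev-web-3"}),
    ]
    return [(d.outcome, d.rule_id) for d in (GATE.evaluate(t, tool, a) for t, tool, a in calls)]

def rate_limit_demo() -> list[str]:
    """Three payouts per day per grant: the fourth is rate-limited, one a day later is allowed."""
    gate = PolicyGate({"tok-pay": ("payouts-svc", SUPPORT.name)}, {SUPPORT.name: SUPPORT})
    return [gate.evaluate("tok-pay", "stripe.create_payout", {"amount": 10}, now=t).outcome
            for t in (0.0, 1.0, 2.0, 3.0, 86400.0)]
```

Two details worth noticing when writing rules like the ones on this page: a refund of 500 matches neither "under 50" nor "over 1000", so it lands on the policy default, which is why the default must be deny rather than allow; and a call whose arguments lack the field a condition reads is denied as fail-closed rather than treated as a non-match, so a client cannot slip past an amount check by omitting the amount. The decision record carries the grant label, policy version and rule id but never the upstream credential, which is the shape of audit event the page describes.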

Visibility and rollback across every server you run.

Tool catalogue

Every server's tools are auto-discovered via the upstream's tools/list call and surfaced in the dashboard with their full schemas. Edit policy directly per tool.

Full audit log

Every call recorded with the grant that made it, the outcome, the policy version that decided, and the rule path that fired. Append-only. Filter by server, grant, or outcome.

Versioned policies

Every save creates an immutable policy version. Roll back without losing history. Diff what changed, who changed it, and when.

Production-grade credential custody.

Tokens encrypted at rest

Static API keys and OAuth tokens stored AES-256-GCM encrypted at the column level, decrypted only on the path to the upstream MCP.

Write-only after entry

Upstream credentials cannot be read back through the dashboard or API once saved. They never appear in events, logs, or the bearer tokens issued to clients.

Fail-closed

Ambiguous grant, policy, or upstream states resolve to deny, not allow.

Append-only events

Decision events and policy versions are append-only by design. The audit log you build can't be edited or removed from inside the app.

Start from known-risk tool policies.

Pre-classified tools across the MCP servers your agents already use. Start from deny-by-default instead of a blank page.

Questions.

How is this different from system prompts?

A prompt asks your agents to behave. PolicyLayer enforces your rules so they can't misbehave. Every call is evaluated before execution.

What MCP servers does it work with?

Anything that speaks the MCP protocol — Stripe, GitHub, Postgres, AWS, Slack, Cloudflare, Sentry, Vercel, Linear, Notion — plus self-hosted and community servers. If your client can connect to it over MCP, you can route it through PolicyLayer.

Do I need to change my agent?

No. Your MCP client connects to a PolicyLayer URL with a grant token — issued per agent, person, environment, or workflow. Same tools. Same schemas.

How does PolicyLayer handle credentials?

PolicyLayer accepts static API keys or managed OAuth with full discovery, registration, and refresh. We store credentials AES-256-GCM encrypted at the column level, decrypted only on the path to the upstream MCP. Once saved, no one — including us — can read them back through the dashboard or API. They never appear in events, logs, or the tokens issued to clients. Your users and agents authenticate to PolicyLayer with their own scoped tokens, never the raw upstream credential.

Who is this for?

Teams whose AI clients — Claude Code, Cursor, Codex, custom agents — connect to several MCP servers, and who want per-person access, policy, and an audit trail without building gateway infrastructure themselves. Engineers set it up in minutes; engineering and security leaders get the control and the record.

How do I get started?

Sign up at app.policylayer.com, register your first upstream MCP server, define a policy, and point your AI client at the PolicyLayer gateway. Most teams have their first policy enforcing in under 10 minutes.

Let agents act without letting them run wild.

Route your MCP servers through PolicyLayer and every tool call is checked against your policy before it runs — allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.

Free to start. No card required.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.