MCP POLICY ENFORCEMENT

Control what your production agents can do through MCP.

One enforcement layer across every MCP server your agents reach. Deterministic policy on every tool call. Per-person access. Full audit log.

We're rolling out invites in batches.

LIVE POLICY DECISIONS

stripe.refund_payment: DENY (amount > 1000)
aws.terminate_instance: DENY (pattern: ^prod-)
stripe.create_charge: ALLOW (amount <= 500)
postgres.execute_sql: DENY (pattern: DROP|TRUNCATE)
stripe.create_payout: RATE-LIMIT (3/day per grant)
github.merge_pull_request: ALLOW (branch = staging)
github.delete_repository: DENY (environment = production)
coinbase.send_crypto: DENY (amount > 5000)

42 ALLOWED · 14 DENIED · 6 RATE-LIMITED LAST HOUR

AI agents are getting root access to the economy.

They are moving capital, reconfiguring infrastructure, rewriting production systems, and triggering real-world operations at machine speed. But the industry is relying on probabilistic prompts to protect deterministic systems.

PolicyLayer is the missing control plane. Every MCP call is evaluated at the transport boundary before it reaches the system it can change.

AGENT (calls tools via MCP) -> tool_call -> POLICYLAYER (evaluates policy: ALLOW / DENY / RATE-LIMIT) -> if allowed -> MCP SERVER (Stripe, AWS, Postgres...)

Hosted gateway: Sign in, register your servers, and route clients through PolicyLayer. No infrastructure to run.
Imperceptible latency: Policy evaluates in microseconds. The extra hop is the same shape as any API gateway already in your stack.
Auth handled: Static API keys stored encrypted, or managed OAuth with discovery, registration, and refresh.
No client changes: Paste the proxy URL into your existing MCP client config. No SDK install, no code change.
Per-person access: Each person or agent gets a scoped token. Revoke instantly. Rotate without redeploys.
Audit log: Every tool call recorded with the decision and the policy path that fired.

Prompts suggest. PolicyLayer enforces.

SYSTEM PROMPTS

Ask the agent to behave.

Probabilistic
Can be ignored or injected past
No shared state
No hard spend controls
No audit-grade log

POLICYLAYER

Define what it can do.

Deterministic
Stateful
Spend caps and rate limits
Evaluated before execution
Full audit log

Register a server. Define policy. Issue grants.

PolicyLayer is the control plane for your MCP traffic. Add your upstream server, define what agents are allowed to do, issue per-person access, and paste the proxy URL into Claude Code, Cursor, Windsurf, Codex, or Gemini. The agent keeps the same tool schemas — PolicyLayer decides which calls reach the server.

01 Register server: Add Stripe, GitHub, Postgres, Slack, AWS, or any other MCP server.
02 Define policy: Set defaults, rate limits, spend caps, denials, hidden tools, and argument-level conditions.
03 Issue grants: Give each person, agent, or environment a scoped token tied to a named policy.
04 Connect client: Paste the proxy URL into your MCP client config.

A visual editor for what your agents can do.

For every tool, decide what can run, who can run it, and under what conditions. Match on arguments like amounts, environments, branches, query patterns, and recipients.

[Screenshot: PolicyLayer dashboard policy editor for the Stripe MCP server, showing the tool list, allow/deny/hide/custom toggles, and the policy summary sidebar]

Deterministic: Rules execute outside the model. If a call violates policy, it never reaches the upstream server.
Stateful: Running counters for rate limits, quotas, and spend caps — across calls, grants, and servers.
Argument-aware: Match fields like amount, branch, namespace, SQL text, recipient, or environment.
Deny-by-default: New upstream tools don't reach the agent. You opt in, not out.
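
The four properties above, applied to some of the sample decisions near the top of this page, as an added illustration that is not PolicyLayer's code or policy format: a minimal in-memory evaluator that denies by default, matches on arguments, keeps per-grant counters, and denies when an argument is missing or mistyped. The rule layout and the argument names amount, instance_id and sql are assumptions.

```python
import re
import time
from collections import defaultdict, deque

# Constructed rule table modelled on the sample decisions shown on this page.
# Argument names and the rule layout are assumptions for illustration only.
RULES = {
    "stripe.refund_payment": {"deny_if": lambda a: a["amount"] > 1000},
    "stripe.create_charge": {"deny_if": lambda a: a["amount"] > 500},
    "aws.terminate_instance": {"deny_if": lambda a: re.search(r"^prod-", a["instance_id"])},
    # Case-insensitive matching is a choice made in this example.
    "postgres.execute_sql": {"deny_if": lambda a: re.search(r"DROP|TRUNCATE", a["sql"], re.I)},
    "stripe.create_payout": {"limit": 3, "window": 86400},  # 3/day per grant
}

class Gateway:
    def __init__(self, rules, clock=time.time):
        self.rules, self.clock = rules, clock
        self.calls = defaultdict(deque)  # (grant, tool) -> times of allowed calls
        self.audit = []                  # one record per decision, only appended to

    def decide(self, grant, tool, args):
        decision, rule_path = self._evaluate(grant, tool, args)
        self.audit.append({"grant": grant, "tool": tool,
                           "decision": decision, "rule": rule_path})
        return decision

    def _evaluate(self, grant, tool, args):
        rule = self.rules.get(tool)
        if rule is None:
            return "DENY", "default"      # deny-by-default: no rule, no call
        try:
            if "deny_if" in rule and rule["deny_if"](args):
                return "DENY", "deny_if"
        except (KeyError, TypeError):
            return "DENY", "fail_closed"  # missing or mistyped argument
        if "limit" in rule:
            now, seen = self.clock(), self.calls[(grant, tool)]
            while seen and now - seen[0] >= rule["window"]:
                seen.popleft()            # drop calls outside the window
            if len(seen) >= rule["limit"]:
                return "RATE-LIMIT", "limit"
            seen.append(now)
        return "ALLOW", "rule"
```

The decision is computed from the rule table and counters alone, so the same call with the same state always gets the same answer, and every answer leaves an audit record naming the rule path that produced it.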

Run policy across your fleet.

Tool catalogue

Every server's tools auto-discovered via the upstream's tools/list and surfaced in the dashboard with full schemas. Edit policy directly per tool.

Per-person grants

Each person or agent gets a labelled bearer token attached to a named policy. Different grants on the same server can run different policies. Revoke any grant without touching the others.

Decision feed

Every call recorded with the grant that made it, the outcome, the policy version that decided, and the rule path that fired. Filter by server, grant, or outcome.

Versioned policies

Every save creates an immutable policy version. Roll back without losing history. Diff what changed, who changed it, and when.

Built to hold production credentials.

Tokens encrypted at rest

Static API keys and OAuth tokens stored AES-256-GCM encrypted at the column level, decrypted only on the path to the upstream MCP.

Write-only after entry

Upstream credentials cannot be read back through the dashboard or API once saved. They never appear in events, logs, or the bearer tokens issued to clients.

Fail-closed

Ambiguous grant, policy, or upstream states resolve to deny, not allow.

Append-only events

Decision events and policy versions are append-only by design. The audit log you build can't be edited or removed from inside the app.

Starter policies for 3,000+ MCP servers.

Pre-classified tools across thousands of MCP endpoints. Know what's dangerous before your agents do.

Questions.

What MCP servers does it work with?

Anything that speaks the MCP protocol — Stripe, GitHub, Postgres, AWS, Slack, Cloudflare, Sentry, Vercel, Linear, Notion — plus self-hosted and community servers. If your client can connect to it over MCP, you can route it through PolicyLayer.

Do I need to change my agent?

No. Your MCP client connects to a PolicyLayer URL with a grant token — issued per person or per agent. Same tools. Same schemas.

How is this different from system prompts?

Prompts ask the agent to behave. PolicyLayer decides what it can do. Every call is evaluated at the transport boundary, before it reaches the upstream server.

How does PolicyLayer handle credentials?

PolicyLayer accepts static API keys or managed OAuth with full discovery, registration, and refresh. We store credentials AES-256-GCM encrypted at the column level, decrypted only on the path to the upstream MCP. Once saved, no one — including us — can read them back through the dashboard or API. They never appear in events, logs, or the tokens issued to clients. Your users and agents authenticate to PolicyLayer with their own scoped tokens, never the raw upstream credential.

Who is this for?

Teams running multiple MCP servers in production: AI engineers, platform engineers, security teams, and technical leaders who need deterministic control over agent actions.

When can I get access?

We're onboarding teams now. After you sign up, expect to hear from us within a week. We're prioritising teams running 5+ MCP servers in production.

How much does it cost?

Free during the initial launch phase.

Control what your agents can do through MCP.

Get the gateway. Get the dashboard. Get the audit log.

We're prioritising teams running 5+ MCP servers in production.