# PolicyLayer

> PolicyLayer is the hosted control plane for production MCP. It enforces customer-defined rules on every MCP tool call — allow, deny, rate-limit, or require human approval — before agents can touch payments, infrastructure, code, data, or customer operations. Customers define the rules. PolicyLayer enforces them at the execution boundary.

*Ship AI agents to production. Safely.* PolicyLayer checks every MCP tool call against your policy before it runs. No gateway to build or maintain.

Three primitives: **deterministic enforcement**, **per-identity grants**, **full audit trail**.

## Get started

- **Dashboard / sign up:** https://app.policylayer.com/?utm_source=agent_view&utm_medium=index_md — register a server, define a policy, issue a scoped token, and point your MCP client at the PolicyLayer URL.
- **Quick start:** https://policylayer.com/docs — connect your first agent in a few minutes.
- **Book a demo:** https://policylayer.com/demo

## What PolicyLayer does

- Sits between AI agents and the MCP servers they call.
- Evaluates every tool call against deterministic policy before it reaches the upstream server.
- Builds policies around the fields that matter: amount, branch, environment, SQL text, recipient, customer tier. A rule can allow, deny, rate-limit, or require human approval before execution.
- Issues scoped grants per agent, person, environment, or workflow — each grant attaches to its own policy, revocable without touching the rest.
- Brokers one upstream credential behind every grant, held in custody you can prove.
- Records every decision (the grant, the policy version, the rule that fired) in an append-only audit log.

## Why prompts are not control

A system prompt asks an agent to behave; it cannot enforce. A prompt is probabilistic — the agent can ignore, misinterpret, or be injected past it. PolicyLayer evaluates tool calls at the transport boundary: a denied call never reaches the upstream server, regardless of what the model decides. Prompts cannot cap spend. Prompts cannot make a tool genuinely read-only. PolicyLayer can.

## Reading this site as an agent

Every docs, blog, attack, and glossary page is available as clean markdown — append `.md` to the URL. The key product pages mirror the same way (see below). For the full machine-readable map see [/llms.txt](https://policylayer.com/llms.txt); for the entire site's content in one bounded file see [/llms-full.txt](https://policylayer.com/llms-full.txt).

## Product

- [MCP Gateway](https://policylayer.com/mcp-gateway) — markdown: https://policylayer.com/mcp-gateway.md
- [MCP Security](https://policylayer.com/mcp-security) — markdown: https://policylayer.com/mcp-security.md
- [Pricing](https://policylayer.com/pricing) — markdown: https://policylayer.com/pricing.md
- [Homepage](https://policylayer.com) — control plane positioning, live decision feed
- [Docs](https://policylayer.com/docs) — quick start, core concepts, writing policies, roles, upstream auth (each page + `.md`)
- [Solutions](https://policylayer.com/solutions) — use cases by domain and by agent type
- [Security](https://policylayer.com/security) — how the gateway handles credentials, headers, and customer data
- [About](https://policylayer.com/about) — manifesto

## Free tools

- [MCP Security Scanner](https://policylayer.com/scan) — shows every tool an AI agent can access, by risk (`npx policylayer scan`)
- [MCP Tool Reference](https://policylayer.com/tools) — searchable index of MCP tools across thousands of servers
- [MCP Incident Database](https://policylayer.com/mcp-incidents) — known MCP CVEs, disclosures, exploitation reports

## Research and reference

- [The State of MCP Security](https://policylayer.com/research/state-of-mcp) — audit of 4,000+ servers, 30,000+ tools
- [MCP Attack Database](https://policylayer.com/attacks) — attack classes, each page + `.md`
- [Blog](https://policylayer.com/blog) — MCP security, policy enforcement, agent control (each post + `.md`)
- [Glossary](https://policylayer.com/glossary) — MCP and agent-governance definitions (each term + `.md`)
