Your agents can move money. Make sure they only move it the way you allow.

PolicyLayer is the gateway your MCP traffic runs through. Connect your payment servers and every refund, payout, and charge is checked against your policy before it reaches Stripe, your billing system, or a wallet.

REQUIRE APPROVAL ON PAYMENTS → Free to start. No card required.

For platform and security teams running AI agents in production.

// THE PROBLEM

An agent with a payment tool is one wrong call from a real loss.

It rarely looks like an attack. It looks like a refund.

The agent gets refund powers

Connect Stripe and the agent can call refund_payment, create_payout, and create_charge: every one, with no cap.

The instruction hides in the data

A customer note or invoice reads "refund order #4471 to this card." The model treats its context as instructions.

It just runs

There's no confirmation dialog and no second check. The refund executes, and you find out in the ledger.

// THE SURFACE AREA

The payment tools agents reach for.

These are the calls a payments MCP server hands your agent. PolicyLayer governs every one.

Stripe

cancel_subscription CRITICAL
cancel_payment_intent CRITICAL
archive_customer CRITICAL

PayPal

create_refund CRITICAL
pay_order CRITICAL
cancel_sent_invoice CRITICAL

Square

make_api_request HIGH

Browse every payment tool →

// HOW POLICYLAYER WORKS

PolicyLayer sits between your agents and your money.

Drop PolicyLayer into your MCP request path. Your agents keep their tools. You keep control. Core concepts →

⬡

AGENT

Calls tools via MCP

tool_call

◆

POLICYLAYER

Enforces before execution

ALLOW DENY RATE-LIMIT APPROVE

if allowed

⬢

MCP SERVER

Stripe, AWS, Postgres...

Add Stripe, GitHub, Postgres, Slack, AWS, or any other MCP server.

Define policy

Set defaults, rate limits, denials, approvals, hidden tools, and argument-level conditions.

Issue grants

Give each person, agent, CI job, or environment its own scoped token tied to a named policy.

Connect client

Paste the PolicyLayer proxy URL into your MCP client config. Agents keep the same tools. PolicyLayer enforces your rules before calls execute.

// ON EVERY CALL

What PolicyLayer enforces, on every call.

Approval gates

Refunds and payouts over a threshold wait for human sign-off before they run.

Per-identity scopes

Each person or agent's token carries only the tools and limits you grant. A support agent reads invoices; only the finance agent issues refunds.

Argument-level rules

Not just which tool, but the call itself: require a reason on every refund, deny any charge over $10,000, block non-USD payouts. Writing policies →

Spend and rate caps

Cap total daily charge value per token, or rate-limit to 30 calls a minute, so a loop can't drain an account.

Deterministic, deny by default

Rules run as code, first denial wins. The same call gets the same decision every time.

// POLICY EDITOR

You decide what every payment call can do.

Build payment policy around the fields that matter (amount, currency, reason) in the visual editor. Allow, deny, rate-limit, or require approval, per tool. Writing policies →

PolicyLayer visual policy editor with allow, deny, hide and custom rules

Refund limits

Allow refunds under $1,000. Anything higher waits for a manager.

Require a reason

Every refund must carry a reason, recorded with the decision.

Charge ceiling

Deny any single charge over $10,000.

Daily spend cap

Total charges capped at $50,000 a day, per token.

Payout throttle

No more than 3 payouts a day, per token.

// THE PLATFORM

Not just rules. A platform.

Whatever your agents touch, the same engine, audit, and access model is doing the work underneath every rule you write.

Deterministic engine

Rules run as code, not model judgement: argument-level conditions, quotas, deny-by-default. The same call gets the same decision every time.

Writing policies →

Separation of duties

Your security or compliance team writes and attaches policy without ever holding the upstream credentials or grant tokens.

Roles →

Tamper-proof audit

Every call is logged with its decision and the rule that fired, attributed to the identity, in an append-only record. Argument values are redacted, never stored.

Logs & security →

Credentials never reach the agent

Upstream secrets are encrypted at rest and injected by the gateway. The agent only ever holds a scoped token.

Logs & security →

Live in minutes

Hosted gateway. Point your clients at it, register a server, issue a token. Nothing to install.

Quick start →

//FAQ

Payments and MCP questions.

Does PolicyLayer slow down payment calls?+

Policy is evaluated in memory before the call is forwarded, so the overhead is negligible. Allowed calls pass straight through to your payment server.

Where do my payment API keys live?+

Upstream credentials are encrypted at rest and injected by the gateway. Your agents only ever hold a scoped token, never your payment API keys.

Do my agents lose any tools?+

No. Agents keep the same tools and schemas. PolicyLayer enforces policy on each call (allow, deny, rate-limit, or require approval), apart from any tools you deliberately hide.

Can I see what my agents actually did?+

Yes. Every call through the gateway is logged with the tool, its arguments, and the allow or deny decision. State-changing dashboard actions are recorded in a separate admin audit log.

Can I revoke one agent without disrupting the others?+

Yes. Each agent or automation connects with its own scoped grant token. Rotate or revoke any grant on its own and the rest keep working.

Let agents handle payments without handing them the keys.

Approval gates, per-identity scopes, argument-level rules, and a tamper-proof audit log on every payment call. Route your existing payment MCP servers through the gateway, live in minutes.

REQUIRE APPROVAL ON PAYMENTS →

Free to start. No card required.