Runtime policy enforcement

Govern agent actions before they reach production

A single evaluate API: enforce rules on structured payloads, route human decisions with full auditability, and integrate with your stack via webhooks—without embedding policy in every service.

Early access

Product updates only. Unsubscribe anytime once we send mail.

Request shape

POST /api/v1/evaluate
{
  "policy_name": "payments-default",
  "context": {
    "agent_id": "invoice-bot",
    "payload_scope": { "amount": 12000, "currency": "USD" }
  },
  "webhook_url": "https://you.example/hooks/agent-nexus"
}

Optional webhook for approval and terminal events. Full reference in OpenAPI.

Why teams adopt a governance API

Production agents touch money, data, and customer trust. Scattered conditionals in each service do not scale—you lose consistent rules, clear accountability, and tenant isolation. A dedicated runtime centralizes policy, approvals, and evidence.

  • One enforced place for go / no-go decisions
  • Human gates with roles and tiers—not informal chat threads
  • Audit trails, webhooks, and exports your security team can review
  • Key-bound tenancy: workspace from the API key, not client-supplied IDs

How it works

Configure workspaces and policies in the product UI; agents call one evaluate endpoint. Tenancy is derived from the API key.

  1. Workspace & team

    Invite admins, developers, and approvers. Roles control who configures rules and who can approve.

  2. Policies

    Templates or advanced JSON: routing, tiers, optional approval timeouts, and optional GitHub sync.

  3. API keys

    Mint keys per environment. Each key maps to exactly one workspace.

  4. Evaluate & audit

    POST evaluate with policy name and payload. Outcomes, audit, analytics, and optional compliance exports.

System overview

How everything connects

Agents call one endpoint; configuration and evidence stay in one boundary.

[Diagram] AgentNexusAPI architecture: Control Plane (policies, roles, API keys, audit UI), Decision Engine with POST /v1/evaluate, Execution in your systems, Human Approval (email, Slack, Teams), immutable Audit, and optional Webhook.

One evaluate path: tenancy from the API key, policy at request time, humans on your channels, optional integrator webhooks when approval is needed or a run completes, and a durable audit trail.

Optional MCP gateway for tool-based clients; REST for everything else. Governance runtime—not a secrets vault—between agents and production systems.

Platform capabilities

Designed for teams that need defensible controls without rebuilding auth and routing from scratch.

Policy engine

Conditional rules on payload_scope with priorities, approval routes, multi-stage flows, and OTP tiers when required.

Single contract

One evaluate shape: policy name, agent context, structured payload—fits orchestrators and services.

RBAC by design

Workspace-scoped roles for configuration, approval, and audit. Optional enterprise SAML or OAuth for dashboard access.

Key-bound tenancy

Workspaces are inferred from API keys; integrations avoid cross-tenant mistakes.
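
An illustration of key-bound tenancy, added here and not AgentNexusAPI's own code: the workspace is resolved from the API key alone, policies are looked up inside that workspace, and a body that carries its own tenant ID is rejected. The key values, workspace and policy IDs, the `workspace_id`/`tenant_id` field names and the reject-on-sight behaviour are assumptions made for this sketch.

```python
import hashlib
import hmac

def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

# Constructed sample data: only key digests are stored, each bound to exactly one workspace.
KEY_TO_WORKSPACE = {
    _digest("demo-key-staging"): "ws-staging",
    _digest("demo-key-prod"): "ws-prod",
}
# Policies are stored per workspace, so the same name can exist in several tenants.
POLICIES = {
    ("ws-staging", "payments-default"): "pol-staging-1",
    ("ws-prod", "payments-default"): "pol-prod-7",
}
TENANT_FIELDS = {"workspace_id", "tenant_id"}  # hypothetical field names

class AuthError(Exception):
    """Raised when the presented API key is not recognised."""

def resolve_workspace(api_key: str) -> str:
    presented = _digest(api_key)
    for stored, workspace in KEY_TO_WORKSPACE.items():
        if hmac.compare_digest(stored, presented):
            return workspace
    raise AuthError("unknown API key")

def evaluate(api_key: str, body: dict) -> dict:
    workspace = resolve_workspace(api_key)  # tenancy comes from the credential only
    context = body.get("context", {})
    supplied = sorted(TENANT_FIELDS & (body.keys() | context.keys()))
    if supplied:
        # Design choice of this sketch: reject rather than silently ignore.
        raise ValueError(f"client-supplied tenant fields not accepted: {supplied}")
    policy_id = POLICIES.get((workspace, body["policy_name"]))
    if policy_id is None:
        raise LookupError("policy not found in this workspace")
    return {"workspace": workspace, "policy_id": policy_id,
            "agent_id": context["agent_id"]}

# Request body taken from the page's "Request shape" sample.
REQUEST = {
    "policy_name": "payments-default",
    "context": {"agent_id": "invoice-bot",
                "payload_scope": {"amount": 12000, "currency": "USD"}},
    "webhook_url": "https://you.example/hooks/agent-nexus",
}
```

The same request body resolves to a different policy depending only on which key presents it, which is the property that keeps a staging integration from reaching production rules.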

Audit & analytics

Evaluations, delivery attempts, and outcomes in one place; analytics and exportable evidence for review.

Developer experience

Templates and validation in the UI; OpenAPI and framework notes to ship quickly.

Policy-as-Code

Optional GitHub link: signed webhooks update rulesets on push; manual sync for private repos.

Built for the whole room

Engineering & platform

Stop one-off approval bots. Plug evaluate into your agent runtime or gateway and keep policy out of business logic.

Security & compliance

Show who approved what, on which policy version, before downstream execution—plus analytics, exports, and enterprise sign-in when required.

Operations

Route approvers through email, Slack, or Teams; use audit and analytics to report on queues and outcomes.

Request early access

We'll reach out when we open onboarding. Documentation and architecture overview are available anytime.
