pbac.gateway/v1.0/public preview
gateway :9090 healthy · 14,832 decisions/hour
Policy-Based Access Control
for Agentic Systems

Stop trusting
your agents.
Start governing them.

Every MCP tool call is introspected. Every scope is checked. Every decision is logged. When Claude Code, OpenCode, or any autonomous agent hits an MCP server, the gateway asks the PBAC AS the only question that matters: is this allowed right now?

live introspection trace (time · decision · scope · subject · latency)

12:34:52.103  OK    scope=drive:read          alice        12ms
12:34:52.219  OK    scope=jira:write          bob           8ms
12:34:52.287  OK    scope=github:repos:read   alice         9ms
12:34:52.341  DENY  scope=jenkins:trigger     charlie       4ms
12:34:52.487  OK    scope=slack:read          bob          11ms
12:34:52.553  OK    scope=github:prs:read     alice         7ms
12:34:52.612  OK    scope=jira:read           alice        14ms
12:34:52.671  DENY  scope=github:prs:merge    claude-code   5ms
12:34:52.734  OK    scope=postgres:query      bob          22ms
12:34:52.801  OK    scope=drive:write         alice        10ms
12:34:52.869  OK    scope=slack:write         alice        13ms
12:34:52.931  OK    scope=github:issues:read  ci-bot        6ms
12:34:52.988  DENY  scope=postgres:delete     charlie       3ms
12:34:53.044  OK    scope=jira:write          alice        15ms
12:34:53.112  OK    scope=github:repos:write  alice         9ms
12:34:53.181  OK    scope=drive:read          bob           8ms
12:34:53.249  OK    scope=slack:read          alice        12ms
12:34:53.312  DENY  scope=github:org:admin    claude-code   4ms
12:34:53.379  OK    scope=jenkins:view        ci-bot        7ms
12:34:53.441  OK    scope=jira:admin          alice        18ms
Works with: Claude Code, OpenCode, Cline, Continue

Core Capabilities

Policy as Arbiter

OPA evaluates Rego rules over policy data and request context. Policy defines precedence when multiple data sources conflict.

Single Access Plane

Employees, contractors, federated users, and agents — all through one model. Resource types span resource servers so policy targets types, not silos.

Agent-Safe Access

Agent clients get time-bound, scope-constrained tokens. Policy can apply JIT scoping, reduced TTL, and provider trust tiers — no privilege escalation.

Context-Aware

Beyond static attributes: time, location, risk score, MFA status, transaction amount. Policy can step up, constrain, or deny at the authorize, token, and introspect phases.

Standards-Based

OAuth 2.0, OIDC, DCR, RFC 8707 (resource indicators), RFC 9396 (RAR). You own the rules, not the lock-in.

How It Works

Client (User / Agent / M2M) → OAuth 2.0 / UMA → Authorization Server (Spring Boot + MySQL) → evaluate → Open Policy Agent (Rego + policy data) → introspect → Resource Server (enforce obligations)

  • Built on Open Policy Agent
  • OAuth 2.0 / OIDC / UMA 2.0
  • 7 RFCs implemented
  • Every decision audit-logged

Your policies are OPA Rego. Your data is JSON. If you leave, everything comes with you.

Who Benefits

For CISOs / CSOs

  • Control without code — Change policy; decisions reflect immediately.
  • One place to govern — Single policy plane across first-party and third-party apps.
  • Agent-safe access — Policy-driven scope and TTL constraints; no privilege escalation.
  • Zero-trust ready — Context (MFA, location, risk) drives allow/deny/step-up at every phase.

For Platform & Integration Teams

  • Days, not quarters — Add new resource types and policies without rewriting integrations.
  • Ecosystem outcomes — Define "calendar" or "document" once; policy applies across vendors.
  • Least privilege — Restrict clients by type, RS, or specific resource.

For App & Product Owners

  • Delegation with guardrails — Users delegate to agents with time-bound scope; RS enforces via introspect.
  • Obligations — PDP returns audit_level, data_masking, rate_limit; RS enforces.
  • Standards-based — OAuth 2.0, OIDC, DCR, RFC 8707, RFC 9396. You own the rules.
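
The Core Capabilities section says policy is OPA Rego evaluated over policy data and request context, that agent clients get scope-constrained, reduced-TTL tokens with no privilege escalation, that context can trigger step-up or deny, and that the PDP returns obligations (audit_level, data_masking, rate_limit) for the resource server to enforce. The policy below is an added example that shows one way all of that fits into a single Rego package; it is not pbac.gateway's own policy. The package name, the layout of `data.grants`, `data.agents`, `data.tiers` and `data.admin_scopes`, and the `input.subject`, `input.scope` and `input.context` fields are assumptions made for this illustration, as are the TTL and rate-limit numbers.

```rego
# Added example policy, not the pbac.gateway project's own Rego.
# Package name, data.* layout and input.* fields are assumptions.
package pbac.example

import rego.v1

default allow := false
default step_up := false
default token_ttl_seconds := 300

# Assumed policy-data layout (data.json):
#   grants:       {"alice": ["drive:read", "drive:write", "github:repos:read"],
#                  "claude-code": ["drive:read", "github:repos:read", "github:prs:merge"]}
#   agents:       {"claude-code": {"delegated_by": "alice", "trust_tier": "internal"}}
#   tiers:        {"internal": {"max_ttl_seconds": 900}, "third_party": {"max_ttl_seconds": 300}}
#   admin_scopes: ["github:org:admin", "jira:admin", "postgres:delete"]
#
# Assumed input (input.json), one per introspection request:
#   {"subject": {"id": "claude-code", "type": "agent"}, "scope": "github:prs:merge",
#    "context": {"mfa": true, "risk_score": 20}}

# Scopes granted to a subject, as a set (empty if the subject is unknown).
scopes_of(id) := {s | some s in data.grants[id]}

# A user holds exactly what policy data grants.
effective_scopes := scopes_of(input.subject.id) if input.subject.type == "user"

# An agent holds only the intersection of its own grant and its delegating
# user's grant: delegation can narrow scope but never widen it.
effective_scopes := scopes_of(input.subject.id) & scopes_of(data.agents[input.subject.id].delegated_by) if input.subject.type == "agent"

# Allow only when the requested scope is held and no deny reason fires.
allow if {
	input.scope in effective_scopes
	count(deny) == 0
}

# Every refusal carries a reason so the audit log explains the DENY.
deny contains "scope not held by subject" if not input.scope in effective_scopes

# Agent clients never receive admin scopes, regardless of delegation.
deny contains "admin scope requested by agent client" if {
	input.subject.type == "agent"
	input.scope in data.admin_scopes
}

# Context: a high risk score denies outright.
deny contains "risk score above threshold" if input.context.risk_score > 80

# Context: a write scope without MFA is refused for now, but flagged as
# step-up so the client can re-authenticate and retry instead of failing.
deny contains "step-up authentication required" if step_up

step_up if {
	input.scope in effective_scopes
	endswith(input.scope, ":write")
	not input.context.mfa
}

# Token-phase constraint: users get a long TTL; agents are capped by the
# provider trust tier of whoever issued them (falls back to the default).
token_ttl_seconds := 3600 if input.subject.type == "user"

token_ttl_seconds := data.tiers[data.agents[input.subject.id].trust_tier].max_ttl_seconds if input.subject.type == "agent"

# Obligations the resource server must enforce on an allowed call.
obligations := {
	"audit_level": audit_level,
	"data_masking": input.scope == "postgres:query",
	"rate_limit": rate_limit,
}

audit_level := "high" if input.subject.type == "agent"
audit_level := "standard" if input.subject.type != "agent"

rate_limit := 60 if input.subject.type == "agent"
rate_limit := 600 if input.subject.type != "agent"

# The single document the gateway reads back per request. Evaluate with:
#   opa eval -d policy.rego -d data.json -i input.json 'data.pbac.example.decision'
decision := {
	"allow": allow,
	"step_up": step_up,
	"reasons": deny,
	"ttl_seconds": token_ttl_seconds,
	"obligations": obligations,
}
```

With the data sketched in the comments, the `claude-code` / `github:prs:merge` request from the trace above is refused even though the agent's own grant lists that scope, because `alice` (its delegating user) does not hold it, so the intersection drops it; `github:org:admin` is refused by the admin-scope rule no matter who delegated. The same package serves all three phases named on the page: `allow` and `step_up` at authorize and introspect, `ttl_seconds` at token issuance, and `obligations` for the resource server to enforce after a successful introspection.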