One authorization layer across your model stack.
An admin sets it up once. Team members only ever fill in their own name.
No per-app provider keys to hand out or revoke, and nothing left for a team member to misconfigure — the agent, its budget, and its passport are already fixed before anyone pastes a snippet.
Admin names the agent + passport
In Fleet Control, an admin sets the team, purpose, budget, and — optionally — allowed models/providers/data scope for one agent. Saving it signs that passport immediately.
Admin shares one snippet
The rendered header snippet already has the agent, team, purpose, and budget baked in — nothing to invent, nothing to get wrong.
Team member fills in only their name
Every teammate pastes the same snippet and replaces one value: their own X-Permisyn-User. The company key never changes hands raw.
Every call is already authorized and signed
Permisyn checks the passport and budget before the model ever sees the request, then signs the decision — allowed or blocked — into a receipt anyone can verify.
Governance that fits a lean team, not just a security department.
Most AI governance tools assume you already have a platform team to run them. Permisyn is built so one founder or one early engineer can turn it on before lunch — and it keeps working, unattended, as the team and the agent fleet grow.
Live in minutes
Point your existing OpenAI or Anthropic client at Permisyn. No procurement call, no vendor security questionnaire before your first authorized call.
One key, not one per engineer
An admin sets up one shared, policy-locked key. Every teammate pastes the same snippet and fills in only their own name.
Free to start
Register and start routing real, governed traffic immediately — no seat minimum, no sales call to get access.
Scales with you
The proxy auto-scales behind the scenes as your team and agent fleet grow — nothing for you to provision or tune yourself.
Every founder ends up sharing one API key with people they trust, and hoping for the best. We think you deserve better than hoping.
The default way most small teams run AI right now is one provider key, pasted into a dozen scripts and agents, with no record of who called what or how much it cost until the bill shows up. That is not a gap you can staff your way out of when you don't have a platform team — it is a structural one. Our goal with Permisyn is simple: give a founder the same command-and-control over AI spend and access that a well-resourced enterprise security team would build for themselves, without needing to be one. One key in. Every call — from your team and from your agents — authorized, attributed, and signed before it ever reaches the model. One switch to freeze everything the moment something looks wrong.
We hold ourselves to running this the way we would want a vendor to run something core to our own business: hardened against real load, and against real incidents we found and fixed directly in production, not just in a staging environment. If it is not solid enough for us to trust with our own traffic, it does not ship. That is the whole goal — a startup gets real, accountable AI governance from day one, not after its first bad surprise.
Authorize
Every call is checked against agent passport and policy before upstream execution.
Deny
Model rules, cost caps, kill switches, and rate limits stop unauthorized traffic early.
Secretless
Store provider keys in the encrypted vault; agents send only a Permisyn key while policy is enforced before upstream.
Prove
Every authorized call becomes signed evidence with transparency proofs and exportable audit bundles.
See every kind of call get authorized live.
From request headers to identity, passport, budget, and kill-switch checks to signed proof — walk through fourteen real decision paths, the exact pre-flight control every one of your team's and agents' calls gets in production.
Routine support reply. Identity and budget attach, policy allows — the baseline path every healthy call takes.
waiting...unsignedThe control tower for autonomous AI.
The product is built around primitives that generic gateways do not make first-class: authorization before action, durable agent identity, accountable users and teams, a kill boundary, and proof that survives incident review.
AI Flight Recorder
Every call becomes a decision receipt with policy, user, team, cost, outcome, and signature.
Agent Passport
Each AI worker gets identity, purpose, risk, owner, permissions, budget, and proof history.
Pre-flight Control
Model, spend, identity, and kill state are checked before upstream.
Kill Boundary
Security can halt the next model call without waiting for app teams to redeploy code.
Don't trust us. Verify us.
Every call Permisyn clears is signed with your org's own Ed25519 key. Anyone can verify what an agent did with your public key — no Permisyn login, no shared secret. And every agent carries a signed passport that the proxy enforces before a call leaves your network.
Independently verifiable audit
Each run is a signed receipt. Recompute the canonical payload, check the signature against the public key — offline, forever. Not even Permisyn can rewrite what already shipped.
GET /api/verify/{run_id}
→ { "algorithm": "ed25519",
"verified": true,
"public_key_pem": "-----BEGIN PUBLIC KEY-----…" }Agent Passport enforcement
Declare the models, providers, and data scope an agent may use. The proxy blocks anything outside the passport before traffic reaches the provider — identity and least-privilege for AI workers.
passport: allowed_models = "gpt-4o-mini" POST /v1/chat/completions (model: gpt-4o) → 403 passport_violation (blocked pre-upstream)
Anchored to Bitcoin, not just signed
A signature proves who attested; it can't prove when. Permisyn hash-chains the entire audit log and stamps the root into a real Bitcoin block via OpenTimestamps — so even Permisyn can't backdate or rewrite history after the fact.
GET /transparency/anchor/{id}/verify
→ { "verified": true,
"status": "bitcoin_confirmed",
"block_height": 872341 }Not a wrapper you have to trust
No SDK, no framework hooks to install in every agent. Point your existing OpenAI/Anthropic client at Permisyn and the same signed decision applies — zero code rewrite.
Secretless egress + freeze
Store OpenAI or Anthropic keys in an encrypted vault so callers send only their Permisyn key — the provider key is injected server-side after policy passes. One button freezes all AI traffic org-wide.
Edge data-plane + living compliance
Run enforcement at your edge; Permisyn coordinates authorization policy and proof — data never leaves your VPC. Compliance attestations are generated from the signed log and Ed25519-signed, not filled in by hand.
No governed calls in the last moment — the feed is real, not staged, so it's quiet when traffic is quiet.
One clearance layer. Every control.
Nothing your AI does is unauthorized, unaccounted for, or unprovable — checked inline, before the call leaves your network.
Agent Passport & least-privilege policy
A signed identity per agent — allowed models, providers, data scope, and spend — enforced pre-upstream, never just a snapshot.
Action-scope governance
Every other AI gateway stops at which model an agent may call. Permisyn governs which tool or function calls it's allowed to request, too — enforced pre-flight, even on streaming calls.
Multi-agent trust chain
When one agent calls another, its permissions can never exceed what it was actually, provably handed — and every hop is watched for behavioral drift, not just static rule violations.
Signed receipts & anchoring
Every call is Ed25519-signed with your org key and hash-anchored to Bitcoin via OpenTimestamps — even Permisyn can't backdate history.
Public proof & compliance surfaces
Evidence anyone can check without trusting Permisyn — not a claim locked inside a dashboard only you can see.
Identity, usage & command
See exactly who's using AI and how much it costs, rolled up by user, team, and agent — and halt any of it in one click.
Kill switch
Halt any agent in seconds from the dashboard — the next model call is blocked, no redeploy.
Cost caps
Per-agent spend ceilings enforced at request time — a runaway agent is stopped, not just charted.
Secretless egress
Provider keys live in an encrypted vault; callers send only their Permisyn key. No OpenAI key in application code or run logs.
Living compliance
EU AI Act / SOC 2 / HIPAA attestations generated from the real signed log and Ed25519-signed.
Edge data-plane
Run enforcement in your own VPC via a sidecar; Permisyn is the control plane. Data never leaves.
No rewrite
Point your existing OpenAI, Anthropic, or Gemini client at Permisyn — same SDK, same request shape. Authorization happens in the proxy path, with zero code rewrite.
Your agent teaches Permisyn what it's allowed to do — automatically, every time.
You don't hand-type an allow-list on day one. Turn on auto_baseline_actions and the tools your agent actually calls on its first run become its trusted baseline automatically — no config file, no guessing your own function names. Every tool discovered afterthat is auto-approved by default — attributed to the exact user and team who triggered it, and signed into the passport's audit-grade change history — or, for agents where you'd rather a human sign off, flip a second toggle so those later discoveries sit pending until you approve or reject them.
# first call ever seen — auto-baselined
observed_actions: [{name: "scan_dependencies", status: "baseline"}]
allowed_actions: ["scan_dependencies", "run_sast_check"]
→ signed PassportRevision, changed_by: "system:auto_baseline"
→ notify: action_baseline_captured
# new tool, seen well after the baseline — auto-approved too
observed_actions += {name: "rotate_secrets",
status: "baseline", discovered_by_user: "bob@company.com"}
allowed_actions: [..., "rotate_secrets"] # passport re-signed
→ signed PassportRevision, changed_by: "system:auto_baseline"
→ notify: action_auto_approved
# a tool NOT in allowed_actions is still rejected, enforcement_mode=block
→ 200 OK, tool_calls stripped from response
authorization_decision: "action_blocked"
decision_reason: "not authorized by passport: drop_database"
# 3rd such attempt in 10 minutes — same enforcement as a human's kill switch
→ agent auto-halted, triggered_by: "system:action_scope_threshold"
notify: action_scope_auto_killedThe authorization boundary, not another gateway.
AI gateways compete on routing, latency, caching, and provider abstraction. Permisyn competes on authorization: who is allowed to make this call, under which budget, with which human accountable, and what proof exists after.
Give every model call a clearance record.
Permisyn deploys at the model boundary, so security teams get enforceable AI authorization without asking every application team to install a trusted wrapper or rebuild a governance stack.
Built for startups and small teams to start today — happy to talk through anything larger directly.
See what we've actually tested →