Permission before execution.Proof after every decision.

Every AI call asks permission first. Permisyn decides and signs the proof.

Every call from your team and your agents is authorized against budget and passport before the model ever sees it — then signed into a receipt anyone can independently verify. One company key in, zero blind trust out.

Free to start — no sales callNo provider keys in app codePre-execution decisionAgent passportsSigned receipts
Supported providers

One authorization layer across your model stack.

OpenAI, Anthropic, Gemini, Mistral, Azure, Groq, Together, and custom HTTPS upstreams.
OpenAIChat, responses, completions
AnthropicClaude messages
GeminiGoogle AI Studio / Vertex
MistralLa Plateforme models
Azure OpenAIEnterprise deployments
GroqOpenAI-compatible
Together AIOpenAI-compatible
HTTPSCustom HTTPSAny public upstream
How sharing one key actually works

An admin sets it up once. Team members only ever fill in their own name.

No per-app provider keys to hand out or revoke, and nothing left for a team member to misconfigure — the agent, its budget, and its passport are already fixed before anyone pastes a snippet.

1

Admin names the agent + passport

In Fleet Control, an admin sets the team, purpose, budget, and — optionally — allowed models/providers/data scope for one agent. Saving it signs that passport immediately.

2

Admin shares one snippet

The rendered header snippet already has the agent, team, purpose, and budget baked in — nothing to invent, nothing to get wrong.

3

Team member fills in only their name

Every teammate pastes the same snippet and replaces one value: their own X-Permisyn-User. The company key never changes hands raw.

4

Every call is already authorized and signed

Permisyn checks the passport and budget before the model ever sees the request, then signs the decision — allowed or blocked — into a receipt anyone can verify.

Made for teams that move fast

Governance that fits a lean team, not just a security department.

Most AI governance tools assume you already have a platform team to run them. Permisyn is built so one founder or one early engineer can turn it on before lunch — and it keeps working, unattended, as the team and the agent fleet grow.

Live in minutes

Point your existing OpenAI or Anthropic client at Permisyn. No procurement call, no vendor security questionnaire before your first authorized call.

One key, not one per engineer

An admin sets up one shared, policy-locked key. Every teammate pastes the same snippet and fills in only their own name.

Free to start

Register and start routing real, governed traffic immediately — no seat minimum, no sales call to get access.

Scales with you

The proxy auto-scales behind the scenes as your team and agent fleet grow — nothing for you to provision or tune yourself.

Why we built Permisyn

Every founder ends up sharing one API key with people they trust, and hoping for the best. We think you deserve better than hoping.

The default way most small teams run AI right now is one provider key, pasted into a dozen scripts and agents, with no record of who called what or how much it cost until the bill shows up. That is not a gap you can staff your way out of when you don't have a platform team — it is a structural one. Our goal with Permisyn is simple: give a founder the same command-and-control over AI spend and access that a well-resourced enterprise security team would build for themselves, without needing to be one. One key in. Every call — from your team and from your agents — authorized, attributed, and signed before it ever reaches the model. One switch to freeze everything the moment something looks wrong.

We hold ourselves to running this the way we would want a vendor to run something core to our own business: hardened against real load, and against real incidents we found and fixed directly in production, not just in a staging environment. If it is not solid enough for us to trust with our own traffic, it does not ship. That is the whole goal — a startup gets real, accountable AI governance from day one, not after its first bad surprise.

Authorize

Every call is checked against agent passport and policy before upstream execution.

Deny

Model rules, cost caps, kill switches, and rate limits stop unauthorized traffic early.

Secretless

Store provider keys in the encrypted vault; agents send only a Permisyn key while policy is enforced before upstream.

Prove

Every authorized call becomes signed evidence with transparency proofs and exportable audit bundles.

Live guided demo

See every kind of call get authorized live.

From request headers to identity, passport, budget, and kill-switch checks to signed proof — walk through fourteen real decision paths, the exact pre-flight control every one of your team's and agents' calls gets in production.

Routine support reply. Identity and budget attach, policy allows — the baseline path every healthy call takes.

Request headers
POST /v1/chat/completions
X-Permisyn-Agent: support-ticket-agent
X-Permisyn-User: ops@company.com
X-Permisyn-Team: support
X-Permisyn-Purpose: customer ticket reply
X-Permisyn-Max-Cost-USD: 0.50
Decision timeline
Request composed
support-ticket-agent context attached
2
User & team attached
ops@company.com · support
3
Passport check
within allowed models
4
Budget check
within cap
5
Final decision: ALLOWED
cleared to execute
6
Signed receipt
hash + signature generated
Proof preview
Decision
PENDING
Action hash
waiting...
Signature
unsigned
No provider keys stored. Pre-execution and fail-closed by default.
Create free accountRead docs
Mission-grade primitives

The control tower for autonomous AI.

The product is built around primitives that generic gateways do not make first-class: authorization before action, durable agent identity, accountable users and teams, a kill boundary, and proof that survives incident review.

AI Flight Recorder

Every call becomes a decision receipt with policy, user, team, cost, outcome, and signature.

Agent Passport

Each AI worker gets identity, purpose, risk, owner, permissions, budget, and proof history.

Pre-flight Control

Model, spend, identity, and kill state are checked before upstream.

Kill Boundary

Security can halt the next model call without waiting for app teams to redeploy code.

Now shipping · verifiable by anyone

Don't trust us. Verify us.

Every call Permisyn clears is signed with your org's own Ed25519 key. Anyone can verify what an agent did with your public key — no Permisyn login, no shared secret. And every agent carries a signed passport that the proxy enforces before a call leaves your network.

Independently verifiable audit

Each run is a signed receipt. Recompute the canonical payload, check the signature against the public key — offline, forever. Not even Permisyn can rewrite what already shipped.

GET /api/verify/{run_id}
→ { "algorithm": "ed25519",
    "verified": true,
    "public_key_pem": "-----BEGIN PUBLIC KEY-----…" }

Agent Passport enforcement

Declare the models, providers, and data scope an agent may use. The proxy blocks anything outside the passport before traffic reaches the provider — identity and least-privilege for AI workers.

passport: allowed_models = "gpt-4o-mini"

POST /v1/chat/completions  (model: gpt-4o)
→ 403 passport_violation  (blocked pre-upstream)

Anchored to Bitcoin, not just signed

A signature proves who attested; it can't prove when. Permisyn hash-chains the entire audit log and stamps the root into a real Bitcoin block via OpenTimestamps — so even Permisyn can't backdate or rewrite history after the fact.

GET /transparency/anchor/{id}/verify
→ { "verified": true,
    "status": "bitcoin_confirmed",
    "block_height": 872341 }

Not a wrapper you have to trust

No SDK, no framework hooks to install in every agent. Point your existing OpenAI/Anthropic client at Permisyn and the same signed decision applies — zero code rewrite.

Secretless egress + freeze

Store OpenAI or Anthropic keys in an encrypted vault so callers send only their Permisyn key — the provider key is injected server-side after policy passes. One button freezes all AI traffic org-wide.

Edge data-plane + living compliance

Run enforcement at your edge; Permisyn coordinates authorization policy and proof — data never leaves your VPC. Compliance attestations are generated from the signed log and Ed25519-signed, not filled in by hand.

Live — real signed decisions, right now

No governed calls in the last moment — the feed is real, not staged, so it's quiet when traffic is quiet.

Everything Permisyn enforces

One clearance layer. Every control.

Nothing your AI does is unauthorized, unaccounted for, or unprovable — checked inline, before the call leaves your network.

The differentiators— not on any AI gateway, guardrails SDK, or observability roadmap

Agent Passport & least-privilege policy

A signed identity per agent — allowed models, providers, data scope, and spend — enforced pre-upstream, never just a snapshot.

Time-boxed & region-scopedEnforced data residencyChain-scoped budgetSigned passport historyPolicy simulationRole templates

Action-scope governance

Every other AI gateway stops at which model an agent may call. Permisyn governs which tool or function calls it's allowed to request, too — enforced pre-flight, even on streaming calls.

Action-scope enforcementAuto-discovered action namesAuto-baseline onboardingPer-agent approval gate

Multi-agent trust chain

When one agent calls another, its permissions can never exceed what it was actually, provably handed — and every hop is watched for behavioral drift, not just static rule violations.

Chain of custodyCapability delegationBehavioral drift detection

Signed receipts & anchoring

Every call is Ed25519-signed with your org key and hash-anchored to Bitcoin via OpenTimestamps — even Permisyn can't backdate history.

Verifiable auditExternal anchoringSigned output attestation

Public proof & compliance surfaces

Evidence anyone can check without trusting Permisyn — not a claim locked inside a dashboard only you can see.

Public verifiable badgeAI Bill of MaterialsAuditor scoped portal

Identity, usage & command

See exactly who's using AI and how much it costs, rolled up by user, team, and agent — and halt any of it in one click.

User & team identityUsage by user & teamDependency GraphFreeze all AIOne-click verified onboarding
Also included — not an upsell— the baseline you'd expect from any AI proxy, bundled on every plan

Kill switch

Halt any agent in seconds from the dashboard — the next model call is blocked, no redeploy.

Cost caps

Per-agent spend ceilings enforced at request time — a runaway agent is stopped, not just charted.

Secretless egress

Provider keys live in an encrypted vault; callers send only their Permisyn key. No OpenAI key in application code or run logs.

Living compliance

EU AI Act / SOC 2 / HIPAA attestations generated from the real signed log and Ed25519-signed.

Edge data-plane

Run enforcement in your own VPC via a sidecar; Permisyn is the control plane. Data never leaves.

No rewrite

Point your existing OpenAI, Anthropic, or Gemini client at Permisyn — same SDK, same request shape. Authorization happens in the proxy path, with zero code rewrite.

Self-provisioning trust

Your agent teaches Permisyn what it's allowed to do — automatically, every time.

You don't hand-type an allow-list on day one. Turn on auto_baseline_actions and the tools your agent actually calls on its first run become its trusted baseline automatically — no config file, no guessing your own function names. Every tool discovered afterthat is auto-approved by default — attributed to the exact user and team who triggered it, and signed into the passport's audit-grade change history — or, for agents where you'd rather a human sign off, flip a second toggle so those later discoveries sit pending until you approve or reject them.

Day 1
Agent's first call declares scan_dependencies and run_sast_check. Permisyn locks the baseline and signs the passport — zero manual setup.
Day 12
Same agent calls a tool it's never used before: rotate_secrets. It's trusted immediately, the same way — no wait, no pause, tagged with who called it.
Same moment
The owning team gets an in-dashboard notification that rotate_secrets was seen and auto-allowed — visible, not hidden, but never blocking.
From then on
rotate_secrets is part of the signed allow-list going forward, with a full record of exactly when and by whom it was first seen.
# first call ever seen — auto-baselined
observed_actions: [{name: "scan_dependencies", status: "baseline"}]
allowed_actions: ["scan_dependencies", "run_sast_check"]
→ signed PassportRevision, changed_by: "system:auto_baseline"
→ notify: action_baseline_captured

# new tool, seen well after the baseline — auto-approved too
observed_actions += {name: "rotate_secrets",
  status: "baseline", discovered_by_user: "bob@company.com"}
allowed_actions: [..., "rotate_secrets"]   # passport re-signed
→ signed PassportRevision, changed_by: "system:auto_baseline"
→ notify: action_auto_approved

# a tool NOT in allowed_actions is still rejected, enforcement_mode=block
→ 200 OK, tool_calls stripped from response
   authorization_decision: "action_blocked"
   decision_reason: "not authorized by passport: drop_database"

# 3rd such attempt in 10 minutes — same enforcement as a human's kill switch
→ agent auto-halted, triggered_by: "system:action_scope_threshold"
   notify: action_scope_auto_killed
Why different

The authorization boundary, not another gateway.

AI gateways compete on routing, latency, caching, and provider abstraction. Permisyn competes on authorization: who is allowed to make this call, under which budget, with which human accountable, and what proof exists after.

Before
allow and deny decisions happen pre-upstream
Accountable
agent, user, team, and purpose attached
Provable
signed evidence and transparency proof
Portable
works across provider clients without wrapper trust
Don't take our word for it — try to break it live
Category
Typical promise
Permisyn difference
AI gateways
Route, retry, cache, log traffic
Decide whether the call is authorized to execute
Observability
Explain what happened after the call
Block, pause, meter, and sign before execution
Guardrails
Classify whether content looks safe
Authorize by agent, sponsor, purpose, cost cap, risk, and proof
Wrapper governance
Trust app teams to install wrappers
Govern at the model boundary without app rewrites
Agent authorization SDKs
Signed pre-execution decisions, but via SDK/framework hooks you integrate into every agent
Same signed decisions, zero code rewrite — point your existing client at the proxy

Give every model call a clearance record.

Permisyn deploys at the model boundary, so security teams get enforceable AI authorization without asking every application team to install a trusted wrapper or rebuild a governance stack.

Create authorization key Need help choosing a plan? Talk to us

Built for startups and small teams to start today — happy to talk through anything larger directly.

See what we've actually tested →