Aerostack
Aerostack

MCP security — per-tool allow/deny, agent guardrails, auth gates, and human approval for AI agents

MCP Security

Your AI agents have root access.
Enforce MCP security before it costs you.

Every MCP server you install gives your AI agent unrestricted access to your databases, repos, cloud, and APIs. No permissions. No guardrails. One hallucination away from disaster. Aerostack enforces MCP security at the tool level with per-tool allow/deny scopes, composable agent guardrails that block PII and policy violations, and human approval gates for irreversible actions.

Secure Your Agents See It In Action
Today
All tools exposed
With Aerostack
You choose which tools
// The Problem

What your AI agent can do right now.

Install any MCP server in Claude, Cursor, ChatGPT, or Windsurf. Your agent immediately gets full, unrestricted access to every tool. Here's what that means.

Database MCP

Any AI agent with Postgres/MySQL MCP

Agent can do all of this
DROP TABLE users critical
DELETE FROM orders WHERE 1=1 critical
UPDATE accounts SET balance = 0
SELECT * FROM credit_cards
ALTER TABLE — break schema
With Aerostack — you allow only
SELECT with read-only access
View table structure
Run approved reports

GitHub MCP

Any AI agent with GitHub MCP

Agent can do all of this
Delete repository critical
Force push to main critical
Merge PRs without review
Change branch protection rules
Remove collaborators
With Aerostack — you allow only
Read code and issues
Create branches and PRs
Review diffs and comments

Slack MCP

Any AI agent with Slack MCP

Agent can do all of this
Send messages as you to any channel critical
Delete channels critical
Remove members from workspace
Export private conversations
Change workspace settings
With Aerostack — you allow only
Read specific channels
Search message history
Post to approved channels only

Cloud (AWS/GCP) MCP

Any AI agent with Cloud MCP

Agent can do all of this
Terminate production instances critical
Delete S3 buckets with data critical
Modify security groups (open ports)
Change IAM policies
Download secrets from vault
With Aerostack — you allow only
Describe instances and resources
View CloudWatch metrics
Read deployment configs
// Try It

Toggle permissions.
See what your agent can do.

This is the Aerostack permission panel. Every MCP tool can be individually enabled or disabled. Your agent only sees what you allow.

3 / 8 tools enabledNo dangerous tools exposed
Safe
query
Run SELECT queries
Safe
list_tables
List all tables
Safe
describe_table
View table schema
Caution
insert
Insert new rows
Caution
update
Modify existing rows
Dangerous
delete
Delete rows
Dangerous
execute
Run arbitrary SQL
Dangerous
drop_table
Drop a table

When your agent calls a blocked tool, Aerostack returns a clear error — the action is never executed.
// How It Works

Four layers of agent safety.

Aerostack sits between your AI agent and your tools. Every tool call, every output, and every sensitive action goes through enforcement checks — not advisory rules.

MCP Scopes — Per-Tool Allow/Deny

Configure exactly which tools each agent can call via mcp_scopes. The call is rejected before it reaches the MCP server. Least-privilege at the permission layer, not the prompt layer.

Agent Guardrails — I/O Checks

The guardrail node runs PII detection, regex blocklist, prompt-injection heuristic, output-length caps, cost budgets, topic scope, and content policy on agent I/O — routing to pass or blocked.

Auth Gate — Identity Before Action

Require email OTP, phone OTP, or magic-link verification before the agent proceeds past a sensitive step. The workflow resumes with a confirmed identity context.

Human Approval — Sign-Off Before Execute

Pause the agent and route an approval request to a human reviewer. Approve, reject, or send feedback from the dashboard or mobile app. Every decision logged for audit.

AI Agent
Claude, GPT, Cursor…
MCP Scopes
Allow/deny per tool
Guardrail Node
PII · injection · policy
MCP Server
Only allowed tools execute

Every tool call passes through scopes + guardrails before reaching your infra. Human approval intercepts irreversible actions.

// MCP Scopes

Per-tool allow/deny.
Least-privilege for every agent.

MCP security starts with scope control. For every bot you deploy, mcp_scopes defines the exact tools that agent is permitted to call. Install a full Postgres MCP and only expose read_table and run_query. Block drop_table and delete_rows entirely.

When the agent calls a blocked tool, the request is rejected before it reaches the MCP server — not after. This is enforcement at the permission layer, not the prompt layer. Prompts can be manipulated; MCP scopes cannot.

Set Up MCP Scopes How Workspaces Work
bot config — mcp_scopes 
{
  "name": "Analytics Bot",
  "mcp_scopes": {
    "postgres": [
      "read_table",
      "run_query",
      "list_tables"
    ],
    "github": [
      "list_repos",
      "read_file",
      "create_issue"
    ]
  }
}
postgres.run_query — allowed
github.create_issue — allowed
postgres.drop_table — blocked
github.delete_repository — blocked
// Agent Guardrails

Block PII, injection, and off-topic output.
Agent guardrails, enforced in the graph.

The guardrail node is the LLM security layer inside your workflow. It runs composable safety checks on agent I/O before anything is acted upon — enabling you to secure AI agents at runtime, not just at configuration time. Enable only what you need. Every check routes to a pass or blocked edge.

pii_detection

PII Detection

Detects and redacts personal information — emails, phone numbers, SSNs, credit card numbers — before the agent outputs them or logs them downstream.

regex_blocklist

Regex Blocklist

Define banned words, phrases, or patterns. The check runs client-side with zero LLM cost — word-boundary regex matches before any expensive call fires.

prompt_injection

Prompt Injection

Heuristic scan for prompt injection attempts — instructions embedded in user input designed to override your system prompt or escalate privilege.

output_length

Output Length Cap

Hard limit on agent response length in characters. Prevents runaway generation, cost blowouts, and downstream overflow issues.

cost_budget

Cost Budget

Accumulates token spend across nodes. If the conversation budget (in cents) is exceeded, the guardrail routes to blocked — the agent cannot run more LLM calls.

topic_scope

Topic Scope

LLM-backed check: restrict the agent to configured topics. An HR bot stays on HR questions. A support bot stays on product support. Off-topic queries are blocked.

content_policy

Content Policy

LLM-backed moderation check on output. Catches harmful, illegal, or policy-violating content before it reaches your users or downstream systems.

Guardrail routing

Agent Output
Raw text from LLM node
Guardrail Node
7 composable checks
pass ↓ blocked ↓
Pass edge
Continue workflow
Blocked edge
Error message / escalate / halt
// Identity + Approval

Verify who the agent is acting for.
Then require a human to confirm.

Two security primitives that work at the execution level — not the prompt level. Every sensitive action can be gated by identity and gated by a human decision before it runs.

Auth Gate

Verify identity before sensitive steps

Place an auth gate node anywhere in your workflow to require identity verification before the agent proceeds. Supports email OTP, phone OTP, and magic link. The agent pauses, the user verifies, and the workflow resumes with a confirmed identity context.

Use before

Accessing personal account data
Writing to a system of record
Triggering a payment or refund
Sending messages on behalf of the user
Any step that reads or changes PII

Human Approval

Block irreversible actions until signed off

The human approval node pauses the agent and routes the decision to a reviewer — via the Aerostack dashboard or the OpenClaw mobile app. The reviewer approves, rejects, or sends feedback and lets the agent revise. Every decision is timestamped and logged for audit.

Use before

Deleting records or dropping tables
Sending bulk or outbound messages
Deploying code or infrastructure changes
Moving money or issuing refunds
Any action that cannot be undone

LLM security: advisory vs. enforced — the difference that matters

OWASP LLM Top 10, NIST AI RMF, and most vendor LLM security guides tell you what to implement: least-privilege access, input validation, output filtering, human oversight. They are advisory. Aerostack ships the enforcement layer: MCP scopes enforce least-privilege at the tool call, the guardrail node runs input/output checks in the execution graph, auth gates verify identity in-flow, and human approval nodes hold irreversible actions until a person signs off. The controls are in your workflow — not in a document. This is what it means to secure AI agents in production, not just describe how to.

// Comparison

Nobody else is doing this.

Compare MCP security and agent guardrails across platforms. Aerostack is the only platform with both tool-level permission control and enforced runtime guardrails.

Feature
Raw MCP
Claude / Cursor
Aerostack
Tool-Level Control
Per-tool allow / deny
Read-only mode for MCP
Block destructive tools
Custom permission presets
Agent Guardrails
PII detection & redaction
Prompt injection heuristic
Regex blocklist (words/patterns)
Output length cap
Cost budget enforcement
Topic scope — on-subject only
Content policy check (LLM-backed)
~
Runtime Protection
Audit log of every tool call
Rate limiting per tool
Real-time monitoring
Alert on blocked action
Auth gate — identity verification in-flow
Pause agent and require human sign-off before execution
Governance
Workspace-level policies
Team permission templates
Compliance-ready (SOC 2, GDPR)
~
Least-privilege by default
// Use Cases

Safe agents for every team.

Data Teams

Give AI agents read-only database access for analytics and reporting. Block all writes. No more "I accidentally dropped the table" incidents.

Engineering Teams

Let agents read code, create PRs, and review diffs — but block force pushes, repo deletion, and branch protection changes.

Support Teams

Agents can read customer tickets and search knowledge bases. Block sending messages to prevent AI from responding without human review.

DevOps Teams

Monitor infrastructure with AI — describe instances, read metrics, check logs. Block terminate, delete, and any destructive cloud operations.

Compliance Teams

Meet SOC 2 and GDPR least-privilege requirements. Every tool call audited. Permission changes tracked. Export-ready compliance reports.

Agency & Freelancers

Give clients AI-powered dashboards without worrying about agents breaking things. Set permissions per client workspace.

Stop giving agents
the keys to everything.

Set up tool-level permissions in under 5 minutes. Free to start. Your databases, repos, and APIs will thank you.

Get Started Free Read the Docs

Related features

MCP Workspaces OpenClaw Enterprise MCP Servers Agent Automation
// FAQ

MCP security & agent guardrails — common questions

What is MCP security and why does it matter?
MCP security refers to enforcing what MCP servers and tools an AI agent is permitted to call, and under what conditions. Without it, any MCP server you connect gives the agent unrestricted access — to your database, repos, cloud, and APIs. Aerostack enforces MCP security at the tool level: every tool call is checked against your allow/deny rules before it reaches the server. You can also require human approval for sensitive operations, so the agent pauses and waits for sign-off before executing. This is the enforcement layer most security frameworks recommend but do not ship.
What are agent guardrails and how do they work?
Agent guardrails are composable safety checks that run on agent I/O before the output is acted upon. In Aerostack, the guardrail node supports: PII detection and redaction, a regex blocklist for banned words or patterns, output-length caps, cost-budget enforcement, a prompt-injection heuristic, topic-scope limiting (the agent can only respond about configured subjects), and an LLM-backed content policy check. Each check is individually enabled per workflow. If any check fails, the node routes to a "blocked" edge and your flow can send an error message, escalate, or halt — instead of letting unsafe content pass through silently.
How do I secure AI agents with per-tool allow/deny (MCP scopes)?
Aerostack's MCP scopes let you configure exactly which tools each bot or agent is allowed to call. You set mcp_scopes per bot — for example, allowing read_table and run_query on a database MCP while blocking drop_table and delete_rows. When the agent tries to call a blocked tool, the request is rejected before it reaches the MCP server. This is least-privilege by design: install any MCP and only expose the subset of tools that agent actually needs.
What is an auth gate and when should I use it?
An auth gate is a security checkpoint inside a workflow that verifies the identity of a user before allowing sensitive steps to proceed. It supports email OTP, phone OTP, and magic link verification. You place it in your workflow graph before any node that accesses personal data, makes writes, or triggers irreversible actions. The agent pauses at the gate, the user verifies their identity, and the workflow continues only on success. This creates an identity-verified execution context — the agent knows who it is acting for before it acts.
How does human approval work before irreversible agent actions?
The human approval node pauses a running agent or workflow and routes a decision to a designated reviewer — via the Aerostack dashboard or the OpenClaw mobile app. The agent holds its state at the edge until the reviewer approves, rejects, or sends feedback. Every decision is logged with timestamp and reviewer identity for audit. This is the last line of defense for actions that cannot be undone: sending bulk messages, writing to production databases, deleting records, deploying code, or moving money.
What is tool-level AI agent security?
Tool-level security lets you allowlist or blocklist individual MCP tools for each agent. An agent given read access cannot delete records, even if the MCP supports it.
How does MCP authentication work on Aerostack?
Every workspace URL is authenticated via OAuth or API key. Secrets are injected at the edge and never sent to the AI client.
Can I audit what actions an AI agent has taken?
Yes. Aerostack logs every tool call with timestamp, agent identity, input parameters, and response — viewable per workspace.
What happens if an AI agent tries to call a blocked tool?
The tool call is rejected with a permission error. The agent receives a structured response indicating the action is not permitted.
Is Aerostack security model zero-trust?
Yes. Secrets are never exposed to the AI model or client. Access is verified at the edge on every request, with no ambient trust between components.
How is Aerostack different from advisory-only AI security frameworks?
Most AI security frameworks — OWASP LLM Top 10, NIST AI RMF, vendor best-practice guides — describe what you should do. They recommend least-privilege access, input validation, output filtering, and human oversight. Aerostack ships those controls as running infrastructure: MCP scopes enforce least-privilege at the tool call, the guardrail node performs input/output checks in the execution graph, auth gates verify identity before sensitive steps, and human approval nodes block irreversible actions until a human signs off. Advisory is what to do; Aerostack is the enforcement layer that does it.