Control every MCP tool call your agent makes. Set budgets, approvals, and hard limits across MCP servers — so your agent can do its job without breaking things.
Intercept is an open-source proxy between AI agents and MCP servers. It enforces YAML-defined policies on every tool call: rate limits, spend caps, access controls, argument validation, human-in-the-loop approval. One YAML file. No agent changes. Open source, Apache 2.0.
Intercept scans your MCP config, discovers every tool, and opens a web UI to review and assign policies:
```bash
npx -y @policylayer/intercept init
```

Rate limit and block:

```yaml
create_refund:
  rules:
    - name: "daily-limit"
      rate_limit: "10/day"
delete_repository:
  rules:
    - name: "block"
      action: deny
```

Human approval for high-value actions:

```yaml
create_refund:
  rules:
    - name: "large-refund-approval"
      action: require_approval
      conditions:
        - path: "args.amount"
          op: "gt"
          value: 100000
      approval_timeout: "30m"
```

Budget enforcement with MPP (-32042):

```yaml
generate_image:
  rules:
    - name: "image-budget"
      spend:
        per_call: 0.50
        daily: 50.00
```

- Block tool calls. Deny dangerous tools unconditionally (e.g. `delete_repository`)
- Validate arguments. Enforce constraints on tool arguments (`amount <= 500`, `currency in [usd, eur]`)
- Rate limit. Cap calls per minute, hour, or day with `rate_limit: 5/hour` shorthand
- Track spend. Stateful counters with dynamic increments (e.g. sum `args.amount` across calls)
- Enforce budgets on paid tools. When an MCP server charges via MPP (-32042), Intercept checks your spend policy and blocks over-budget calls before money moves
- Hide tools. Strip tools from `tools/list` so the agent never sees them, saving context window tokens
- Require approval. Hold tool calls for human approval via CLI or admin API (`--enable-admin-api`) before execution
- Idempotent enforcement. Prevent duplicate actions from agent retries with `idempotency_window: 5m`
- Fail-closed. If Intercept goes down, nothing runs. Your agent doesn't get a free pass.
- Default deny. Allowlist mode where only explicitly listed tools are permitted
- Hot reload. Edit the policy file while running; changes apply immediately without restart
- Validate policies. `intercept validate -c policy.yaml` catches errors before deployment
- Persistent state. Rate limits, spend counters, and approval records persist across restarts. SQLite by default. Redis for multi-instance deployments.
- Shadow mode. Evaluate every call without enforcing. See what would have been blocked before you go live.
- Multi-transport. Stdio and HTTP. Works with local MCP servers and remote endpoints.

| | System prompt | Intercept |
|---|---|---|
| Enforcement | Probabilistic | Deterministic — blocked at transport layer |
| Bypassable | Injection, reasoning, context overflow | Agent never sees the rules |
| Stateful | No memory of previous calls | Counters, spend tracking, sliding windows |
| Auditable | No structured log | Every decision logged with reason |
| Latency | N/A | Sub-millisecond per evaluation (p95) |
Prompts tell the agent what it should do. Intercept defines what it is allowed to do.
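
To make the deterministic, stateful column of the comparison concrete, here is an added Python sketch (not Intercept's own code) that evaluates JSON-RPC `tools/call` requests against a constructed dict mirroring the `create_refund` and `delete_repository` rules on this page. The names `POLICY`, `lookup` and `evaluate`, the choice to fail closed when a condition cannot be evaluated, and the choice not to count approval-held calls toward the rate limit are assumptions of the sketch.

```python
import time
from collections import defaultdict, deque

POLICY = {  # constructed; mirrors the page's YAML rules, not Intercept's loader
    "create_refund": [
        {"name": "daily-limit", "rate_limit": "10/day"},
        {"name": "large-refund-approval", "action": "require_approval",
         "conditions": [{"path": "args.amount", "op": "gt", "value": 100000}]}],
    "delete_repository": [{"name": "block", "action": "deny"}],
}
WINDOWS = {"minute": 60, "hour": 3600, "day": 86400}
OPS = {"gt": lambda a, b: a > b}  # only the operator shown on the page
CALLS = defaultdict(deque)  # (tool, rule name) -> timestamps of allowed calls

def lookup(args, path):
    """Resolve an 'args.amount' style path; a missing key yields None."""
    node = {"args": args}
    for key in path.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def evaluate(request, now=None, default_deny=True):
    """Return (decision, reason) for one JSON-RPC tools/call request."""
    now = time.time() if now is None else now
    tool = request["params"]["name"]
    args = request["params"].get("arguments", {})
    if tool not in POLICY:
        return ("deny", "tool not in allowlist") if default_deny else ("allow", "no policy")
    pending = []
    for rule in POLICY[tool]:
        try:
            matched = all(OPS[c["op"]](lookup(args, c["path"]), c["value"])
                          for c in rule.get("conditions", []))
        except (KeyError, TypeError):  # unknown op, or missing/non-numeric argument
            return "deny", f"{rule['name']}: unevaluable condition"  # fail closed
        if not matched:
            continue
        if "action" in rule:
            return rule["action"], rule["name"]
        limit, unit = rule["rate_limit"].split("/")
        window = CALLS[(tool, rule["name"])]
        while window and window[0] <= now - WINDOWS[unit]:
            window.popleft()  # sliding window: forget calls older than the unit
        if len(window) >= int(limit):
            return "deny", rule["name"]
        pending.append(window)
    for window in pending:  # count the call only once every rule has passed
        window.append(now)
    return "allow", "ok"
```

Because the decision depends only on the request, the policy and the stored counters, the same call sequence always yields the same verdicts, whatever the agent's prompt or context contains.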

```bash
npx -y @policylayer/intercept           # Run directly
npm install -g @policylayer/intercept   # Install globally
```

Pre-built binaries on GitHub Releases.

Claude Code, Cursor, Claude Desktop, Windsurf, VS Code, Cline, OpenAI Codex, Gemini CLI, Zed, Continue — any client that speaks MCP. `intercept init` auto-detects your config.

Local server (stdio):

```json
{
  "mcpServers": {
    "github": {
      "command": "intercept",
      "args": ["-c", "policy.yaml", "--", "npx", "-y", "@modelcontextprotocol/server-github"],
      "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "..." }
    }
  }
}
```

Remote server (HTTP/SSE):

```json
{
  "mcpServers": {
    "stripe": {
      "command": "intercept",
      "args": ["-c", "policy.yaml", "--upstream", "https://mcp.stripe.com", "--header", "Authorization: Bearer tok"]
    }
  }
}
```

Or use `intercept init` to generate this configuration automatically.

- CLI reference — commands, flags, transport modes, state backends
- Policy reference — YAML format, conditions, operators, stateful counters
- Example policies — scaffolds for 349 MCP servers
- Ready-made policy templates for GitHub, Stripe, AWS, Notion, Slack, and more

