Agent Gateway

The safe data door for AI agents.

Your AI agents need to read company data. Don't hand them raw database credentials — and don't hand-build a locked-down API for every one. Register a database, set a policy, give the agent a token. It reads only what you allow, with PII masked, rate-limited, and every query logged.

Start freeOr explore the Data Console

Raw DB credentials to an agent

It can read every customer's PII, run anything, with zero audit. No security team signs off on that.

A hand-built API per agent

Slow, brittle, and rewritten for every new agent and every schema change. There's no standard safe door — until now.

What it does

Scoped to exactly what you allow

Pick the tables and columns an agent may read. Everything else is invisible — no joins to off-limits data, no SELECT *, no surprises.

PII masked by default

We scan for emails, phone numbers, cards and SSNs on connect and mask them server-side. The agent gets useful data, never the raw secret.

Read-only, always

The gateway can't write, drop, or mutate — by construction. Row caps and per-token rate limits keep one agent from hammering prod.

Speaks MCP natively

Register the gateway as an MCP server and your agent gets list_tables and query_table out of the box. Or call the plain REST endpoint.

Every query audited

Who asked for what, when, which columns were masked, and what was denied — a full activity log you can finally answer questions from.

No raw credentials

Agents authenticate with a scoped, revocable token — never your database password. Revoke one agent without touching the others.

How it works

1

Register a database

Connect read-only and we introspect the schema and scan for PII automatically.

2

Set the policy

Tick the tables and columns agents may read, set PII masking, row caps and rate limits.

3

Issue a token

Hand one agent a scoped agt_ token — over MCP or REST. Revoke it anytime.

4

Ship with confidence

The agent reads only what's allowed, masked and rate-limited, with every query logged.

Plug into any agent over MCP

Point your agent at the gateway's MCP endpoint with a scoped token. It gets two tools — list_tables and query_table — both governed, masked and audited.

{
  "mcpServers": {
    "support-copilot": {
      "url": "https://dbshifts.com/api/v1/agent-gateways/mcp",
      "headers": { "Authorization": "Bearer agt_..." }
    }
  }
}

Ship agents without betting the database on them.

Free to start — no card. Read-only, masked, rate-limited, fully audited.

Get startedTalk to us