HiveKey

Product

OverviewScopeGuardLogEnforcementPlatform & gatewayIntegrations

Solutions

Security teamsPlatform engineeringCompliance & GRCPII & data protectionAI & ML teamsBy industryUse cases

Developers

DocsHow it worksAPI referenceMCP governanceMCP directory

Resources

BlogLearnGlossaryCompareComplianceTrust center

Company

AboutTeamContact
Pricing Book a demo
Home / Docs
Preview docs · APIs are illustrative

Build on the control plane.

Everything you need to put an agent under policy — scope what it can do, guard every action, and prove what happened. See how it works end to end, or jump to the API.

How it works API reference

Browse the docs

Pick a category, or start with how HiveKey works end to end.

How it works

See how an agent goes under policy end to end — a role, a guard rule checked in the path, and the first audit entry.

Concepts

Roles, scope, guards, and the immutable action log — the four ideas the whole platform rests on.

API reference

REST endpoints for agents, roles, policies, tokens, and audit events. Idempotent, versioned, paginated.

MCP governance

Register an MCP server, namespace its tools, and grant them per-role with read-only defaults.

Roles & policies

Compose scope grants with guard rules, version them, and roll them out across the fleet.

SDKs

First-party clients for TypeScript and Python. Wrap any agent runtime; point it at the gateway.

Webhooks

Subscribe to allow/deny verdicts, role changes, and kill-switch events. Signed and replay-safe.

SIEM export

Stream the action log to Splunk, Datadog, or any OCSF sink. Immutable, attributable, exportable.

Core concepts

HiveKey sits in the path of every action an agent takes. Four ideas do the work — learn these and the rest of the docs fall into place.

1

Agent

A verifiable identity for an automation. Every agent has an owner (an accountable human), a role, and a token it presents to the gateway.

2

Role

A reusable bundle of scope grants plus guard rules. Define it once; apply it to many agents. Anything the role doesn't grant is invisible.

3

Scope

The set of actions an agent may attempt — e.g. mail.send, payments.pay, crm.read. Deny-by-default: nothing is granted implicitly.

4

Guard

A condition evaluated before an action runs — domain allowlists, spend caps, sign-off thresholds. The check happens in the path; there's no way around it.

5

Action log

An append-only record of every attempt — allowed or denied — attributed to an agent, a role, and a human. Exportable to your SIEM.

See how HiveKey fits your stack.

From role to first audit entry, end to end — our team sets it up with you.

See how it works