Enforcement that lives in the path — not a dashboard you check later.
HiveKey runs as a gateway in front of every agent action — a payment, a database write, an MCP call. A policy enforcement point intercepts the call, a policy decision point evaluates scope and guard, and the verdict is logged across your whole fleet — all in single-digit-to-low-double-digit milliseconds.
PEP in the path. PDP makes the call. Everything logged.
A clean separation of concerns: the enforcement point sits in the request flow, the decision point holds your policy, and the audit sink captures every verdict — allowed or denied.
- Agent fleet (teams · vendors · automations): issues an action request
- Gateway · PEP (policy enforcement point): intercepts every call in the path
- Policy engine · PDP (policy decision point): scope + guard → allow / deny
- Tools (email · payments · MCP): only allowed actions reach here
- Audit sink (immutable log · SIEM stream)
Every decision from the PDP is written here before the agent ever gets a response.
The policy itself — roles, rules, the trail — lives in Scope, Guard, and Log.
In the path, but you won't feel it.
Decisions are evaluated against a compiled policy with a local cache. The overhead is a fraction of the network call the agent was already making.
- < 12 ms p50 added latency (policy decision in the path)
- < 40 ms p99 added latency (under sustained load)
- 12k+ decisions / sec / node (horizontally scalable)
- 99.95% design availability (multi-AZ, target SLA)
Illustrative targets from internal benchmarks; figures will be published at GA.
Fail safe, not fail open.
Enforcement is on the critical path, so it's built like it: redundant by default, with a configurable posture for control-plane outages.
Multi-AZ by default
The gateway and policy engine run redundant across availability zones. No single node is a chokepoint.
Local decision cache
Compiled policy is cached at the enforcement point, so decisions keep flowing if the control plane is briefly unreachable.
Configurable posture
Choose fail-closed (deny on uncertainty) for sensitive actions, or fail-open with full logging for low-risk ones.
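A minimal sketch of the outage behavior described above, added here as an illustration and not HiveKey's code or API: an enforcement point evaluates a cached policy while it is fresh, falls back to a per-action posture once the cache is too old to trust, and records every verdict before returning it. All names (`EnforcementPoint`, `max_staleness`, the role and action strings) and the 30-second staleness window are assumptions.

```python
import time
from dataclasses import dataclass, field

FAIL_CLOSED, FAIL_OPEN = "fail-closed", "fail-open"

@dataclass
class EnforcementPoint:
    """Hypothetical PEP: cached policy, per-action outage posture, audit before reply."""
    max_staleness: float = 30.0                   # seconds a cached policy is trusted (assumed)
    posture: dict = field(default_factory=dict)   # action -> posture; default is fail-closed
    policy: set = field(default_factory=set)      # allowed (role, action) pairs
    synced_at: float = float("-inf")              # never synced: treated as stale
    audit: list = field(default_factory=list)     # stand-in for the audit sink

    def sync(self, allowed_pairs, now=None):
        """The control plane delivered a fresh compiled policy."""
        self.policy = set(allowed_pairs)
        self.synced_at = time.monotonic() if now is None else now

    def decide(self, role, action, now=None):
        now = time.monotonic() if now is None else now
        if now - self.synced_at <= self.max_staleness:
            allow = (role, action) in self.policy  # default deny for unknown pairs
            reason = "policy"
        else:
            # Policy is too old to trust: apply the posture configured for this action.
            mode = self.posture.get(action, FAIL_CLOSED)
            allow = mode == FAIL_OPEN
            reason = f"stale-policy:{mode}"
        # Record the verdict before the caller sees it, allowed or denied.
        self.audit.append({"role": role, "action": action, "allow": allow, "reason": reason})
        return allow

def demo():
    """Constructed scenario: policy synced at t=0, control plane unreachable afterwards."""
    pep = EnforcementPoint(posture={"email.send": FAIL_OPEN, "payments.create": FAIL_CLOSED})
    pep.sync({("billing-agent", "payments.create"), ("support-agent", "email.send")}, now=0)
    results = [
        pep.decide("billing-agent", "payments.create", now=5),    # fresh cache, in scope
        pep.decide("support-agent", "payments.create", now=5),    # fresh cache, out of scope
        pep.decide("billing-agent", "payments.create", now=120),  # stale, fail-closed
        pep.decide("support-agent", "email.send", now=120),       # stale, fail-open, logged
    ]
    return results, pep.audit

if __name__ == "__main__":
    for record in demo()[1]:
        print(record)
```

The fail-open branch is the one to watch in review: every `stale-policy:fail-open` record is an action that ran without a current policy decision, so that reason is worth alerting on in the SIEM stream.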
Run it where it fits your security posture.
Same control plane, same policy model — three ways to put the enforcement point in the path.
HiveKey Cloud
Fastest to value
Fully managed control plane. We run the gateway, policy engine, and audit store; you point your agents at it and configure roles.
- Zero infra to operate
- Auto-scaling & HA built in
- Region pinning available
Self-hosted
Your VPC, your keys
Deploy the full stack into your own cloud with Helm or Terraform. Data and audit log never leave your perimeter.
- Runs in your VPC
- BYO KMS / secrets
- Air-gap friendly
Sidecar
Lowest latency
Run the enforcement point as a sidecar next to each agent runtime. Decisions happen on-host; policy syncs from the control plane.
- In-process / on-host PEP
- Local decision cache
- Survives control-plane blips
Put every agent your company runs under one policy.
Watch HiveKey scope, guard, and block a live action on your own agents — 30 minutes, no slides, no commitment.