How do I guard my first tool call?
From zero to a guarded call in a few minutes: create an account, mint a key with a policy, and ask the gateway for a verdict.
1. Create an account
Sign up on the dashboard with Google, GitHub, or an email and password. Everything you create — keys, policies, upstreams — is scoped to your account.
2. Write a policy
On the Policies page, create a policy. A policy is an ordered list of rules; each rule matches a tool by a glob and yields a decision. Start simple — for example, allow read-only tools, require approval for anything that sends or deletes:
[
{ "tool": "send_*", "decision": "require_approval" },
{ "tool": "delete_*", "decision": "deny" },
{ "tool": "*", "decision": "allow" }
]See writing policies for conditions, priority, and the default decision.
3. Create an API key
On the API Keys page, create a key and attach your policy. The full key is shown once — copy it now; only its hash is stored.
4. Ask for a verdict
The simplest way to use Enforgate is the /v1/check endpoint — a dry-run verdict for a single tool call. Replace the key below with the one you just created:
curl -s https://api.enforgate.com/v1/check \
-H "Authorization: Bearer bwb_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"serverName": "demo",
"toolName": "send_email",
"args": { "to": "someone@example.com" }
}'You get back a verdict and an audit-log entry:
{
"decision": "require_approval",
"reason": "send_email requires human approval",
"policyId": "…",
"toolCallId": "…",
"latencyMs": 7
}5. Proxy your real tools
To guard an agent end-to-end, register your MCP servers as upstreams and point the agent at the gateway's /mcp endpoint — see the integration guides. Every tool call then flows through the same policy and audit log.
Tip: the dashboard's Playground runs your real policy and writes real audit rows, so you can test verdicts (and the approval flow) without wiring up an agent.