Safe Postgres forAI agents
A scoped connection string or hosted MCP endpoint that enforces read-only access, allowlists, PII masking, and budgets at the wire, and audits every query. Any Postgres, zero code changes.
No credit card. 14-day trial. Works with any Postgres.
Connecting agent…
PgBeam decides every statement at the wire.
CLI
$ curl -fsSL https://pgbeam.com/install | shAI Agents
Learns to install, auth, and use PgBeamRead https://pgbeam.com/skill.md and follow instructionsCapabilities
Everything an agent should not get wrong
Hand an agent a scoped connection string instead of a superuser one. Every guardrail is enforced at the wire, before a query reaches your database.
Wire-level guardrails
Read-only enforcement, table allowlists, and a kill-switch, enforced in the PG wire protocol before a query reaches your database. Blocked queries return an LLM-readable error.
Full audit trail
Every statement an agent runs, allowed or blocked, with the decision, rows, bytes, and latency. Queryable in the dashboard and archived for retention.
PII masking
Redact, null, or hash sensitive columns in agent results, applied in flight. Your app sees real data; the agent never does.
Hosted MCP endpoint
Paste one URL into Claude Code, Cursor, or any MCP client. Policy-enforced query, list_tables, describe_table, explain, and schema_catalog tools, with no install.
Performance
Faster reads, wherever your users are.
First-query latency (TLS connect + p50 query) measured from serverless functions. MISS benefits from connection pooling; HIT serves from the edge cache without touching the database.
Running live benchmarks
Measuring real latency from global regions
How it works
Safe agent access in four steps
Enforcement happens at the PostgreSQL wire protocol, between the agent and your database. Works with RDS, Aurora, self-hosted, or any managed Postgres. No code changes.
Issue a scoped agent credential
Connect your database once. PgBeam mints a Postgres connection string and a hosted MCP URL for each agent. The agent gets those, never your real database credentials, and you can revoke either one instantly.
Scoped, revocable, kill-switchable. Your real database credentials never leave PgBeam.
Attach a policy
Pick read-only or read-write, allow specific tables, mask sensitive fields, and set query budgets and row caps. Policies stream to the proxy and hot-reload, so a change takes effect on the next query.
Enforcement happens in the wire
Every statement is parsed and checked against the policy before it reaches your database. Disallowed writes and off-limits tables are blocked with an LLM-readable error; flagged columns are masked in the result. No code in your database, no extension to install.
SELECT id, email FROM usersmaskedemail hashed before it leaves the wire
UPDATE orders SET status = 'paid'blockedSELECT * FROM internal_secretsblockedSELECT count(*) FROM ordersallowedAudit every query
Each statement is recorded with its decision, reason, rows, bytes, and latency. Query the log in the dashboard, hit a kill-switch to stop an agent mid-session, and keep an exportable record of everything the agent did.
Try it
See exactly what an agent can and cannot run
Type a statement or pick one below. PgBeam evaluates it against the example policy the same way the wire does: allowed, masked, or blocked, each with the LLM-readable reason the agent gets back.
allowed, but sensitive columns are rewritten before results leave the wire: users.email → hash. The agent can still join and group on them.
Policy in force
Every statement is checked against this policy in the wire before it reaches the database. Change the query on the left to see the decision.
The full gateway
One policy engine, enforced at the wire
A guarded connection string and a hosted MCP endpoint, both backed by the same policy. Set the rules once; they apply to every statement the agent runs, over any Postgres host.
Scoped agent credentials
Issue a per-agent Postgres username and password. The agent never sees your real database credentials, and you revoke its access with one click.
Hosted MCP endpoint
One URL the agent connects to. query, list_tables, describe_table, explain, and schema_catalog tools, every call enforced against the policy. No server to run.
Read-only enforcement
Block every INSERT, UPDATE, DELETE, and DDL per credential. Reads pass, writes are rejected before they reach your database.
Table allowlists
Allow the exact schemas and tables the agent should touch. Anything off the list is blocked at the wire.
PII masking
Redact, null, or hash sensitive columns in flight. Your app reads real values; the agent receives masked ones it can still join and group on.
Query budgets and row caps
Cap queries per hour or day and rows per result. Runaway loops and accidental full-table scans hit a ceiling instead of your database.
Kill-switch
Stop a single agent or every agent on a project instantly. The next statement is refused, no credential rotation required.
Full audit trail
Every statement recorded with its decision, reason, rows, bytes, and latency. Filter in the dashboard, export, and archive for retention.
Zero code changes
Enforcement is in the PostgreSQL wire protocol, not your database. Standard drivers, ORMs, and agent frameworks connect with a connection-string host swap. The serverless HTTP driver (@neondatabase/serverless) needs one line pointing it at PgBeam. No extension to install.
A real proxy underneath
The gateway runs on a globally distributed wire-protocol proxy. Connection pooling absorbs the connections agents leak, query caching absorbs the questions they re-ask, and routing to the nearest region keeps latency low worldwide.
Give your agent Postgres it can't wreck
Issue a scoped credential, attach a policy, and watch every query in the audit log. No credit card required. 14-day free trial.