Safe Postgres forAI agents

A scoped connection string or hosted MCP endpoint that enforces read-only access, allowlists, PII masking, and budgets at the wire, and audits every query. Any Postgres, zero code changes.

No credit card. 14-day trial. Works with any Postgres.

agent → pgbeam → prod
live

Connecting agent…

PgBeam decides every statement at the wire.

CLI

$ curl -fsSL https://pgbeam.com/install | sh

AI Agents

Learns to install, auth, and use PgBeam
Read https://pgbeam.com/skill.md and follow instructions

Capabilities

Everything an agent should not get wrong

Hand an agent a scoped connection string instead of a superuser one. Every guardrail is enforced at the wire, before a query reaches your database.

Wire-level guardrails

Read-only enforcement, table allowlists, and a kill-switch, enforced in the PG wire protocol before a query reaches your database. Blocked queries return an LLM-readable error.

Full audit trail

Every statement an agent runs, allowed or blocked, with the decision, rows, bytes, and latency. Queryable in the dashboard and archived for retention.

PII masking

Redact, null, or hash sensitive columns in agent results, applied in flight. Your app sees real data; the agent never does.

Hosted MCP endpoint

Paste one URL into Claude Code, Cursor, or any MCP client. Policy-enforced query, list_tables, describe_table, explain, and schema_catalog tools, with no install.

Performance

Faster reads, wherever your users are.

First-query latency (TLS connect + p50 query) measured from serverless functions. MISS benefits from connection pooling; HIT serves from the edge cache without touching the database.

Running live benchmarks

Measuring real latency from global regions

N. VirginiaDublinTokyo
See more benchmarks →

How it works

Safe agent access in four steps

Enforcement happens at the PostgreSQL wire protocol, between the agent and your database. Works with RDS, Aurora, self-hosted, or any managed Postgres. No code changes.

1

Issue a scoped agent credential

Connect your database once. PgBeam mints a Postgres connection string and a hosted MCP URL for each agent. The agent gets those, never your real database credentials, and you can revoke either one instantly.

agent credential
# Connection string
postgresql://agent_4f2c:••••@a1b2c3.proxy.pgbeam.app:5432/app
# Hosted MCP endpoint
https://a1b2c3.proxy.pgbeam.app/mcpBearer pba_…

Scoped, revocable, kill-switchable. Your real database credentials never leave PgBeam.

2

Attach a policy

Pick read-only or read-write, allow specific tables, mask sensitive fields, and set query budgets and row caps. Policies stream to the proxy and hot-reload, so a change takes effect on the next query.

Policy: analytics-readonlyattached
Read-onlySELECT only
Tablespublic.orders, public.users
Maskusers.email → hash
Budget5k queries / day · 1k rows max
3

Enforcement happens in the wire

Every statement is parsed and checked against the policy before it reaches your database. Disallowed writes and off-limits tables are blocked with an LLM-readable error; flagged columns are masked in the result. No code in your database, no extension to install.

Per-statement decision
SELECT id, email FROM usersmasked

email hashed before it leaves the wire

UPDATE orders SET status = 'paid'blocked
SELECT * FROM internal_secretsblocked
SELECT count(*) FROM ordersallowed
4

Audit every query

Each statement is recorded with its decision, reason, rows, bytes, and latency. Query the log in the dashboard, hit a kill-switch to stop an agent mid-session, and keep an exportable record of everything the agent did.

audit log
timeagentdecisionrowsms
12:04:21agent_4f2callowed1289
12:04:19agent_4f2cmasked111
12:04:12agent_9a1dblocked2
12:03:58agent_4f2callowed1k14

Try it

See exactly what an agent can and cannot run

Type a statement or pick one below. PgBeam evaluates it against the example policy the same way the wire does: allowed, masked, or blocked, each with the LLM-readable reason the agent gets back.

policy playground
read-only · allowlist · PII masked
MASKEDusers.email

allowed, but sensitive columns are rewritten before results leave the wire: users.email → hash. The agent can still join and group on them.

Policy in force

moderead-only
tables
public.orderspublic.userspublic.products
mask
users.emailhashusers.phoneredact

Every statement is checked against this policy in the wire before it reaches the database. Change the query on the left to see the decision.

The full gateway

One policy engine, enforced at the wire

A guarded connection string and a hosted MCP endpoint, both backed by the same policy. Set the rules once; they apply to every statement the agent runs, over any Postgres host.

Scoped agent credentials

Issue a per-agent Postgres username and password. The agent never sees your real database credentials, and you revoke its access with one click.

Hosted MCP endpoint

One URL the agent connects to. query, list_tables, describe_table, explain, and schema_catalog tools, every call enforced against the policy. No server to run.

Read-only enforcement

Block every INSERT, UPDATE, DELETE, and DDL per credential. Reads pass, writes are rejected before they reach your database.

Table allowlists

Allow the exact schemas and tables the agent should touch. Anything off the list is blocked at the wire.

PII masking

Redact, null, or hash sensitive columns in flight. Your app reads real values; the agent receives masked ones it can still join and group on.

Query budgets and row caps

Cap queries per hour or day and rows per result. Runaway loops and accidental full-table scans hit a ceiling instead of your database.

Kill-switch

Stop a single agent or every agent on a project instantly. The next statement is refused, no credential rotation required.

Full audit trail

Every statement recorded with its decision, reason, rows, bytes, and latency. Filter in the dashboard, export, and archive for retention.

Zero code changes

Enforcement is in the PostgreSQL wire protocol, not your database. Standard drivers, ORMs, and agent frameworks connect with a connection-string host swap. The serverless HTTP driver (@neondatabase/serverless) needs one line pointing it at PgBeam. No extension to install.

A real proxy underneath

The gateway runs on a globally distributed wire-protocol proxy. Connection pooling absorbs the connections agents leak, query caching absorbs the questions they re-ask, and routing to the nearest region keeps latency low worldwide.

Connection poolingQuery cachingGlobal regionsScale to zero

Give your agent Postgres it can't wreck

Issue a scoped credential, attach a policy, and watch every query in the audit log. No credit card required. 14-day free trial.