Safe Postgres access, for agents and humans
One policy engine in the PostgreSQL wire protocol. Scope what a credential can do, mask what it sees, bound what it spends, and record every statement. The same controls work whether the principal is an AI agent or a person.
Access control & safety
Decide what the connection can do
Every rule is enforced in the PostgreSQL wire protocol, before a query reaches your database. Set it once on a credential; it applies to every statement that credential runs.
Scoped credentials
Issue a per-principal Postgres username and password. The principal never sees your real database credentials, and you revoke access with one click.
- For agents: Give each agent its own credential instead of sharing one superuser string. Revoke a compromised agent without rotating the database password.
- For humans: Hand a contractor or analyst a credential scoped to exactly what their task needs. When the engagement ends, you delete the credential, not the database user.
Read-only enforcement
Block every INSERT, UPDATE, DELETE, and DDL per credential. Reads pass, writes are rejected before they reach your database.
- For agents: The safest credential you can hand an AI. A misfired generated UPDATE never runs, because the proxy refuses it.
- For humans: A support engineer querying production can read freely with no path to change a row by accident.
Table and column allowlists
Allow the exact schemas, tables, and columns a credential can touch. Anything off the list is blocked at the wire.
- For agents: Keep an agent in the tables relevant to its job. It cannot wander into billing or auth tables it was never meant to see.
- For humans: Scope an analyst to the reporting schema. The customer PII tables stay invisible even if they go looking.
Row-level policies
Scope a credential to a slice of a table. PgBeam appends a WHERE predicate to every query, so the principal only ever sees the rows you allow.
- For agents: Bind a per-tenant agent to one tenant_id. Its queries are rewritten so it can only read that tenant's rows, no matter what SQL it generates.
- For humans: Constrain an analyst to one region or one customer. The same table serves everyone; each principal sees only their slice.
Kill-switch
Stop a single credential or every credential on a project instantly. The next statement is refused, no credential rotation required.
- For agents: An agent stuck in a loop, or behaving in a way you don't like, is off in one click. No waiting for a deploy.
- For humans: Cut off access during an incident without touching the database or coordinating a password change.
Identity & auth
How principals connect
Two front doors, both backed by the same policy engine: a guarded Postgres connection string and a hosted MCP endpoint.
Hosted MCP endpoint
One URL to connect to. Policy-enforced query, list_tables, describe_table, and explain tools. No server to run, no install.
- For agents: Paste one URL into Claude Code, Cursor, or any MCP client. The agent gets structured database tools instead of a raw socket.
- For humans: Wire the same endpoint into an internal tool or a chat assistant your team already uses. The policy follows the token.
Guarded connection string
A standard Postgres connection string that any driver, ORM, or client speaks. Enforcement happens at the wire, so nothing in your stack changes.
- For agents: Hand an agent framework a connection string it already knows how to use. psql, pg, asyncpg, JDBC: all work, all guarded.
- For humans: Drop the string into a BI tool, a notebook, or a migration runner. It connects like any other Postgres, with the guardrails attached.
SCRAM-SHA-256 auth
Credentials authenticate via SCRAM, so the password is never sent over the wire, even inside the encrypted channel.
- For agents: An agent's stored secret authenticates without ever transmitting the password itself. One less secret to leak in a log.
- For humans: Bring credential auth up to the standard your security team already expects from Postgres, end to end.
Data protection
Control what comes back
Guardrails on the result, not just the query. Sensitive values are handled in flight, before they leave the proxy.
PII and column masking
Redact, null, or hash sensitive columns in flight, by schema.table.column. Your app reads real values; the principal receives masked ones it can still join and group on.
- For agents: An agent can analyze customer behavior without ever seeing an email or a card number. The raw value never reaches the model context.
- For humans: An analyst runs cohort queries on masked emails. They can group and count without reading anyone's actual address.
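The join-and-group property above depends on the mask being deterministic. The example below is added here and is not PgBeam's code: it applies the three masking strategies the page names (redact, null, hash) to a constructed result set, keyed by schema.table.column, and uses a keyed HMAC rather than a bare hash so equal emails still match across rows while the token cannot be reversed with a wordlist. The policy table, key, and sample rows are all constructed for the example.

```python
import hashlib
import hmac

# Constructed masking policy, keyed by schema.table.column as the page describes.
# The three strategy names are the page's own: redact, null, hash.
MASK_POLICY = {
    "public.customers.email": "hash",
    "public.customers.card_last4": "redact",
    "public.customers.phone": "null",
}

# Assumption: a per-project secret held by the proxy and never given to a principal.
# A keyed hash stays deterministic (so JOIN and GROUP BY on the masked column work)
# but, unlike plain SHA-256 of an email, cannot be inverted by hashing a wordlist.
MASK_KEY = b"constructed-demo-key-do-not-use"


def mask_value(value, strategy):
    """Apply one masking strategy to a single cell; NULLs stay NULL."""
    if value is None or strategy == "null":
        return None
    if strategy == "redact":
        return "[REDACTED]"
    if strategy == "hash":
        digest = hmac.new(MASK_KEY, str(value).encode(), hashlib.sha256).hexdigest()
        return "h:" + digest[:16]
    raise ValueError(f"unknown masking strategy {strategy!r}")


def mask_rows(table, columns, rows, policy=MASK_POLICY):
    """Mask a result set in flight. `columns` names each position of the row tuples."""
    strategies = [policy.get(f"{table}.{column}") for column in columns]
    return [
        tuple(mask_value(v, s) if s else v for v, s in zip(row, strategies))
        for row in rows
    ]


# Constructed result set, as the database would hand it to the proxy.
SAMPLE_COLUMNS = ["id", "email", "card_last4", "phone", "region"]
SAMPLE_ROWS = [
    (1, "alice@example.com", "4242", "+1-555-0100", "us-east"),
    (2, "bob@example.com", "1881", "+1-555-0101", "us-east"),
    (3, "alice@example.com", "4242", "+1-555-0102", "eu-west"),
]

if __name__ == "__main__":
    for row in mask_rows("public.customers", SAMPLE_COLUMNS, SAMPLE_ROWS):
        print(row)
```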
Budgets & limits
Bound the blast radius
Caps that turn a runaway query or a bad loop into a bounded, recoverable event instead of a database incident.
Query budgets and row caps
Cap queries per hour or day and rows per result. Runaway loops and accidental full-table scans hit a ceiling instead of your database.
- For agents: An agent that retries a failing query in a loop spends its budget and stops, instead of hammering the database all night.
- For humans: A misjudged SELECT without a WHERE returns the first N rows and a clear limit, not a 40-million-row table dump.
Audit & observability
Know what ran, and react to it
Every statement is recorded with its decision. Stream those events to your own systems and flag the ones that look wrong.
Full query audit log
Every statement recorded with its decision, reason, rows, bytes, and latency. Filter in the dashboard, export, and archive for retention.
- For agents: Reconstruct exactly what an agent did and why a query was allowed or blocked. The audit trail is the answer to 'what did the model touch?'
- For humans: Answer an auditor's question about who read which table when, with the SQL and the outcome on record.
Anomaly detection
Flag query-volume spikes, off-hours access, and query shapes a credential has never run before. Surface alerts when a credential drifts from its baseline.
- For agents: Catch an agent that starts behaving differently from its normal pattern: more volume, new query shapes, access at 3am.
- For humans: Notice a human credential being used in a way it never was before, which is often the first sign of a compromised account.
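The three signals above (volume spike, off-hours access, never-seen query shape) can all be computed from the audit log the page describes. The example below is added here and is not PgBeam's detection code: it fingerprints each statement by replacing literals with placeholders, builds a per-credential baseline, and flags recent events that drift from it. The on-hours window, spike factor, event format, and the sample events are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

BUSINESS_HOURS = range(8, 18)  # assumed on-hours window (UTC); anything else is off-hours
SPIKE_FACTOR = 3               # assumed: an hour with > 3x the baseline peak is a spike

def query_shape(sql):
    """Reduce a statement to its shape: literals become '?', case and spacing normalise."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)   # string literals (with '' escapes)
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)  # numeric literals
    return re.sub(r"\s+", " ", s).strip().lower()

def build_baseline(events):
    """Per credential: the set of shapes seen and the busiest hour's statement count."""
    shapes, per_hour = defaultdict(set), defaultdict(Counter)
    for e in events:
        shapes[e["cred"]].add(query_shape(e["sql"]))
        per_hour[e["cred"]][e["ts"].replace(minute=0, second=0, microsecond=0)] += 1
    return {"shapes": shapes, "peak": {c: max(h.values()) for c, h in per_hour.items()}}

def find_anomalies(baseline, events):
    """Return (credential, reason, detail) tuples for events that drift from the baseline."""
    findings, per_hour = [], defaultdict(Counter)
    for e in events:
        cred, shape = e["cred"], query_shape(e["sql"])
        if shape not in baseline["shapes"].get(cred, set()):
            findings.append((cred, "new_shape", shape))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append((cred, "off_hours", e["ts"].isoformat()))
        per_hour[cred][e["ts"].replace(minute=0, second=0, microsecond=0)] += 1
    for cred, hours in per_hour.items():
        limit = SPIKE_FACTOR * baseline["peak"].get(cred, 1)
        findings += [(cred, "volume_spike", f"{n} statements at {h.isoformat()}")
                     for h, n in hours.items() if n > limit]
    return findings

def ev(cred, ts, sql):  # constructed audit event in the shape a proxy log might record
    return {"cred": cred, "ts": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), "sql": sql}

# Constructed history: a per-tenant agent that normally runs one query shape in the day.
BASELINE_EVENTS = [ev("agent-7", "2024-05-01T10:00:00", f"SELECT * FROM orders WHERE tenant_id = {i}")
                   for i in range(5)]
# Constructed recent activity: a never-seen shape at 03:15, then a burst of 16 reads at 11:00.
RECENT_EVENTS = [ev("agent-7", "2024-05-02T03:15:00", "SELECT email FROM users WHERE id = 1")] + [
    ev("agent-7", "2024-05-02T11:00:00", f"SELECT * FROM orders WHERE tenant_id = {i}") for i in range(16)]

if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_EVENTS), RECENT_EVENTS):
        print(*finding)
```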
Webhook & SIEM audit export
Stream audit events to your own systems. Fire a webhook when a query is blocked, a budget runs out, or a kill-switch trips, and pipe the full log to a SIEM.
- For agents: Trigger your own automation the moment an agent's query is blocked. Route the full agent audit stream into Splunk, Datadog, or Elastic.
- For humans: Land database access events in the same SIEM your security team already watches, alongside everything else.
Write safety & branching
Let principals write, safely
Read-only is the safe default. When a principal needs to write, give it somewhere safe to do it instead of production.
Instant branches
Hand a credential an instant, isolated branch of the database: fast, cheap, and scales to zero. The principal writes freely, then you discard it. Production is never touched.
- For agents: Let an agent run a backfill or test a generated UPDATE against a throwaway copy of production. Discard the branch when the session ends; nothing merges back unless you say so.
- For humans: Give a contractor a writable sandbox that looks exactly like production, without risking the real thing or standing up a separate environment.
Always-rollback dry-run
A mode where transactions are never committed. The principal writes, sees the effect within the transaction, and PgBeam rolls back at the end.
- For agents: Let an agent see what its write would do without it ever persisting. True dry-run for generated mutations.
- For humans: Validate a destructive statement against real data, observe the result, and know nothing was actually committed.
Migrations
Catch the dangerous DDL first
Schema changes are where a single statement can lock a table or rewrite millions of rows. PgBeam lints before it runs.
Safe migrations
Lint a migration before it runs: catch table rewrites, ACCESS EXCLUSIVE locks, missing CONCURRENTLY, unsafe column drops or type changes, and NOT NULL without a default. Warn or block, with a preview and fix hints.
- For agents: Stop an agent-generated migration from taking an exclusive lock on a hot table in production. The lint runs before the DDL does.
- For humans: Give engineers shipping schema changes the same review a senior DBA would do, automatically, on every migration.
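To show what the lint above is checking for, here is an added example (not PgBeam's linter) that pattern-matches a migration script against a handful of the unsafe DDL shapes the page lists: a column type change that rewrites the table, ADD COLUMN ... NOT NULL without a DEFAULT, CREATE INDEX without CONCURRENTLY, SET NOT NULL, and a column drop. The rule table, severities, hints, and the sample migration are constructed; statements are split on ';', which assumes no semicolons inside string literals.

```python
import re

# Rule table: (severity, regex over the normalised statement, rule id, fix hint).
# "block" refuses the DDL, "warn" lets it run with a note; both outcomes come from the page.
RULES = [
    ("block", r"^alter table .* alter column .* type ", "type_change_rewrites_table",
     "changing a column type rewrites the table under an ACCESS EXCLUSIVE lock; add a new column, backfill, swap"),
    ("block", r"^alter table .* add column (?!.*\bdefault\b).*\bnot null\b", "not_null_without_default",
     "ADD COLUMN ... NOT NULL fails on a populated table without a DEFAULT; add one or backfill first"),
    ("block", r"^create (unique )?index (?!concurrently)", "missing_concurrently",
     "a plain CREATE INDEX blocks writes for the whole build; use CREATE INDEX CONCURRENTLY"),
    ("warn", r"^alter table .* alter column .* set not null\b", "set_not_null_scans_table",
     "SET NOT NULL scans the table under an ACCESS EXCLUSIVE lock; add a CHECK ... NOT VALID, VALIDATE, then SET NOT NULL"),
    ("warn", r"^alter table .* drop column\b", "column_drop",
     "dropping a column is irreversible and breaks clients still selecting it; stop reading it first"),
]

def normalise(statement):
    return re.sub(r"\s+", " ", statement).strip().lower()

def lint_migration(sql):
    """Lint each statement of a migration; return (severity, rule, hint, statement) per hit.
    Constructed simplification: statements are split on ';' (no ';' inside string literals)."""
    findings = []
    for raw in sql.split(";"):
        stmt = normalise(raw)
        for severity, pattern, rule, hint in RULES:
            if stmt and re.search(pattern, stmt):
                findings.append((severity, rule, hint, stmt))
    return findings

def decision(findings):
    """Whole-migration verdict: block if any rule blocks, warn if any warns, else ok."""
    severities = {f[0] for f in findings}
    return "block" if "block" in severities else "warn" if "warn" in severities else "ok"

# Constructed migration script, of the kind an agent or an engineer might submit.
SAMPLE_MIGRATION = """
ALTER TABLE orders ADD COLUMN region text NOT NULL;
CREATE INDEX orders_region_idx ON orders (region);
ALTER TABLE orders ALTER COLUMN amount TYPE numeric(12, 2);
ALTER TABLE orders DROP COLUMN legacy_flag;
CREATE INDEX CONCURRENTLY orders_created_idx ON orders (created_at);
"""

if __name__ == "__main__":
    found = lint_migration(SAMPLE_MIGRATION)
    for severity, rule, hint, stmt in found:
        print(f"[{severity}] {rule}: {stmt}\n    fix: {hint}")
    print("verdict:", decision(found))
```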
Agent ergonomics
Built for the way agents work
A proxy that absorbs the things agents and bursty traffic do to a database, and speaks back in a way models understand.
LLM-readable errors
When a query is blocked, the proxy returns an error the model can read and act on, explaining what was refused and why.
- For agents: A blocked query becomes a hint the agent can correct against, not an opaque failure it loops on.
- For humans: Clients and tools get a clear reason for a rejection instead of a generic permission error.
Connection pooling
Warm, authenticated upstream connections are shared across many clients. Thousands of short-lived sessions map onto a small number of database connections.
- For agents: Agents open and abandon connections constantly. The pool absorbs the churn so your database connection count stays flat.
- For humans: Bursty internal tools and notebooks share the pool instead of exhausting your database's connection limit.
Query caching
Repeated reads are served from a regional cache with stale-while-revalidate semantics, controlled per query or from the dashboard.
- For agents: Agents re-ask the same questions. Caching absorbs the repeats so the database isn't queried a hundred times for the same answer.
- For humans: Dashboards and reports that re-run the same reads resolve from cache instead of round-tripping every time.
Get started with PgBeam
No credit card required. Start with a 14-day free trial and scale when you need to.