AgentBouncer overview
Verify signed AI-agent requests and apply project-specific access policies.
AgentBouncer verifies HTTP Message Signatures sent by AI agents, resolves the signer public key, evaluates your project policy, and returns a final access decision.
The most important integration rule
Use allowed as the final authorization decision. verified reports the cryptographic result, while allowed reports the effective project-policy decision.
| verified | allowed | Meaning |
|---|---|---|
| true | true | The signature is valid and the request is allowed. |
| true | false | The signature is valid, but the project policy denied access. |
| false | true | The request was not verified but was allowed by MONITOR_ONLY or another permissive setting. |
| false | false | The request failed verification and access was denied. |
- Verify RFC 9421 HTTP Message Signatures.
- Resolve provider and project-owned public keys.
- Apply trust tiers, trust scores, actions, tools, and custom rules.
- Protect MCP tools, APIs, checkout operations, and autonomous workflows.
- Record verification events for analytics and incident investigation.