Agent firewall · both directions

The firewall for every agent — the ones you run, and the ones that visit you.

AxioRank inspects every tool call your AI agents make — catching leaked secrets, destructive commands, and prompt injection in under 100 ms, then enforcing your policies and writing a redacted, immutable audit trail. And on the way in, it verifies every AI agent that visits your site — cryptographically, not by user-agent string.

drop-in gateway · deny by default · secrets fingerprinted, never stored

POST /gateway/tool-call · inspecting
tool: aws.s3.deleteBucket
risk: 98
policy: evaluating…
sig: scanning payload…

The exposure

Agents act autonomously — with production credentials.

Give a model tools and it can read your database, push code, and call your cloud. The same autonomy that makes agents useful makes a single bad tool call catastrophic.

Credential leak

Agents hold real secrets

A tool call carries a live cloud key straight to an external service — one paste from exfiltration.

arguments.env.AWS_ACCESS_KEY_ID
"AKIA••••••••••••EXAMPLE"
secret.aws_access_key · critical

Destructive op

One statement drops prod

Generated SQL runs without a WHERE clause and rewrites — or deletes — an entire table.

arguments.query
DELETE FROM users;
destructive.sql_no_where · high

Injection

Untrusted input hijacks

Hostile content steers the agent toward your cloud metadata endpoint to harvest credentials.

arguments.url
"http://169.254.169.254/…"
injection.ssrf · high

How it works

One synchronous hop from tool call to verdict.

The risk engine and policy layer are pure and in-process — no network calls on the hot path. The whole pipeline returns in under 100 ms.

  1. Wrap

    Your agent calls the gateway through the SDK instead of the tool directly.

    axio.enforce({ tool, arguments })
  2. Authenticate

    The gateway resolves the agent from its API key — no session, no SDK rewrite.

    Bearer axr_live_…
  3. Inspect

    Detectors scan every payload leaf for signals and combine them into a score.

    31 detectors → risk 0–100
  4. Decide

    Policies resolve under deny-overrides to a single allow or deny verdict.

    deny-overrides
  5. Record

    A redacted, immutable audit row is written and high-risk calls fire alerts.

    redacted · append-only

Content inspection

Five categories. Thirty-one detectors.

Every string leaf of a tool call is scanned with bounded, ReDoS-safe patterns. Findings become redacted signals — the evidence proves a match without ever echoing the raw value.

Secret

12 detectors

Live credentials, fingerprinted and masked out of the stored payload.

AWS access key · AWS secret key · GitHub token · GitHub PAT · Slack token · Google API key · LLM provider key · Stripe live key · Private key (PEM) · JWT · Bearer token · Hardcoded credential

Destructive

6 detectors

Irreversible commands against files, databases, and cloud resources.

rm -rf · SQL DROP / TRUNCATE · DELETE without WHERE · Resource teardown · Git force push · Dangerous CLI flag

Injection

6 detectors

Attempts to hijack the agent, your database, shell, or network.

Prompt injection · System override · SQL injection · Shell injection · SSRF / metadata · Path traversal

PII

4 detectors

Personal data, masked in evidence — card numbers are Luhn-validated.

Email · US SSN · Phone · Credit card (Luhn)

Egress

3 detectors

Bulk reads and oversized payloads that signal data exfiltration.

Unbounded SELECT * · Bulk export · Oversized payload

Live inspector

Run the firewall in your browser.

Edit a tool call and watch AxioRank inspect it. Detection runs client-side, but the score and verdict use the combine() and evaluatePolicy() functions straight from the production engine.

valid JSON · every string leaf is scanned

Denied · 96

denied by policy "deny-live-secret" (secret detected)

risk score · base 90 · 96/100
signals · 1
Secret
  • AWS access key id · critical
    secret.aws_access_key · arguments.env.AWS_ACCESS_KEY_ID
    AK…LE · len 20 · sha256:96bca470

Policy playground

deny-overrides · toggle a rule to re-evaluate
  • deny-live-secret
    deny if secret detected · prio 5
    matched
  • deny-destructive
    deny if destructive detected · prio 15
  • risk ≥ 75
    deny if risk ≥ 75 · prio 50

Policy engine

Deny-overrides, by design.

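Policies are evaluated in priority order against a fixed precedence: the first matching rung wins, and explicit and signal denials sit on top. The safe default for a firewall: when nothing matches, the call is allowed, but any deny short-circuits everything below it. The risk-threshold deny is the one deny that sits below both allow rungs, so an explicit allow or a signal opt-out resolves the call before the threshold is consulted.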

A signal-category deny is as strong as an explicit deny — content inspection becomes enforceable, not just observable.

  1. Explicit deny
    action = deny, no conditions
    verdict: deny
  2. Signal deny
    a flagged category is present on the call
    verdict: deny
  3. Explicit allow
    action = allow, no conditions
    verdict: allow
  4. Signal allow
    an opt-out for a category on specific tools
    verdict: allow
  5. Risk threshold
    risk ≥ threshold for matching tools
    verdict: deny
  6. Default
    nothing matched
    verdict: allow
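
The six-rung ladder above, written out as an added example; it is not AxioRank's code, and the `Policy` shape, the `evaluateLadder` name and the lower-number-first tie-break are assumptions. The rules are constructed from the page's policy playground.

```typescript
type Category = "secret" | "destructive" | "injection" | "pii" | "egress";
interface Policy {
  name: string;
  action: "allow" | "deny";
  priority: number;     // assumed: lower number is evaluated first within a rung
  tools?: string[];     // assumed: omitted means every tool
  category?: Category;  // signal condition
  minRisk?: number;     // risk-threshold condition
}
interface Call { tool: string; risk: number; categories: Category[] }
interface Verdict { decision: "allow" | "deny"; reason: string }

// Place a policy on the page's ladder: 1 explicit deny, 2 signal deny,
// 3 explicit allow, 4 signal allow, 5 risk threshold.
function rung(p: Policy): number {
  if (p.minRisk !== undefined) return 5;
  if (p.action === "deny") return p.category ? 2 : 1;
  return p.category ? 4 : 3;
}

function matches(p: Policy, c: Call): boolean {
  if (p.tools && p.tools.indexOf(c.tool) < 0) return false;
  if (p.minRisk !== undefined) return c.risk >= p.minRisk;
  return p.category ? c.categories.indexOf(p.category) >= 0 : true;
}

// First matching rung wins; priority only breaks ties inside a rung.
function evaluateLadder(policies: Policy[], call: Call): Verdict {
  const hits = policies
    .filter((p) => matches(p, call))
    .sort((a, b) => rung(a) - rung(b) || a.priority - b.priority);
  if (hits.length === 0) return { decision: "allow", reason: "default" };
  const hit = hits[0];
  const decision = rung(hit) === 5 ? "deny" : hit.action;
  return { decision, reason: hit.name };
}

// Constructed rules mirroring the page's policy playground.
const rules: Policy[] = [
  { name: "deny-live-secret", action: "deny", priority: 5, category: "secret" },
  { name: "deny-destructive", action: "deny", priority: 15, category: "destructive" },
  { name: "risk>=75", action: "deny", priority: 50, minRisk: 75 },
];
const sampleCall: Call = { tool: "aws.s3.deleteBucket", risk: 98, categories: ["secret", "destructive"] };
console.log(evaluateLadder(rules, sampleCall));
```

Adding an unconditional allow for one tool places it on rung 3, which resolves before the rung-5 threshold for that tool while still losing to any signal deny.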

Audit & dashboard

Every call, logged and reviewable.

Decisions land in an immutable, redacted audit log — filterable by agent, tool, risk, and signal category — with high-risk activity surfaced the moment it happens.

app.axiorank.com/logs · live
Calls inspected: 1,284
Denied: 96
Avg risk: 38
Recent decisions (tool · agent · signals · risk · verdict)
  • aws.s3.deleteBucket · claude-prod · Secret, Destructive · 98 · deny
  • db.query · support-bot · Destructive, Egress · 90 · deny
  • slack.post · intake · PII · 73 · allow
  • github.push · ci-runner · 40 · allow
  • gmail.send · outreach · PII, Egress · 84 · deny

Top signals (last 24h)
  • Secret: 47
  • Destructive: 18
  • PII: 9
  • Injection: 5
  • Egress: 3

Deny rate (24h): 7.5%

Redaction

Proof a secret was there — without storing it.

Secrets are masked out of the payload at write time and replaced with a deterministic, irreversible fingerprint. The audit log can prove a key of this shape appeared, and even that the same key recurs, while never persisting the value itself.

What the agent sent (exposed)
{
  "env": {
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE"
  }
}
What AxioRank stores (redacted)
{
  "env": {
    "AWS_ACCESS_KEY_ID": «redacted:secret.aws_access_key»
  }
}
evidence
AK…LE · len 20 · sha256:a1b2c3d4 · critical
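
The string-leaf scan described under Content inspection and the write-time redaction described here, as an added example that is not AxioRank's implementation. The single detector pattern and the names `inspect`, `redact` and `fingerprint` are assumptions; the evidence string copies the page's `AK…LE · len 20 · sha256:` layout.

```typescript
import { createHash } from "node:crypto";

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
interface Signal { id: string; path: string; evidence: string }

// Constructed detector table: fixed-length, non-backtracking patterns only.
const DETECTORS: { id: string; pattern: RegExp }[] = [
  { id: "secret.aws_access_key", pattern: /\bAKIA[A-Z0-9]{16}\b/g },
];

// Evidence in the page's layout: edge characters, length, truncated SHA-256.
function fingerprint(value: string): string {
  const digest = createHash("sha256").update(value, "utf8").digest("hex").slice(0, 8);
  return `${value.slice(0, 2)}…${value.slice(-2)} · len ${value.length} · sha256:${digest}`;
}

// Walk every leaf; strings are scanned and matches replaced before storage.
function redact(node: Json, path: string, signals: Signal[]): Json {
  if (typeof node === "string") {
    let out = node;
    for (const { id, pattern } of DETECTORS) {
      out = out.replace(pattern, (match) => {
        signals.push({ id, path, evidence: fingerprint(match) });
        return `«redacted:${id}»`;
      });
    }
    return out;
  }
  if (Array.isArray(node)) return node.map((v, i) => redact(v, `${path}[${i}]`, signals));
  if (node !== null && typeof node === "object") {
    const copy: { [key: string]: Json } = {};
    for (const key of Object.keys(node)) copy[key] = redact(node[key], `${path}.${key}`, signals);
    return copy;
  }
  return node; // numbers, booleans and null carry no string content
}

function inspect(args: Json): { stored: Json; signals: Signal[] } {
  const signals: Signal[] = [];
  return { stored: redact(args, "arguments", signals), signals };
}

// Constructed sample: the tool-call arguments shown on the page.
const sample: Json = { env: { AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE" } };
console.log(JSON.stringify(inspect(sample), null, 2));
```

An unkeyed hash is only irreversible for high-entropy values; for low-entropy matches such as SSNs or phone numbers, a keyed HMAC with a server-held key keeps the fingerprint deterministic while preventing recovery by enumeration.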

The other direction

Now point it the other way.

Outbound, AxioRank governs the agents you run. Inbound, it verifies the agents that visit you — cryptographically, not by user-agent string. Same engine, both directions.

  1. Request

    An AI agent hits a property guarded by the AxioRank middleware.

    axioGuard({ siteKey })
  2. Identify

    Match the visitor against the known-agent directory — GPTBot, ClaudeBot, Perplexity, and more.

    20+ known agents
  3. Verify

    Check the Web Bot Auth signature cryptographically; fall back to reverse-DNS and user-agent.

    RFC 9421 · Ed25519
  4. Score

    Run the same detectors on the request for scraping, enumeration, and probe signals.

    risk 0–100
  5. Decide

    Inbound policies resolve under block-overrides to one verdict.

    allow · challenge · block
Verdicts: allow verified good actors · challenge unknown visitors · block spoofed identities

Integrations

Plugs into the stack you already run.

The gateway is the hot path; everything else is wired through tools you already trust — and degrades gracefully when they're not configured.

Supabase

Postgres, auth & policy store

Inngest

Async alerts & daily digests

Slack

Real-time high-risk alerts

PostHog

Decision & signal analytics

SDK

Drop it in. One line guards a call.

No agent rewrite — route tool calls through the gateway and let policy decide. Resolve the decision yourself with toolCall(), or let enforce() throw on a deny.

agent.ts
import { AxioRank, AxioRankDeniedError } from "@axiorank/sdk";

const axio = new AxioRank({ apiKey: process.env.AXIORANK_KEY! });

try {
  // One line guards the call — throws if the firewall denies it.
  await axio.enforce({
    tool: "aws.s3.deleteBucket",
    arguments: { bucket: "prod-backups", force: true },
  });
  // s3 is the application's own S3 client, defined elsewhere.
  await s3.deleteBucket("prod-backups"); // only runs when allowed
} catch (err) {
  if (err instanceof AxioRankDeniedError) {
    console.error(err.result.reason); // denied by policy "deny-destructive"
  } else {
    throw err; // any other failure is not a policy denial; do not swallow it
  }
}

Govern every agent — outbound and in.

Inspect the tool calls your agents make, verify the agents that visit you, and keep a redacted record of it all — in under 100 ms.