Phinn
every agent action, accounted for
every agent action, accounted for
Phinn sits between your agents and tools (HTTP + MCP), enforcing default-deny, requiring human approvals for risky actions, and generating cryptographically verifiable receipts for every call.
Four ways it breaks down.
LangGraph, Claude, and ChatGPT can hit APIs, databases, and internal services with no enforceable guardrails.
When an agent mutates production data, teams can’t prove who initiated or approved it.
Agents can call tools directly unless enforcement sits at the gateway layer.
SecOps lacks real-time, tamper-evident telemetry on agent behavior.
Phinn issues short-lived, capability-scoped tokens per action. No token → no execution.
Slack approvals for deletes, wires, and other risky actions. Policies define approvers. Every decision is recorded with identity.
Hash-chained, Ed25519-signed receipts for every action. Verify offline with phinnctl verify. Prove to auditors exactly what happened, when, and who approved it.
Structured events stream to Splunk or Datadog using OTel semantics for full agent visibility.
Phinn runs entirely in your infrastructure. Tool traffic stays in your VPC; only configured telemetry and approvals leave. Fully self-hosted control plane today, managed issuer on deck.
Three components working together: gateway, issuer, and your existing tools.
Agent hits the issuer for a token scoped to method, path, and tool.
Issuer runs policy and, if needed, triggers Slack. Token is minted only after approval.
Gateway verifies binding, prevents replay, forwards to the tool, and writes a signed receipt.
Same gateway, multiple topologies.
Run the gateway beside each agent workload. Route HTTP/MCP calls with minimal config changes.
Operate Phinn as a central ingress so agent traffic routes through one enforcement point.
Drop it on a VM for non-Kubernetes environments. Same enforcement, simpler stack.