Governed execution for production AI agents

Agents can reason.
Nolixan lets them act — safely.

Connect AI agents to apps, APIs, MCP servers, and private tools — with OAuth, secrets, permissions, approvals, and audit trails built in.

  • Built for MCP
  • OAuth ready
  • Policy gated
  • Audit logged
  • VPC / on-prem ready

One control plane for the tools your agents need· example integrations

Google WorkspaceSlackGitHubSalesforceHubSpotNotionJiraStripePostgresInternal APIsMCP serversGoogle WorkspaceSlackGitHubSalesforceHubSpotNotionJiraStripePostgresInternal APIsMCP servers
Why agent action is hard

The hard part isn’t making agents talk. It’s letting them act.

Chat is solved. The moment an agent touches a real system — a CRM, a payment, a database — every shortcut becomes a production incident.

Credentials scattered across prompts and scripts

An API key gets pasted into a system prompt to “just make it work.”

prompt.md…use this token to call Stripe:
authBearer sk_live_a9F2…c1
secret exposed in prompt

One leaked log line exposes every system that key can touch.

Tools exposed without permission boundaries

An agent that only needs to read the CRM also has write and delete.

crm.readgranted
crm.writegranted
crm.deletegranted · unbounded
over-scoped access

A confused or jailbroken agent reaches far beyond its job.

No approval flow for risky actions

The agent issues a $4,000 refund at 2am with nobody watching.

actionstripe.create_refund · $4,000
time02:14 · auto-executed
no approval required

Irreversible actions run with no human in the loop.

No audit trail after something breaks

An agent updates the wrong CRM record and the team scrambles to explain it.

queryaudit WHERE action=crm.update
result0 rows
no trace recorded

Nobody knows which token, which tool, or who approved it.

Interactive demo

See a governed agent action in real time.

Click through a real request — or let it play. No two calls are treated the same: reads pass, writes are scoped, and risky actions wait for a human.

“Create a Salesforce follow-up task, send a Slack update, and attach the source summary from Notion.”

Agent receives the request

Create a Salesforce follow-up, post a Slack update, and attach the Notion summary.
Understood. Planning 3 tool calls — routing through Nolixan for authorization.
Architecture

One runtime between every agent and every action.

Whatever framework your agents use, every tool call is routed, authorized, policy-checked, and recorded in one place — instead of re-invented per app.

Agents & frameworks

OpenAI Assistants
LangChain
CrewAI
Claude
Custom agents
MCP clients
NNolixan control plane
Tool registry
Auth broker
Policy engine
Approval workflow
Execution runtime
Audit trace

every action flows through here

Business systems

SaaS apps
Internal APIs
Databases
MCP servers
Webhooks
Private tools
Platform

Everything between the agent and the action.

The full control plane — auth, tools, policy, approvals, runtime, and audit — so you ship production agents instead of stitching primitives together.

Managed OAuth & API keys

Never put a secret in a prompt again — Nolixan brokers auth and injects credentials at call time.

AES-256-GCM at rest · auto-refresh · per-user tokens

MCP gateway

Expose governed tools to any MCP client through one endpoint with progressive discovery.

JSON-RPC · initialize / tools.list / tools.call

Tool & connector registry

Typed, discoverable tools your agents can list and call without bespoke glue code.

1,000+ providers · JSON-Schema validated

Runtime policy engine

Allow, deny, or require approval for every call — evaluated server-side, not in the agent.

fail-closed: default-deny on writes · ordered rule resolution

Human-in-the-loop approvals

Pause risky actions for a person; execution resumes on approve, stops on deny.

approve / deny · Slack & web · resumable

Audit logs & traces

Every invocation is attributable and exportable for security and compliance reviews.

actor · tool · policy · args hash · trace_id

Private enterprise connectors

Bring your own internal APIs as first-class, org-scoped tools.

manifest-driven generic_http · org-scoped

Webhooks & events

React to provider events safely and route them into your agent or sync pipeline.

verified signatures · idempotent delivery

Agent SDK

One token, every framework — list tools, invoke, and get a trace back.

JavaScript · Python · MCP · REST

VPC / on-prem ready

Deploy inside your own boundary so secrets and data never leave it.

tenant isolation · no secret egress

Developer experience

One token. Every framework. Governed by default.

Policy, approval, and the audit trail are enforced on Nolixan’s side — so they hold no matter how the agent calls out.

agent.ts
import { Nolixan } from "@nolixan/sdk";

const nolixan = new Nolixan({ token: process.env.NOLIXAN_AGENT_TOKEN });

// 1. discover the tools this token is allowed to use
const tools = await nolixan.tools.list({ provider: "salesforce" });

// 2. invoke — with user/workspace context attached
const res = await nolixan.tools.invoke("salesforce.create_task", {
  input: { subject: "Follow up with Acme" },
  context: { user: "u_123", workspace: "ws_acme" },
});

console.log(res.status, res.trace_id); // "approval_required" nlx_8f2c4a

Response

{
  "status": "approval_required",
  "tool": "salesforce.create_task",
  "policy": "crm.write → 1 approver",
  "approval_url": "https://app.nolixan.dev/a/8f2c",
  "trace_id": "nlx_8f2c4a"
}
Permission-scoped tokennlx_live · 3 tools
Tool schema validatedJSON-Schema · 200
Trace ID returnednlx_8f2c4a
Read the quickstart
Security & governance

Built for teams that can’t let agents run wild.

Every action is classified before it runs — and logged after. Read freely, gate the risky stuff, block what should never happen.

Policy firewall classifying
Allowed
notion.get_pageslack.post_messagehubspot.read_contact
Needs approval
salesforce.create_taskstripe.create_refund
Blocked
postgres.drop_tableadmin.delete_user
Every decision — allow, approve, or block — is written to the audit log.
RBACroles & teams
Scoped credentialsper-agent, per-tool
Policy rulesallow / deny / approve
Approval gateshuman-in-the-loop
Audit exportSIEM-ready
Tenant isolationenv-scoped data
Secret encryptionAES-256-GCM
VPC / on-premyour boundary
Provability

Don't just govern agents — prove it.

Most platforms log what an agent did. Nolixan produces cryptographic proof you can verify offline — the layer no one else owns.

Offline-verifiable receipts

Every action yields an Ed25519-signed, hash-chained receipt. Hand a regulator the receipt and a public key — they verify exactly what happened, without trusting (or even reaching) us.

Exact approved-action re-run

What a reviewer approved is byte-for-byte what executes — no drift between the request that was approved and the call that runs.

Separation of duties

The person (or agent) who requests a sensitive action can't be the one who approves it. Every blocked self-approval is recorded.

Signed, diffable authority

Each agent carries a signed capability contract and every policy change is a versioned, diffable snapshot — "git for governance."

receipt.json · verify_receipt.py
actionstripe/create-refund
decisionapproved
approver≠ requester (SoD ✓)
args_hashsha256:9f2c…a1
signatureed25519 ✓ verified
chaintamper-evident ✓

exit 0 — signature + chain verified offline

Data redaction

Govern the data, not just the action.

Content-level DLP strips sensitive values out of what an agent sends, what it receives, and what you log — before the model ever sees them. Stronger than access control: a single allowed call can never leak a card number, secret, or patient ID.

tool response · inbound redaction
card4111 1111 1111 1111
emailalice@acme.com
aws_keyAKIA…REDACT
card411111******1111
email[REDACTED]
aws_key[REDACTED]
Financial · PAN, IBAN, routing Government / National-ID Health / PHI · NPI, MRN, MBI Contact / PII · email, phone, SSN Credentials & secrets · 24 providers Network / device GDPR special category

~60 built-in classes across 7 categories, checksum-validated to keep false positives low. Per class, choose redact · mask · drop · tokenize · fingerprint; start in monitor mode, then enforce. Every redaction writes a counts-only, signed receipt you can verify offline — no raw values stored.

The full control plane

Govern what the agent perceives, decides, and spends.

Beyond policy and audit, Nolixan governs the whole agent lifecycle — discovery, identity, credentials, cost, and the MCP surface itself.

Policy-shaped discovery

The agent only perceives the tools it's allowed to use — denied tools never appear in discovery, with governance metadata inline.

Cooperative verdicts

A blocked or gated action returns actionable guidance — a deny explains why, an approval returns a pollable handle, a sanitize lists redacted fields — so the agent complies instead of dead-ending on a 403.

JIT short-lived credentials

Mint task-scoped credentials that expire in minutes instead of handing agents standing access there's nothing to leak.

Per-agent DID identity

Each agent gets its own did:nolixan identity and keypair, so every action is attributable even when agents share a key.

Shadow-agent discovery

Surface unregistered actors taking actions in an environment, risk-ranked from the audit trail, with a live decision feed.

MCP OAuth

Nolixan is a spec-compliant OAuth 2.1 server, so remote MCP clients like Claude.ai connect, consent, and call governed tools — no shared API key.

Tool-poisoning scanner

Detect hidden instructions, schema abuse, typosquatting, and rug-pulls in MCP tools before your agent trusts them.

Spend budgets & SLOs

Per-tenant and per-agent budgets throttle or kill runaway cost before it runs; SLOs track error-budget burn on agent actions.

Machine-checked compliance

Controls mapped to OWASP Agentic Top-10 and SOC 2 with exact source evidence — CI fails the moment an anchor moves.

Use cases

Wherever an agent needs to do real work.

The pattern is always the same: real tools, scoped access, the right approvals, and a record of everything that happened.

Customer support agents

Resolve tickets end to end across the support stack.

Tools

ZendeskNotionHubSpotSlack

Governance

Scoped credentialsFull audit trail

Faster resolutions without exposing customer data.

Sales operations agents

Keep the CRM clean and follow-ups on time.

Tools

SalesforceGmailSlack

Governance

Approval on writesAudit export

Pipeline hygiene with a human on risky updates.

Engineering agents

Triage issues, open PRs, query read replicas.

Tools

GitHubJiraPostgres (read)

Governance

Read/write scopesBlocked destructive ops

Automation that can’t take down production.

Finance operations agents

Reconcile transactions and process refunds.

Tools

StripeNetSuiteSlack

Governance

Approval gatesTamper-evident audit

Every dollar movement approved and traceable.

Internal workflow agents

Drive cross-tool operations on private systems.

Tools

Internal APIsNotionSlack

Governance

Private connectorsRBAC

Glue work automated inside your boundary.

Regulated & enterprise agents

Act in healthcare or finance systems of record.

Tools

Core systemsInternal APIs

Governance

Tenant isolationVPC / on-premFull audit

Agent automation that passes compliance review.

Why teams trust it

Production-grade by design, not by promise.

No logos to borrow trust from yet — so here’s exactly what the architecture guarantees.

100%of actions logged
0secrets stored in prompts
1,000+connectors & tools
default-denyfail-closed, on writes
Production-ready design

Async, multi-tenant runtime with encryption, rate limiting, and idempotent execution baked in.

Tenant-scoped execution

Every call is bound to an environment; one tenant can never read or act on another’s data.

Every action traceable

Actor, tool, credential, policy, args hash, and outcome — recorded and exportable.

No secrets in prompts

Credentials live in an encrypted broker and are injected at call time, never in the model context.

Policy before execution

Rules are evaluated server-side before a tool ever runs — not trusted to the agent.

Approval for risky actions

High-impact calls pause for a human; nothing irreversible happens unattended.

FAQ

Questions teams ask before they ship.

What is Nolixan?

Nolixan is a secure control plane for production AI agents. It lets agents discover tools, authenticate via OAuth and API keys, call apps, APIs, and MCP servers, follow policies, require human approvals, and produce audit trails — so agent actions are safe to run in production.

How is Nolixan different from a connector catalog?

A catalog gives you connections. Nolixan adds the governance layer on top: a runtime policy engine, human-in-the-loop approvals, agent-scoped tokens, and a full audit trail — the part that makes agent actions safe, not just possible.

Does Nolixan support MCP?

Yes. Nolixan exposes a governed MCP gateway, so any MCP client — Claude, Cursor, or your own agent — discovers only the tools a token is scoped to, with policy and audit applied automatically.

How does Nolixan handle OAuth and API keys?

Credentials are brokered and encrypted at rest with AES-256-GCM, refreshed automatically, and injected at call time. They are never placed in prompts or the model context.

Can Nolixan run in a VPC or on-prem?

Yes. Nolixan is built for deployment inside your own boundary with strict tenant isolation, so secrets and data never leave your environment.

Can teams require human approval before actions?

Yes. Any action can be gated by policy to require approval. The agent pauses, a person approves or denies in Slack or the web app, and execution resumes — or stops.

How does Nolixan help with audit logs?

Every invocation records the actor, tool, credential, policy decision, an args hash, outcome, and trace ID. Logs are tenant-scoped and exportable for security and compliance reviews.

Can I prove what an agent did?

Yes. Every action produces an Ed25519-signed, hash-chained receipt you can verify offline with a public key — no need to trust or even reach Nolixan. The exact action a reviewer approved is byte-for-byte what executes, and separation of duties stops anyone from approving their own request.

How does Nolixan stop sensitive data from leaking to the model?

Content-level data redaction (DLP) strips sensitive values out of tool inputs, tool outputs, and logs before the model ever sees them — about 60 built-in classes across 7 categories (financial, government IDs, PII, PHI, secrets, network, GDPR). Per class you choose redact, mask, drop, tokenize, or fingerprint, and each redaction writes a counts-only signed receipt with no raw values stored.

How do you control cost and identity for many agents?

Each agent gets its own DID identity and can be issued just-in-time credentials that expire in minutes instead of standing access. Per-tenant and per-agent spend budgets throttle or kill runaway cost before an action runs, and shadow-agent discovery surfaces unregistered actors.

Can developers build private connectors?

Yes. Bring internal APIs as first-class, org-scoped tools using a manifest-driven HTTP connector — governed exactly like public ones.

Does Nolixan work with any agent framework?

Yes. Use the SDK (JavaScript or Python), MCP, or the REST API with OpenAI Assistants, LangChain, CrewAI, Claude, or custom agents.

Is Nolixan for production agents or prototypes?

Both. Start with one agent, one workflow, and one policy in minutes — then scale to production with the same governance in place.

Your agents are ready to act. Make every action governed.

Start with one agent, one workflow, and one policy. Scale safely from prototype to production.