
Where PolicyArc sits in your stack

PolicyArc is the authorization layer between who your users are and what they're allowed to do.

Identity Providers (trust & tokens flow from here into PolicyArc):
Okta / Auth0 · OIDC / SAML
Azure AD / Entra · Enterprise IdP
SPIFFE / SPIRE · Workload Identity
Custom OIDC · Any RFC 8414 IdP

PolicyArc Platform:
Authorization Server · OAuth 2.0 · UMA · OIDC · DCR
Policy Engine · OPA · Rego · policy-as-code
Policy Management · Admin UI · Audit Log · Bundle Server

Your Apps & APIs (receive scoped tokens from PolicyArc):
REST / GraphQL APIs · Resource Servers
MCP Gateway · AI Agent Access
Web Applications · SaaS · Internal Tools
Data Services · Databases · Storage

Clients requesting access:
AI Agents · LLM tools, MCP clients
Human Users · employees, contractors, customers
M2M Services · microservices, batch jobs

Core Capabilities

Everything you need to govern access across humans, services, and AI agents.

Agent-Safe Access

AI agents receive just-in-time, scoped, and time-bound tokens instead of standing credentials, so a compromised or misbehaving agent cannot escalate beyond its grant. Roll out agentic AI systems across the enterprise safely.

Single Access Plane

All identities (agents, humans, and workloads) governed by a single authorization service — free dev teams from building authorization into everything.

Policy as Arbiter

Define who can do what in plain policy rules, enforced consistently on every request — eliminate hard-coded permission logic scattered across services and apps.

Context-Aware

Decisions use static attributes like role and MFA alongside live signals like resource sensitivity and workflow state — grant or restrict based on the full picture.

Standards-Based

Built on OAuth 2.0, OIDC, Open Policy Agent, and open standards — integrate with any identity provider and take your policies with you if you ever leave.

Works with your Infra

PolicyArc is designed to slot into your existing stack without ripping anything out. Connect your current IdP, protect your existing APIs, and extend to AI agent access.

How It Works

From request to decision in milliseconds

Every access request flows through the same path — regardless of whether it comes from a human, a service, or an AI agent.

1. Client requests a token: OAuth 2.0 client credentials, authorization code, or UMA flows.
2. PolicyArc evaluates policy: the Authorization Server calls OPA, which runs Rego rules against your policy data, identity claims, and request context.
3. Token issued with obligations: scoped, time-bound tokens carry the PDP output, including obligations your resource servers must enforce.
4. Resource server enforces: it introspects the token with resource context; PolicyArc re-evaluates and returns fine-grained enforcement decisions.

Token Request Flow:
POST /token · grant_type=client_credentials
→ OPA evaluates Rego policy · allow if { scope ⊆ permitted; time_ok }
→ Scoped JWT issued · exp = now + 300s · obligations: [audit, mask_pii]
→ Resource server enforces · POST /introspect → obligations applied
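The four steps above carried through end to end, as an added worked example in Python; this is illustrative code, not PolicyArc's own implementation or API. One file plays both the authorization server (steps 1 to 3) and the resource server (step 4). The PDP re-expresses the Rego from the flow, `allow if { scope ⊆ permitted; time_ok }`, in plain Python; the token is an HS256 JWT assembled by hand and the introspection reply uses the RFC 7662 `active` shape, so the file runs offline. The client ids, scopes, time windows, obligation names, PII field names and signing key are constructed sample data.

```python
"""Added example of the token request flow: issue a scoped, time-bound JWT
carrying PDP obligations, then introspect and enforce it. Hypothetical
names throughout; not PolicyArc code."""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key-not-for-production"   # constructed
TOKEN_TTL_SECONDS = 300            # matches "exp: 300s" in the flow
PII_FIELDS = {"email", "phone"}    # fields the mask_pii obligation redacts
KNOWN_OBLIGATIONS = {"audit", "mask_pii"}
AUDIT_LOG = []                     # where the audit obligation records access

# Constructed policy data; in a real deployment this lives in the OPA bundle.
POLICY_DATA = {
    "agent-crm-summariser": {
        "permitted": {"crm:read", "crm:search"},
        "window_utc_hours": (6, 22),        # time_ok: 06:00 <= hour < 22:00 UTC
        "obligations": ["audit", "mask_pii"],
    },
    "batch-exporter": {
        "permitted": {"crm:read", "crm:export"},
        "window_utc_hours": (0, 24),
        "obligations": ["audit"],
    },
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def evaluate_policy(client_id, requested_scopes, now):
    """Step 2, the PDP: allow only if scope ⊆ permitted and time_ok."""
    entry = POLICY_DATA.get(client_id)
    if entry is None:
        return {"allow": False, "reason": "unknown_client"}
    if not set(requested_scopes) <= entry["permitted"]:
        return {"allow": False, "reason": "scope_not_permitted"}
    start, end = entry["window_utc_hours"]
    if not start <= time.gmtime(now).tm_hour < end:
        return {"allow": False, "reason": "outside_time_window"}
    return {"allow": True, "obligations": list(entry["obligations"])}


def issue_token(client_id, requested_scopes, now):
    """Steps 1 and 3: POST /token (client_credentials). Returns (jwt, error)."""
    decision = evaluate_policy(client_id, requested_scopes, now)
    if not decision["allow"]:
        return None, decision["reason"]
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "sub": client_id,
        "scope": " ".join(sorted(requested_scopes)),
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,          # absolute expiry, RFC 7519 style
        "obligations": decision["obligations"],  # PDP output travels in the token
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig), None


def introspect(token, now):
    """Step 4a: verify signature and expiry; RFC 7662-shaped reply."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return {"active": False}
        claims = json.loads(_b64url_decode(body))
    except ValueError:                 # malformed token or bad base64/JSON
        return {"active": False}
    if now >= claims["exp"]:
        return {"active": False}
    return {"active": True, **claims}


def serve_record(token, required_scope, record, now):
    """Step 4b: resource server checks scope, then applies obligations.
    Returns (http_status, body). An obligation it cannot honour is refused."""
    info = introspect(token, now)
    if not info["active"]:
        return 401, None
    if required_scope not in info["scope"].split():
        return 403, None
    if not set(info["obligations"]) <= KNOWN_OBLIGATIONS:
        return 403, None               # fail closed rather than skip an obligation
    out = dict(record)
    if "mask_pii" in info["obligations"]:
        for field in PII_FIELDS.intersection(out):
            out[field] = "***"
    if "audit" in info["obligations"]:
        AUDIT_LOG.append({"sub": info["sub"], "scope": required_scope, "id": record.get("id")})
    return 200, out
```

Two design points worth noting: the obligations are part of the signed token, so a resource server cannot be handed a grant without the conditions attached to it, and `serve_record` refuses a token whose obligations it does not understand rather than serving the record without them. The `now` parameter is passed explicitly so expiry and the time window can be tested against a fixed clock.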

Supported Standards

Built on open standards, not proprietary lock-in

Every protocol PolicyArc implements is an IETF RFC or open standard. Your clients, resource servers, and identity providers work with PolicyArc out of the box — no vendor SDKs required. Your policies are OPA Rego. Your data is JSON. If you leave, everything comes with you.

OAuth 2.0 · OpenID Connect · UMA 2.0 · RFC 7591 DCR · RFC 8707 Resource Indicators · RFC 9396 RAR · RFC 7009 Revocation · AuthZEN · SPIFFE / SPIRE · JWKS Discovery · CIBA

Deployment

Deploy the way you want to

Whether you want a fully managed service or complete control inside your own perimeter, PolicyArc fits. Start in the cloud and migrate to self-hosted when you're ready — the same Helm chart, the same policies, the same API.

SaaS (Managed): Fully hosted by PolicyArc. Up in minutes, no infrastructure to manage.
Self-Hosted (Helm): Deploy on your own Kubernetes cluster. Full control, your network boundary.
Docker / Compose: Run locally or on any VM with a single compose file. Ideal for dev and staging.
Azure Marketplace: One-click deployment into your Azure subscription. Billing through your existing commitment.

Ready to take control of access?

Join the PolicyArc beta — full platform access, founder pricing at GA, and a direct line to the team.