mid:plane
Access layer for your existing Postgres · Backed by Y Combinator

Let Claude touch production. Without the postmortem.

Midplane sits in front of your Postgres and decides what each query can do — parser-level, audited, denied before it runs.

Start free → no credit card · free for 1 connection · 1 seat

Or talk to us · design partner program →

Your database: stays where it is
Engine: MIT · self-host or hosted
Audit log: append-only
01:stakes

Same agent. Same Postgres. Two ways it ends badly.

The same SQL your engineer's agent might run on a Tuesday morning, with and without midplane in front of Postgres. One deletes prod. One leaks every customer — and looks like a normal read.

before:midplane · tue 09:17:34

Production gone in nine seconds.

# cursor agent, cleaning up stale rows
WITH cleanup AS (
  DELETE FROM users
  RETURNING *
)
SELECT count(*) FROM cleanup;
runs against your Postgres
postgres · prod · 0.9 s
users · 41,802 rows deleted
production: gone
09:18 — #incidents · sev1 · “what happened?”
after:midplane · tue 09:17:34

Denied before it runs.

# same agent, same query
WITH cleanup AS (
  DELETE FROM users
  RETURNING *
)
SELECT count(*) FROM cleanup;
hits midplane policy first
midplane · policy · table_access
DENIED · users is not in the opt-in write list
the DELETE in the CTE was caught at parse time
09:17 — audit logged · agent pivots to a SELECT

the leak a read-only role lets through

A leak doesn't need a DELETE.

before:midplane · tue 11:42:07

Every customer's data, one SELECT.

# cursor agent: “list recent signups”
SELECT email, plan FROM users
ORDER BY created_at DESC
LIMIT 50;
runs against your Postgres
postgres · prod · 7 ms
50 rows — from 14 different customers
tenant boundary: gone
11:42 — no error, no alert · it reads like a normal query
after:midplane · tue 11:42:07

Denied before it runs.

# same agent, same query
SELECT email, plan FROM users
ORDER BY created_at DESC
LIMIT 50;
hits midplane policy first
midplane · policy · tenant_scope_missing
DENIED · users requires a tenant_id predicate; none present
enforced in the policy engine — before Postgres sees the read
11:42 — audit logged · agent retries with WHERE tenant_id = $1

A read-only role would have allowed this — it's a SELECT. tenant_scope is the one rule a database role can't give you.

— try

Ask the database. Watch the policy decide.

Pick an example. Flip a table's access level. Re-pick to watch the decision change.


Try this against your own database — point midplane at any Postgres, get an MCP endpoint for your agent. Start free →

Table access
  • api_keys: id, customer, prefix, last_used_at
  • customers: id, email, name, plan
  • internal_users: id, email, role, mfa
  • orders: id, customer, total_usd, status, placed_at
  • support_tickets: id, customer, subject, status

02:flow

One-time setup. Three checkpoints, every query.

You hand the agent a Midplane URL once. From then on, every query the agent runs is checked, logged, then executed against your Postgres — or returned as a clean deny the agent can recover from.

Setup · once
Drop a Midplane MCP URL into your agent. The agent never sees your DSN, password, or network.
cursor / claude https://eu.midplane.ai/mcp/<tok>

Midplane · every query
01:policy

Decided.

table_access · allow
tenant_scope · allow
multi_stmt   · deny
ddl          · deny

Read-only default, writes per opt-in table, tenant predicate required.

02:audit

Logged.

audit_log ←
  who   = lena@acme
  agent = claude-code
  table = users
  stage = ATTEMPTED
  committed

Written before Postgres sees the query. Log failure rejects the query.

03:execute

…or denied.

allow → postgres
     └ 25 rows · 4.1 ms

deny → structured reply
     └ reason: table_access
     └ agent pivots

Allowed queries run normally. Denied queries return a parsable error — no half-writes.

03:policy

A policy editor you can read at a glance.

Default access in one click. Per-table overrides for the few that need write. Tenant scope on or off, with a column you control. Saved policy reaches the engine in milliseconds — no agent restart, no DSN reshuffle.

Opt in per table.

Schema-qualified entries (stripe.charges) win over bare names. Saves push to the engine over the admin channel; the agent's active MCP session keeps running.

Engine invariants
  • always deny: Multi-statement queries — even a DELETE hidden inside a CTE.
  • always deny: DDL. DROP, ALTER, CREATE never reach Postgres.

Enforced at the parser. Not configurable, not in the editor.

acme · production · saved
Default for unlisted tables
  deny · read · read + write
Per-table overrides
  • feature_flags: read + write
  • audit_log: deny
  • stripe.charges: deny
  + add table
Tenant scope
  • Enforce on every query: on
  • Default column: tenant_id
Changes take effect immediately — no agent restart.
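
A sketch of how the rules on this page combine into one decision, added here as an illustration and not Midplane's engine code. It is a token-level approximation rather than a real SQL parser (dollar-quoted strings and quoted identifiers are not handled); the names `decide`, `access` and `POLICY` are hypothetical, the overrides are copied from the editor mock-up above, and the "read" default for unlisted tables is an assumption.

```python
import re

# Constructed policy mirroring the editor mock-up; default "read" is assumed
# from the page's "read-only default" wording.
POLICY = {
    "default": "read",
    "tables": {"feature_flags": "write", "audit_log": "deny", "stripe.charges": "deny"},
    "tenant_column": "tenant_id",
}
DDL = {"drop", "alter", "create"}   # the three keywords the page names
NAME = r"([a-z_][\w.]*)"            # bare or schema-qualified table name

def access(table, policy):
    """Schema-qualified entry wins over the bare name, then the default."""
    tables = policy["tables"]
    return tables.get(table) or tables.get(table.split(".")[-1]) or policy["default"]

def decide(sql, policy=POLICY):
    """Return (decision, reason) for one query; fails closed on odd input."""
    # Drop string literals and comments so their contents cannot spoof tokens.
    s = re.sub(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", " ", sql, flags=re.S).lower()
    s = s.strip().rstrip(";").strip()
    if ";" in s:
        return "DENY", "multi_stmt"
    if DDL & set(re.findall(r"[a-z_]+", s)):
        return "DENY", "ddl"
    # CTE names are not tables; DML targets are collected wherever they appear,
    # so a DELETE nested inside a WITH clause is seen like a top-level one.
    ctes = set(re.findall(r"\b([a-z_]\w*)\s+as\s*\(", s))
    writes = set(re.findall(r"\b(?:delete\s+from|insert\s+into|update)\s+" + NAME, s))
    reads = set(re.findall(r"\b(?:from|join)\s+" + NAME, s)) - ctes - writes
    if any(access(t, policy) != "write" for t in writes):
        return "DENY", "table_access"
    if any(access(t, policy) == "deny" for t in reads):
        return "DENY", "table_access"
    # Simplification: one tenant predicate anywhere after WHERE satisfies the rule.
    col = re.escape(policy["tenant_column"])
    if (writes or reads) and not re.search(rf"\bwhere\b.*\b{col}\s*=", s, re.S):
        return "DENY", "tenant_scope_missing"
    return "ALLOW", None
```

Run against the two queries from the stakes section, the CTE-wrapped DELETE returns `table_access` and the unscoped SELECT returns `tenant_scope_missing`, the same reasons shown in the deny panels.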
04:audit

Every query. Every decision. Filterable.

Append-only. Filterable by agent, table, tenant, decision. Every row records the MCP client and the agent's declared intent — and for changes you make in the dashboard, the engineer who made them. So six months later you can ask “what was claude-code trying to do?” or “who flipped that flag?”

audit_log · last 3 events

1 denied · region eu · acme/production
time | decision | statement | agent | ms
14:02:11.034 | ALLOW | SELECT id, email FROM users WHERE tenant_id = $1 | cursor · v0.45 | 4.1
14:02:13.221 | DENY | WITH d AS (DELETE FROM users RETURNING *) SELECT… | cursor · v0.45 | 1.6
14:02:18.555 | ALLOW | UPDATE feature_flags SET enabled = true WHERE … | claude-code · 1.2 | 3.0
05:pricing

Pay for scale, not the safety engine.

Policy enforcement, audit log, and tenant isolation are on every tier. Tiers gate structural growth — more connections, more seats, longer retention, enterprise SSO. Query volume is never metered. Hosted in EU or US, or self-host the MIT-licensed engine — same engine and audit format either way.

Free · $0 / month · For one engineer evaluating.
  • Connections: 1
  • MCP tokens: 1
  • Seats: 1
  • Audit retention: 7 days
  • SSO / SAML
  • Support: Community
Start free →

Pro · $49 / month · For a small team putting agents into production.
  • Connections: 10
  • MCP tokens: 10
  • Seats: 10
  • Audit retention: 30 days
  • SSO / SAML
  • Support: Email
Start Pro →

Team · $399 / month · When security or compliance asks.
  • Connections: Unlimited
  • MCP tokens: Unlimited
  • Seats: Unlimited
  • Audit retention: 30 days
  • SSO / SAML
  • Support: Priority email
Start Team →

Enterprise · Custom

When the matrix above doesn't fit your contract.

Talk to us →
  • BYOK: bring your own KMS key
  • Dedicated region: active-active EU + US
  • Custom retention: beyond 30 days
  • SLA: uptime commitments
  • Priority support: direct channel
Midplane — Safe Postgres for your team's AI agents.