oakallow

What is oakallow?

When an AI agent tries to take an action, whether that's sending an email, calling an API, or transferring funds, oakallow is the layer that decides whether it should. Every tool call passes through a per-call governance check that handles the permission decision, the human approval when one is needed, and the audit trail that proves what was reviewed and when. Reach it through the REST API, the MCP connector, or both.

oakallow is a hosted security service for AI agent tool execution. Instead of building your own permission system, token minting, approval workflows, and audit trails, you integrate through the REST API or the MCP connector and get production-grade security in minutes.

Whether you're building AI agents for your customers or your own team, oakallow gives you a deliberate checkpoint at the moments that matter. Permission rules decide what runs automatically. Approval workflows pause the actions that need a human. Cryptographic tokens prove what was authorized. Audit logs show what happened and why.

Route only the actions that matter

A permission check is a deliberate security checkpoint, not a log line. If a tool fires thousands of times an hour and never needs human review, register it once with a default-allow rule and skip the runtime call. Per-call pricing is for governed-action volume. Your application telemetry stays in your own observability stack where it belongs.

Our Mission

How oakallow Works

oakallow sits between your AI agent and the tools it wants to execute. You register tools through the dashboard, the REST API, or by letting the MCP connector auto-discover them, then define permission rules that control what each tool is allowed to do, for which tenants, and on which resources.

At runtime, before your agent executes a tool, it calls the permission check endpoint. The check happens at the edge via Cloudflare Workers with single-digit millisecond resolution. The result is one of three outcomes: allowed, requires_approval, or disabled.

If the tool is allowed, your agent mints a single-use HMAC-signed execution token, runs the tool, and logs the result. If approval is required, the request is routed to a human decision-maker. If disabled, the tool does not execute. Every step is logged with a complete audit trail.

• Permission resolution. A 12-level resolution chain evaluates tenant, org, resource, tool, method, and category rules to produce a definitive permission decision.
• Approval workflows. When a tool requires human review, the approval request is created and can be decided via the dashboard. Approvals have configurable timeouts.
• Cryptographic tokens. Each execution is signed with an HMAC token containing a single-use nonce. The token proves the tool was authorized and can never be replayed.
• Audit trail. Every permission check, approval decision, and tool execution is logged. You have complete visibility into what your AI agent did, when, and why it was allowed.

Where oakallow Comes From

oakallow was born from production security code built for VixPro AI, an AI companion engineer for server infrastructure. The permission resolution, token signing, approval workflows, and audit logging that keep VixPro AI safe have been extracted, generalized, and made available as a standalone hosted service — accessible via REST or MCP — for any developer building AI agents.

This isn't a hypothetical security layer. It runs in production at VixPro AI today, governing real AI tool execution on real servers.

Security Is Foundational

About Islemonics Studios LLC

oakallow is built and operated by Islemonics Studios LLC, a software company based in Pleasanton, California. We build products at the intersection of AI, infrastructure, and security.