Developer
VSCode
Terminal
Claude
Cursor
Codex
Prompt
Context
Tool Call
Ingress
Blekline Ingress
Policy enforcement, PII masking, approval queues and audit trails, with mask/block/send options.
Zero retention
Role-Aware
SOC2 Ready
MCP, agent-first
Sanitized
Approved
Auditable
Models
Claude
OPenai
Gemini
Execution
sandboxes
Redacted data
ENvironment
Daytona / Modal / Cloudflare / Vercel
01 - devs and agents
Made for where you interact with AI Agents. Install in Cursor, Claude Desktop, or Codex in under 2 minutes. Real-time interaction governance with policy enforcement.
02 - Scalable AI Governance
From Local to Production
Fast and Scalable Governance
Security Infrastructure for AI Agents
Govern
Block secrets in shell/file tools; workspace MCP policy; evaluate before execute.
Mask
PII/secrets redaction; fast local path + Azure authoritative; OpenAI/Anthropic ingress proxy.
Prove
Metadata events, policy stream, investigations, built for security reviews.
03 - Integrations
Govern Agents where you already work
Blekline sits at the MCP ingress, before prompts reach models and before tools execute.
Claude Desktop01
02
[03]
Remote Server MCP for Claude Desktop
Connect via remote MCP. Blekline masks prompts and evaluates tool calls before content reaches Claude or downstream MCP tools.
mcp:maskmcp:enforceRemote MCP
Cursor01
02
[03]
Automatic redaction without workflow friction
Every Agent, Composer, and Chat session can mask secrets before model context and block risky tool calls before they hit your sandbox or internal APIs.
Mask PII and API keysEnforce tool policyMetadata audit events
Openai COdex
01
02
[03]
Govern OpenAI Codex sessions
Codex uses TOML config, not JSON. Add Blekline as an MCP server in
.codex/config.toml, tool calls get the same mask and enforce pipeline as Cursor and Claude.Project-level MCPHeadless setupsModel-agnostic
Claude Desktop01
02
[03]
Remote Server MCP for Claude Desktop
Connect via remote MCP. Blekline masks prompts and evaluates tool calls before content reaches Claude or downstream MCP tools.
mcp:maskmcp:enforceRemote MCP
Cursor01
02
[03]
Automatic redaction without workflow friction
Every Agent, Composer, and Chat session can mask secrets before model context and block risky tool calls before they hit your sandbox or internal APIs.
Mask PII and API keysEnforce tool policyMetadata audit eventsOpenai COdex
01
02
[03]
Govern OpenAI Codex sessions
Codex uses TOML config, not JSON. Add Blekline as an MCP server in
.codex/config.toml, tool calls get the same mask and enforce pipeline as Cursor and Claude.Project-level MCPHeadless setupsModel-agnostic03 - Use Blekline
Install in Seconds
Works with your favourite coding languages and frameworks.
import { BleklineClient } from "@blekline/client";
const blekline = new BleklineClient({
baseUrl: "https://app.blekline.com",
workspaceToken: process.env.BLEKLINE_WORKSPACE_TOKEN!,
metadata: { clientSurface: "sdk" },
});
const { maskedText, decision } = await blekline.mask({
text: "Email alice@corp.com — deploy with AKIAIOSFODNN7EXAMPLE",
platform: "MyAgent",
});
const tool = await blekline.enforceToolCall({
toolName: "run_shell",
arguments: { cmd: "curl https://api.internal/deploy" },
platform: "MyAgent",
});
console.log(maskedText, decision?.action ?? tool.action);
// mask | allow | blockimport os
from blekline_client import BleklineClient
client = BleklineClient(
workspace_token=os.environ["BLEKLINE_WORKSPACE_TOKEN"],
base_url="https://app.blekline.com",
client_surface="sdk",
)
masked = client.mask(
text="Email alice@corp.com — deploy with AKIAIOSFODNN7EXAMPLE",
platform="MyAgent",
)
print(masked["maskedText"], masked.get("decision"))
tool = client.enforce_tool_call(
tool_name="run_shell",
arguments={"cmd": "curl https://api.internal/deploy"},
platform="MyAgent",
)
print(tool["action"], tool["entitiesMasked"])# Mask PII & secrets before model context
curl -sS https://app.blekline.com/api/mask \
-H "Content-Type: application/json" \
-H "x-blekline-workspace-token: blw_..." \
-H "x-blekline-client-surface: sdk" \
-d '{
"text": "Email alice@corp.com — deploy with AKIAIOSFODNN7EXAMPLE",
"platform": "REST"
}'
# Evaluate tool call before execution
curl -sS https://app.blekline.com/api/mcp/enforce-tool-call \
-H "Content-Type: application/json" \
-H "x-blekline-workspace-token: blw_..." \
-d '{
"toolName": "run_shell",
"arguments": { "cmd": "curl https://api.internal/deploy" },
"platform": "REST"
}'// .cursor/mcp.json or claude_desktop_config.json
{
"mcpServers": {
"blekline": {
"command": "npx",
"args": ["-y", "@blekline/mcp-server"],
"env": {
"BLEKLINE_API_URL": "https://app.blekline.com",
"BLEKLINE_WORKSPACE_TOKEN": "blw_...",
"BLEKLINE_CLIENT_SURFACE": "claude-desktop"
}
}
}
}
// Tools the agent can call:
// blekline_mask_prompt({ text: "alice@corp.com ..." })
// blekline_evaluate_tool_call({
// toolName: "run_shell",
// arguments: { cmd: "curl https://api.internal/deploy" }
// })How it works? The new standard for safe AI integration.
04 - How it works
Connect, enforce and deploy.
Core system metrics that define Blekline runtime quality, control depth, and enforcement reliability.
05 - AI-first Infrastructure
Optimized for LLMs and AI Agents
06 - COmparison
Why Blekline?
Without Blekline
With Blekline
Secret in tool args
Reaches model/sandbox
Blocked at ingress
PII in prompt
Sent to vendor
Masked + mapped
MCP tools
Ungoverned
Policy per workspace
Audit
Scattered logs
Blocked at ingress
Sandbox
Fast but blind
Fast and governed
07 - OPen-core, scaled for business
Built for Developers. Scaled for Enterprise.
08 - FAQ's
Frequently asked questions
Get started with Blekline
What is an MCP ingress control plane?
Blekline sits between your AI agents and everything they touch: model APIs, tools, and sandboxes. Every call is masked, policy-checked, and audited before it executes.
Do I need an account to start?
No. Local secret scanning and tool enforcement work offline via @blekline/contracts. You need a workspace token only for cloud PII masking, fleet policy, and audit events.
How is Blekline different from prompt guardrails?
Prompt instructions are best-effort. Blekline enforces policy at the MCP call boundary, before the model or tool runs, regardless of which model or client you use.
CApabilities & Solutions
Does Blekline work with Cursor and Claude?
Yes. Blekline connects over MCP to Cursor, Claude Desktop, and Codex. One server covers all models; no changes to your agent code.
What’s the difference between mcp-server and mcp-proxy?
Server gives agents mask/enforce tools. Proxy sits in front of downstream MCP (e.g. Daytona) and blocks tool calls before they execute.
Are prompts stored in Blekline?
No. Default audit events are metadata only: action taken, entity counts, tool name, client surface. No raw prompt bodies or full tool arguments.
