Kestra Labs is the security checkpoint between AI assistants and your enterprise SaaS. Control who can do what, with which credentials, under what conditions and audit every interaction.
Both products share identity validation, device posture, Key Management integration, session management, and policy engine. The only difference is what gets proxied.
Secure AI-to-SaaS Gateway
Let AI assistants use Salesforce, Slack, GitHub and 245+ other SaaS tools while your security team controls every credential, permission, and data flow.
Secure Claude API Proxy
Your developers call Claude through your proxy, not Anthropic's endpoint directly. You set the spend caps, model allowlists, and log every prompt and response. PAT = Personal Access Token.
Every request passes through 5 security layers in under 500ms. If any layer fails, credentials are never touched.
Global CDN + API Gateway. TLS encryption, DDoS shield, organization key validation.
Entra ID validation, device posture (Zero Trust), role resolution, policy evaluation. Shared between both products.
Three paths by tier: SOHO (our key), Bank (your key + our key), Zero Trust (session-scoped, memory only).
MCP Fortress: calls SaaS APIs + PII redaction. PAT Fortress: proxies to Claude API + response logging.
Audit logging, platform metrics, alerts. PAT Fortress logs full request+response for SOC 2 compliance.
Secure AI-to-SaaS Gateway
Connect to any SaaS platform with pre-built, regularly updated connectors. Manage credentials in our secure vault with automatic rotation, health monitoring, and breach detection. No more storing API keys in CI/CD systems or spreadsheets.
Live Connectors (21):
Define granular policies that control exactly what each user can do. Rules are evaluated in real-time using a deny-by-default architecture:
Every policy evaluation is logged and can be audited in real-time.
Every request, decision, and policy change is logged to an immutable audit trail. Export evidence for SOC 2 Type II, ISO 27001, PCI DSS, and HIPAA audits.
Secure Claude API Proxy
PAT (Personal Access Token), the API key your developers use to call Claude. PAT Fortress makes sure your organization controls it, not individual developers.
Change your base URL from api.anthropic.com to pat.kestralabs.com. Everything else stays the same. Your developers never see the real Claude API key.
Restrict to specific Claude models, set per-request token limits, enforce monthly spend caps per PAT, and apply rate limiting per user. All policies are evaluated in real-time.
Every prompt sent to Claude AND every response is logged. Archived to encrypted storage with server-side encryption. Critical for SOC 2 Type II compliance. MCP Fortress only logs decisions; PAT Fortress logs everything.
Choose how much you trust Kestra Labs with your keys.
Managed Vault
"Giving your house key to a trusted neighbor"
We hold encrypted credentials and decrypt per request. Fastest setup.
Setup: 5 minutes
Safety Deposit Box
"Your key + our key required"
Customer Key Management key required for decryption. You maintain control.
Setup: 30 minutes
No Keys Stored
"Credentials never leave your building"
Entra ID + device posture + session-scoped keys. Maximum security.
Setup: 2-4 hours
Pick one product or bundle both and save. No free trial: we're infrastructure, not a toy.
Both products: save $1/user vs. individual
Both products: save $2/user vs. individual
150+ users · enterprise contract
Contact our sales team for pricing and custom setup.
CONTACT SALESNo free trial. No demo required. No sales call for SOHO and Bank. Overage: 1.25x base rate. Claude API token costs are billed directly by Anthropic; Kestra Labs only charges for platform access.