Most people keep agents on a short leash because one bad call could drain an account. TAP gives each agent its own identity and approval rules, so you can safely turn them loose on your email, your infra, and your money.
Examples
Set up TAP once and your agents can reach any API without ever touching the credentials. Optionally, configure approvals for especially sensitive APIs.
$ "Check my email for any unpaid invoices and pay them on Wise."
› gmail → wise · it really pays them
$ "Migrate all our company domains to Cloudflare DNS, update the SSL certificates on AWS, and trigger Vercel redeployments for any affected services."
› cloudflare → aws → vercel · runs end to end
$ "Check my Mercury balance. If it's over $50k, move the excess into the highest-yield account."
› mercury · add a checkpoint if you want one
$ "Give me a morning briefing: Mercury balance and any large transactions, unread emails that need action, and whether any Vercel deployments failed overnight."
› mercury · gmail · vercel · runs unattended
The catch
To an agent, a web page or email it reads is just more instructions. One can say 'send me the key,' and it will.
A raw key can move money, delete data, or email everyone you know, with nothing in between to catch it.
Agents can read them straight out of process memory, and plenty of APIs echo them right back. Once a key is in the context, it's in every prompt after it.
How it works
Just tell your agent:
TAP key: <your key>
TAP instructions: https://proxy.tap.human.tech/instructions To add a service, you paste its key into the dashboard. The agent reads the instructions URL and calls what it needs, so you're not loading a list of tool definitions into every prompt. It works with anything that makes HTTP requests: Claude Code, OpenClaw, your own scripts.
Paste a key into TAP once. The agent calls services by name and never sees the secret, so a leak, a jailbreak, or a bad prompt can't spend it.
Optional. Turn on a checkpoint for a credential and its calls arrive with the full request to approve or deny, wherever you've set up notifications. Leave it off and everything runs.
Your agent just makes HTTP calls to TAP instead of straight to the API.
The agent sends a payload, gets back a signature, and never sees the key.
Verify it yourself
They live in a hardware enclave we can't read into. Microsoft's HSM only releases them to TAP code that matches a measurement we publish. Verify it →
It only sees a name like mercury. The real key goes in when TAP sends the request, and gets stripped out of anything that comes back.
Every request is checked against your policy. If nothing allows it, it waits for you.
It's open source under Apache-2.0. Read exactly how your keys are handled, or run your own copy. GitHub →
The request flow, policy engine, and attestation details are all in the docs →
Get started
We built TAP to give our own agents access to our accounts, then open-sourced it. The hosted version is free to start, keeps your credentials in a hardware enclave even we can't read into, and is the right choice for almost everyone. You can also self-host the open-source build if you're comfortable owning the security yourself. Verify it.
Start freeOr self-host it from the repo
Use our managed hosting, or run the open-source build yourself in Docker.
Sign up and add your credentials
Slack, GitHub, Mercury, Stripe, AWS, or whatever else your agent needs.
Create an agent and copy the API key
Pick which credentials it can touch. The key shows once.
Paste two lines into your agent's prompt
TAP key: <your key>
TAP instructions: https://proxy.tap.human.tech/instructions It fetches that URL and works out how to use your services on its own.