Open source · Free during early access

Your agents shouldn't hold the keys.

Give your agents access to X, AWS, Google Workspace, Vercel, and any other API — without giving them your actual keys. TAP intercepts every outbound request, asks you to approve the risky ones, and keeps credentials out of your agent's context entirely. Any skill that calls an API just works.

Hosted in a hardware enclave — your keys are encrypted in memory and invisible to us.

The problem

Giving agents your API keys is a security nightmare.

🔓

Keys get stolen

A malicious prompt can trick your agent into smuggling an API key out through a legitimate API call.

⚠️

No human in the loop

An agent with raw keys can delete data, send emails, or make purchases — with nothing stopping it.

👁

Keys end up in context

Some APIs echo credentials in their responses. Once that's in your agent's context, it's in every future prompt too.

How it works

Your agent uses a name. TAP handles the key.

1. Your agent names the service, not the secret

Instead of a raw key, the agent sends X-TAP-Credential: slack. The actual API key lives in TAP — your agent never sees it.

2. Configurable approval — with a human in the loop.

Choose what needs sign-off — by method, URL pattern, or credential. Pending requests land in your approval channel (Telegram, Matrix, or others) with the full request. One tap to approve or deny.

3. The request goes out clean. The response comes back clean.

TAP swaps in the real credential, sends the request, scrubs any secrets from the response, and returns clean data to your agent.

Your existing skills, secured

Your agent's code barely changes.

before
Authorization: Bearer sk-live-a1b2c3d4e5f6...
X-Api-Target:  slack.com/api/chat.postMessage
after
X-TAP-Credential: slack
X-TAP-Target:    slack.com/api/chat.postMessage

Same skill, same API call. Swap the raw secret for a name. The proxy handles the rest.

What it does

Security defaults. Not security theater.

Keys never leave the vault

Agents reference credentials by name. TAP holds the actual secrets. Compromise the agent — the keys stay safe.

Configurable approval rules

Auto-approve or require sign-off — by HTTP method, URL pattern, or credential. Override per-rule. Fails closed by default.

Secrets scrubbed from responses

API responses are scanned before your agent sees them. Credential values — including base64 and URL-encoded variants — are redacted.

Agents can't leak keys through requests

Credential placeholders are only valid in auth headers — not in tweet text, email bodies, or anywhere a key could be smuggled out.

Multi-tenant teams

Each team gets isolated credentials, agents, and policies. Agents can link across teams for multi-account access with scoped roles.

Works with any auth scheme

API keys, OAuth 1.0a, OAuth 2.0, custom headers — TAP handles the auth layer so your agent always uses the same simple interface.

Audit trail

Every request logged with agent ID, credential, approval status, upstream response, and latency. JSON lines for easy ingestion.

Hardware-secured storage

Managed hosting runs in a hardware security enclave — credentials are encrypted in memory and never exported, even to us.
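
The response scrubbing described under "Secrets scrubbed from responses" above, sketched as an added example: this is not TAP's own code, and the function names and the sample secret are constructed for illustration. It goes one step beyond the text by also catching a secret embedded at any byte offset inside a larger base64 blob (for example `user:<secret>` in a Basic auth echo), which a search for `base64(secret)` alone would miss.

```python
import base64
import re
from urllib.parse import quote, quote_plus

REDACTED = "[REDACTED]"
MIN_SECRET_LEN = 8  # shorter values give fragments that match ordinary text

# Constructed sample value, not a real credential.
SAMPLE_SECRET = "sk-test/CONSTRUCTED+key=01"


def b64_fragments(secret: bytes) -> set[str]:
    """Base64 substrings that appear when `secret` sits at any byte offset
    inside a larger base64-encoded blob (e.g. "user:<secret>" in Basic auth)."""
    frags = set()
    for pad in range(3):  # offset mod 3 decides the 6-bit alignment
        enc = base64.b64encode(b"\x00" * pad + secret).decode()
        start = (8 * pad + 5) // 6            # first char made only of secret bits
        end = 8 * (pad + len(secret)) // 6    # one past the last such char
        frag = enc[start:end]
        frags.add(frag)
        frags.add(frag.translate(str.maketrans("+/", "-_")))  # URL-safe alphabet
    return frags


def build_scrubber(secrets):
    """Return a function that redacts every known encoding of each secret."""
    needles = set()
    for s in secrets:
        if len(s) < MIN_SECRET_LEN:
            raise ValueError("secret too short to scrub reliably")
        needles.update({s, quote(s, safe=""), quote_plus(s)})
        needles.update(b64_fragments(s.encode()))
    # Longest first so a longer encoding is not half-eaten by a shorter match.
    ordered = sorted(needles, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(n) for n in ordered))
    return lambda text: pattern.sub(REDACTED, text)


if __name__ == "__main__":
    scrub = build_scrubber([SAMPLE_SECRET])
    basic = base64.b64encode(f"user:{SAMPLE_SECRET}".encode()).decode()
    for body in (                       # constructed upstream responses
        f'{{"echo": "{SAMPLE_SECRET}"}}',
        f"next=/cb?key={quote(SAMPLE_SECRET, safe='')}",
        f'{{"authorization": "Basic {basic}"}}',
    ):
        print(scrub(body))
```

Base64 characters at the edges of an embedded secret mix its bits with neighbouring bytes, so the one character on either side of the redacted span can still carry a few bits of the first or last byte.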

Early access

Deploy today.

Managed hosting runs in a hardware security enclave — credentials are encrypted in memory and never leave it, not even to us. Free during early access.

Get started

Or self-host — without the enclave guarantees

Running in five minutes.

Fully open source (MIT). Use managed hosting — keys never leave the enclave — or run it yourself in Docker.

1. Sign up and add your credentials

Open the dashboard after onboarding and add the credentials your agent actually needs — Slack, GitHub, Mercury, Stripe, AWS, or other sensitive production APIs.

2. Create an agent and copy the API key

Select which credentials the agent can access. The key is shown once.

3. Add a system prompt block — no skill or package needed

TAP proxy: https://tap.human.tech
TAP key: <your key>
Discover: GET /agent/services  (X-TAP-Key)
Forward:  POST /forward  — always POST, even for upstream GETs

Your agent calls /agent/services to get per-credential request templates, then uses them to make authenticated API calls.