Most people keep agents on a short leash because one bad call could drain an account. TAP gives each agent its own identity and approval rules, so you can safely turn them loose on your email, your infra, and your money.
Examples
Each one touches several services through a single setup, with no integration code to write. The calls that move money or delete things are held for your approval.
$ "Check my email for any unpaid invoices and pay them on Wise."
› gmail → wise · it really pays them, after you approve
$ "Migrate all our company domains to Cloudflare DNS, update the SSL certificates on AWS, and trigger Vercel redeployments for any affected services."
› cloudflare → aws → vercel · held for your approval
$ "Check my Mercury balance. If it's over $50k, move the excess into the highest-yield account."
› mercury · waits for your approval
$ "Give me a morning briefing: Mercury balance and any large transactions, unread emails that need action, and whether any Vercel deployments failed overnight."
› mercury · gmail · vercel · runs unattended
The catch
To an agent, a web page or email it reads is just more instructions. Any of them can say 'send me the key,' and the agent will.
A raw key can move money, delete data, or email everyone you know, with nothing in between to catch it.
Agents can read keys straight out of process memory, and plenty of APIs echo them right back. Once a key is in the context, it's in every prompt after it.
How it works
Just tell your agent:
TAP key: <your key>
TAP instructions: https://proxy.tap.human.tech/instructions
To add a service, you paste its key into the dashboard. The agent reads the instructions URL and calls what it needs, so you're not loading a list of tool definitions into every prompt. It works with anything that makes HTTP requests: Claude Code, OpenClaw, your own scripts.
Each call arrives with its full request to approve or deny, wherever you've set up notifications.
Reads, like checking a balance, run on their own. The ones that move money or change things wait for you.
Your agent just makes HTTP calls to TAP instead of straight to the API.
The agent sends a payload, gets back a signature, and never sees the key.
Verify it yourself
Your credentials live in a hardware enclave we can't read into. Microsoft's HSM only releases them to TAP code that matches a measurement we publish.
The agent only sees a name like mercury. The real key goes in when TAP sends the request, and gets stripped out of anything that comes back.
Every request is checked against your policy. If nothing allows it, it waits for you.
TAP is open source under Apache-2.0. Read exactly how your keys are handled, or run your own copy.
The request flow, policy engine, and attestation details are all in the docs.
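The pattern described above, as an added sketch that is not TAP's code: the agent names a service, a policy decides whether the call runs or waits, the key is injected only on the outbound request, and it is scrubbed from the response. The policy shape, vault, function names and key value are all constructed for illustration.

```python
# Added illustration; every name and value below is constructed, not TAP's API.
VAULT = {"mercury": "sk_constructed_0123456789"}  # agent only knows the name

# First matching rule wins. Anything unmatched is held for a human.
POLICY = [
    {"service": "mercury", "methods": {"GET"}, "action": "allow"},
    {"service": "mercury", "methods": {"POST", "DELETE"}, "action": "hold"},
]

def decide(service, method):
    """Return 'allow' or 'hold'; no matching rule means hold."""
    for rule in POLICY:
        if rule["service"] == service and method in rule["methods"]:
            return rule["action"]
    return "hold"

def scrub(text, secret):
    """Strip the key from what goes back to the agent.
    Plain substring match only; an encoded echo (base64, URL-encoded)
    would need its own check."""
    return text.replace(secret, "[REDACTED]")

def proxy(request, upstream, approved=False):
    """Handle one agent request. The request names a service, never a key."""
    service, method = request["service"], request["method"]
    if service not in VAULT:
        return {"status": "denied", "body": "unknown service"}
    if decide(service, method) != "allow" and not approved:
        return {"status": "pending_approval", "body": ""}
    secret = VAULT[service]
    headers = {"Authorization": f"Bearer {secret}"}  # injected only here
    body = upstream(method, request["path"], headers)
    return {"status": "ok", "body": scrub(body, secret)}

def echoing_upstream(method, path, headers):
    """Constructed upstream that echoes the auth header back in its response."""
    return f"{method} {path} ok; auth={headers['Authorization']}"

if __name__ == "__main__":
    read = {"service": "mercury", "method": "GET", "path": "/balance"}
    move = {"service": "mercury", "method": "POST", "path": "/transfer"}
    print(proxy(read, echoing_upstream))
    print(proxy(move, echoing_upstream))
    print(proxy(move, echoing_upstream, approved=True))
```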
Get started
We built TAP to give our own agents access to our accounts, then open-sourced it. The hosted version is free to start, keeps your credentials in a hardware enclave even we can't read into, and is the right choice for almost everyone. You can also self-host the open-source build if you're comfortable owning the security yourself.
Start free
Or self-host it from the repo
Use our managed hosting, or run the open-source build yourself in Docker.
Sign up and add your credentials
Slack, GitHub, Mercury, Stripe, AWS, or whatever else your agent needs.
Create an agent and copy the API key
Pick which credentials it can touch. The key shows once.
Paste two lines into your agent's prompt
TAP key: <your key>
TAP instructions: https://proxy.tap.human.tech/instructions
The agent fetches that URL and works out how to use your services on its own.