Your agents make API calls.
They should never see your keys.

Clauth is a local daemon that sits between your AI agents and the APIs they call. It holds your credentials in an encrypted vault and injects them at request time — so agents get the job done without ever touching a secret.

Encrypted vault (AES-256-GCM)
Per-agent scope enforcement
Behavioral anomaly detection
Tamper-proof audit log

Up and running in 60 seconds

Install, store your credentials once, and every agent you run is automatically protected.

1. Install & start the daemon

$ curl -fsSL https://cl-auth.com/install.sh | bash
$ clauth init
$ clauth start

One-time setup. Runs locally on your machine — nothing leaves your network.

2. Store your credentials

$ clauth vault add github --secret ghp_xxx
$ clauth vault add openai --secret sk-xxx
$ clauth vault add stripe --secret sk_xxx

Encrypted at rest with AES-256-GCM. You set the passphrase, nobody else.

3. Grant scoped access to skills

$ clauth grant my-agent github:read
$ clauth grant my-agent openai:chat
$ clauth grant my-agent stripe:charges

Each agent gets only the permissions it needs. Nothing more.

For skill developers

Your skill never sees a credential. Just tell Clauth what you need — it handles the rest.

my-skill.ts
import { ClauthClient } from "clauth/client";

const clauth = new ClauthClient({
  skillId: "my-agent",
  skillToken: process.env.CLAUTH_SKILL_TOKEN
});

// Make an API call — Clauth injects credentials
const repos = await clauth.fetch({
  provider: "github",
  endpoint: "https://api.github.com/user/repos",
  method: "GET",
  scope: "github:read"
});

console.log(repos.body); // Your repos. No token in sight.

Zero credential exposure

Your code never handles secrets. Clauth injects auth headers at the network boundary.

Scoped by default

Request only what you need. Clauth enforces least-privilege — unauthorized calls are blocked and logged.

One-line integration

Drop in the SDK. Works with any provider — GitHub, OpenAI, Slack, Stripe, and everything else.

Behavioral protection

Clauth watches for anomalies — unusual endpoints, rate spikes, off-hours activity — and blocks them automatically.

Built for trust

Clauth is designed so you don't have to trust Clauth. Everything is local, auditable, and under your control.

Runs on your machine

No cloud service, no SaaS, no third-party servers. Clauth is a local daemon. Your credentials never leave your network.

Zero dependencies

No npm packages. No supply chain risk. Everything is built on Node.js built-in modules. You can read every line of code.

Tamper-proof audit log

Every request, every grant, every anomaly — hash-chained and append-only. You always know exactly what happened.

Open source

MIT licensed. Audit the source, fork it, self-host it. Security through transparency, not obscurity.

Emergency kill switch

One command revokes every grant instantly. Compromised skill? Shut it down in seconds, not hours.

Security advisory monitoring

Clauth polls public advisory feeds and auto-revokes affected credentials before you even hear about the breach.
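
How a hash-chained, append-only audit log like the one described above exposes edits can be shown with Node.js built-ins only. This is an added example, not Clauth's own code: the record layout (`seq`, `ts`, `event`, `prevHash`, `hash`), the function names and the sample events are assumptions made for illustration.

```javascript
// Added example: hash-chained log and verifier. The record layout is an
// assumption for illustration, not Clauth's actual on-disk format.
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64);

// Each hash covers the previous hash plus this record's fields, so every
// record commits to the entire history before it.
function recordHash(prevHash, seq, ts, event) {
  return createHash("sha256")
    .update(JSON.stringify([prevHash, seq, ts, event]))
    .digest("hex");
}

function append(log, ts, event) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const seq = log.length;
  log.push({ seq, ts, event, prevHash, hash: recordHash(prevHash, seq, ts, event) });
  return log;
}

// Returns { ok: true } or { ok: false, seq, reason } for the first bad record.
function verify(log, expectedHead) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const r = log[i];
    if (r.seq !== i) return { ok: false, seq: i, reason: "sequence gap" };
    if (r.prevHash !== prev) return { ok: false, seq: i, reason: "broken link" };
    if (r.hash !== recordHash(r.prevHash, r.seq, r.ts, r.event))
      return { ok: false, seq: i, reason: "content modified" };
    prev = r.hash;
  }
  // A truncated tail is still a valid chain; only a head hash kept elsewhere catches it.
  if (expectedHead !== undefined && prev !== expectedHead)
    return { ok: false, seq: log.length, reason: "head mismatch" };
  return { ok: true };
}

// Constructed sample events (not real Clauth log output).
function sampleLog() {
  const log = [];
  append(log, "2025-01-01T09:00:00Z", { type: "grant", skill: "my-agent", scope: "github:read" });
  append(log, "2025-01-01T09:01:00Z", { type: "request", skill: "my-agent", scope: "github:read" });
  append(log, "2025-01-01T09:02:00Z", { type: "blocked", skill: "my-agent", scope: "stripe:charges" });
  return log;
}
```

The chain by itself does not reveal removal of the newest records or a full rewrite with recomputed hashes, which is why `verify` also accepts a head hash stored somewhere the log writer cannot modify.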
