πŸ›‘οΈ The trust layer for AI agents

Let your agent work. Keep your credentials safe. πŸ«†

When your AI agent needs access to Google Calendar, Drive, or Gmail, TapAuth handles the connection β€” so your agent never sees your passwords or long-lived credentials. You approve what it can access, for how long, and revoke anytime.

Get Started β€” FreeView Documentation β†’

Add TapAuth to your agent

One command. Your agent can request OAuth tokens immediately.

Claude Code / Cursor / Codex
npx skills add tapauth/skill
OpenClaw
clawhub install tapauth

Works with any agent that supports Agent Skills.

TapAuth ❀️ OpenClaw

Running AI agents with OpenClaw? TapAuth is the trust layer that gives them secure, scoped OAuth access to GoogleΒ Workspace, Slack, and moreΒ β€” approved by the user, revocable anytime.

Read the Docs β†’See How It Works

Integrations

Connect your agent to the tools you already use.

Google, GitHub, Linear, Slack, Notion, Vercel, Asana, Sentry, Discord, Apify β€” all live today. Every connection is scoped and time-limited, so your agent only gets the access it needs.

Google Calendar logoGoogle Calendarβœ“ Live
Slack logoSlackβœ“ Live
Notion logoNotionβœ“ Live
Asana logoAsanaβœ“ Live
Discord logoDiscordβœ“ Live
Gmail logoGmailComing Soon
Google Drive logoGoogle DriveComing Soon
Google Contacts logoGoogle ContactsComing Soon
+
+ More comingRequest a provider

How It Works

Three steps. Zero OAuth configuration.

1

Agent requests access

Your agent calls the API β€” or just runs $(tapauth google calendar.readonly). TapAuth returns an approval link.

POST /api/v1/grants
{
"provider": "google",
"scopes": ["calendar.readonly"]
}
2

User taps to approve

Your user receives a clean approval link. They see exactly what access is requested, choose an expiry, and approve with one tap.

TapAuth

"MyAgent" wants to read your Google Calendar

⏱ Expires: 7 days

Approve
3

Agent gets a scoped token

Your agent retrieves the token using Bearer auth with the grant_secret. The CLI does this automatically with caching and refresh.

GET /api/v1/grants/{id}
Authorization: Bearer gs_xK9m...
β†’
ya29.a0AfH6SM...

Try It

Ship in 5 minutes. Seriously.

No SDK. No npm install. Just curl β€” or one CLI command.

Terminal
# 1. Request Google Calendar access for your agent
curl -X POST https://tapauth.ai/api/v1/grants \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "google",
    "scopes": ["calendar.readonly", "calendar.events"]
  }'

# Response:
# {
#   "grant_id": "grant_abc123",
#   "grant_secret": "gs_xK9m...",
#   "approval_url": "https://tapauth.ai/approve/abc123",
#   "status": "pending_registration"
# }

# 2. Send the approval_url to your user. They tap it.

# 3. Get the token with Bearer auth (poll until approved)
curl https://tapauth.ai/api/v1/grants/grant_abc123 \
  -H "Authorization: Bearer gs_xK9m..."

# Response:
# {
# ya29.a0AfH6SM...

# 4. Use the token directly with Google Calendar API
curl https://www.googleapis.com/calendar/v3/calendars/\
  primary/events?maxResults=10 \
  -H "Authorization: Bearer ya29.a0AfH6SM..."

Security

Security isn't a feature. It's the architecture.

Your agent never sees your client secrets or refresh tokens. Every grant is scoped to exactly what's needed, time-limited, and revocable with one click. That's not a policy β€” it's how the system is built.

πŸ”’

Encrypted at rest

Every token is encrypted with AES-256-GCM using per-connection derived keys. Master keys never touch the database.

⏱

User-controlled expiry

Users choose how long access lasts: 1 hour, 1 day, 7 days, or forever. Revoke anytime with one click.

πŸ”„

Transparent refresh

Access tokens are refreshed automatically behind the scenes. Your agent always gets a valid token. Zero refresh logic needed.

πŸ“‹

Full audit trail

Every grant creation, token retrieval, and revocation is logged. See exactly which agent accessed what, and when.

🎯

Least privilege scoping

Our scope vocabulary maps to the minimum OAuth scopes needed. "Calendar read" means calendar.readonly β€” nothing more. Agents can't escalate beyond what the user approved.

πŸ›‘οΈ

Grant-secret authentication

Each grant gets a unique grant_secret shown once at creation. Only the agent that created the grant can retrieve its token.

Why TapAuth

Connect once. Stay in control.

Link each service to TapAuth one time. After that, when an agent needs access you've already approved, it's one tap. New requests go through a full approval flow β€” you always see exactly what an agent is asking for. And every grant is revocable with one click.

πŸ“…

User's Google Calendar

(linked once)

Tracyβœ“
Caseyβœ“
Bot 3βœ“

← each gets one-tap approval

Give your agent access β€” without giving away your keys. πŸ«†

Scoped access. Time-limited grants. Revocable anytime. Set up in under 5 minutes.

Get Started β€” Free β†’