AGENT SAFETY · CUSTODIAN PROTOCOL · WEBAUTHN

Security infrastructure for every AI agent.

One custodian protocol. Two products. SafeClaw the app gives users biometric approval over every sensitive agent action — live today. SafeClaw SDK lets developers drop the same safety layer into any agent — coming soon.

Two products. One mission.

LIVE NOW
SafeClaw
For users

Your AI agent gets your face or fingerprint approval before any sensitive action — sending email, moving money, reading files. Built for individuals whose data and authority matter.

COMING SOON
SafeClaw SDK
For developers

A drop-in safety layer for any AI agent. Three lines of code add biometric approval, credential isolation, and audit logging to your stack — without rewriting your agent.


Is SafeClaw (the app) for you?

You're a high-value professional
Lawyers, entrepreneurs, fund managers, professors — a single email could be worth millions, one mistake could trigger a lawsuit.
Your work involves sensitive data
Client records, contracts, medical files, financial statements — a single leak is an irreversible disaster.
You care deeply about data privacy
You don't want AI companies, cloud providers, or even us to see your data. E2E encryption isn't optional — it's the baseline.
You give AI real-world access
Sending emails, calling APIs, making payments, reading files — when AI can touch your money and data, losing control is a cost you can't afford.

Two minutes to set up. Zero trust required.

01 · Register your biometric

Passkey derives encryption keys directly from your biometric. No master password, no recovery backdoor — only your face or fingerprint unlocks the vault.

02 · Connect your services

Add your API keys and service credentials. Everything is encrypted on your device before upload — the server only sees ciphertext, and AI never touches plaintext.

03 · Approve to execute

Your AI agent gets to work. Whenever it encounters a sensitive action — sending emails, reading files, calling APIs — it pauses and waits for your face scan. Full audit trail.


Proof, not promises

Even if we turn rogue, your agent goes rogue, servers are hacked, or disks are stolen — your keys stay safe

All credentials are encrypted on your device with your biometric. The server only stores ciphertext. Without your face, nobody — not the SafeClaw team, not your AI agent, not the cloud provider, not an attacker — can decrypt.

Technical details

Uses the WebAuthn PRF extension to derive a 32-byte key from the authenticator output. Vault contents are encrypted with AES-GCM-256 before any network transmission. The server stores only ciphertext — decryption is impossible without the passkey.

AI never sees your actual credentials

When AI needs to call your services, the proxy injects credentials at runtime. The AI's context window and tool outputs contain no credential material whatsoever.

Technical details

The proxy intercepts outbound requests and injects credentials at runtime. The agent's context window and tool outputs contain no credential material. Locking the vault instantly wipes keys from memory.

Each vault is fully isolated. Stop it and it's gone.

Each vault runs in its own virtual machine with network isolation and zero shared state. Stop the VM and all decrypted state is destroyed instantly.

Technical details

Each vault provisions a dedicated VM with restricted network egress. The relay uses ECIES (P-256 ECDH + AES-GCM) to encrypt data in transit. Instances are ephemeral — stop the VM and decrypted state is gone.


🦞 OpenClaw + SafeClaw

SafeClaw adds a security layer to OpenClaw, so your agent stays capable and under your control.

Sending & Deleting Emails
🦞 OpenClaw alone: The agent drafts, sends, and can bulk-delete emails. Approval flows through the messaging channel — channel access equals approval rights.
With SafeClaw: Every sensitive action is intercepted by SafeClaw. Released only after your face or fingerprint.

Managing API Credentials
🦞 OpenClaw alone: API keys sit in plaintext in local config files. The agent sees them all — reliant on its own restraint.
With SafeClaw: Encrypted at rest by your passkey. Decrypted only when you approve, wiped instantly after.

Payments & Assets
🦞 OpenClaw alone: Private keys sit in plaintext for the agent to use. The agent sees them all — one breach and money could move unnoticed.
With SafeClaw: Cryptographically secured — even a hacked machine or stolen disk can't unlock it. Vanishes after use — no trace left on your machine.

Reading Files
🦞 OpenClaw alone: The agent picks which files to read within its authorized scope. Any sensitive file in that scope can be read in passing.
With SafeClaw: Every read is gated by SafeClaw. You approve each file read.

Under the hood

E2E Encryption Architecture

Client (Your Device)
WebAuthn PRF → HKDF-SHA256 → 32-byte vault key
Plaintext credentials → encrypt(vault_key), AES-GCM-256 → ciphertext blob

ECIES: P-256 ECDH + HKDF + AES-GCM

Server (Zero Knowledge)
Stores ONLY:
• encrypted_blob
• ephemeral_pubkey
• iv + auth_tag
No vault_key · No plaintext · No recovery key

Runtime Injection

Isolated VM
Proxy Layer
• Intercepts outbound
• Injects creds at runtime
• Agent sees nothing
Ephemeral — stop VM
• memory wiped
• keys destroyed
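
The client-side chain in the architecture above (PRF output → HKDF-SHA256 → 32-byte vault key → AES-GCM-256) and the ECIES relay leg (P-256 ECDH + HKDF + AES-GCM), written out in Node.js. This is an added example, not SafeClaw's code: a constructed 32-byte buffer stands in for the authenticator's PRF output, and the function names, HKDF salt and info labels, and AAD choices are assumptions.

```javascript
const crypto = require('node:crypto');

// HKDF-SHA256 to a 32-byte key. The info labels passed in below are assumptions.
const hkdf = (ikm, salt, info) =>
  Buffer.from(crypto.hkdfSync('sha256', ikm, salt, info, 32));

// AES-256-GCM with a fresh 96-bit IV per message; AAD binds the blob to its context.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ciphertext = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ciphertext, auth_tag: c.getAuthTag() };
}

function unseal(key, { iv, ciphertext, auth_tag }, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAAD(aad);
  d.setAuthTag(auth_tag);
  return Buffer.concat([d.update(ciphertext), d.final()]); // final() throws on a bad tag
}

// Client: PRF output -> HKDF-SHA256 -> 32-byte vault key -> AES-GCM blob for upload.
function encryptVault(prfOutput, salt, credentials) {
  const vaultKey = hkdf(prfOutput, salt, 'vault-key');
  return seal(vaultKey, Buffer.from(JSON.stringify(credentials)), Buffer.from('vault-v1'));
}

function decryptVault(prfOutput, salt, blob) {
  const vaultKey = hkdf(prfOutput, salt, 'vault-key');
  return JSON.parse(unseal(vaultKey, blob, Buffer.from('vault-v1')));
}

// Relay: ECIES = ephemeral P-256 ECDH + HKDF + AES-GCM to the recipient's public key.
function eciesEncrypt(recipientPub, plaintext) {
  const eph = crypto.createECDH('prime256v1');
  const ephemeral_pubkey = eph.generateKeys();
  const key = hkdf(eph.computeSecret(recipientPub), ephemeral_pubkey, 'relay');
  return { ephemeral_pubkey, ...seal(key, plaintext, ephemeral_pubkey) };
}

function eciesDecrypt(recipientEcdh, msg) {
  const shared = recipientEcdh.computeSecret(msg.ephemeral_pubkey);
  const key = hkdf(shared, msg.ephemeral_pubkey, 'relay');
  return unseal(key, msg, msg.ephemeral_pubkey);
}
```

Decrypting with a different PRF output, or after any byte of the stored blob changes, fails at the GCM tag check instead of returning data, which is the property the "server only stores ciphertext" claim rests on.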

One Vault, One VM — Complete Isolation

VAULT A — VM-001 · VAULT B — VM-002 · VAULT C — VM-003

Each VM contains:
• Agent Runtime
• Credential Proxy
• Network Egress Filter
• Ephemeral Storage
🔒 Restricted egress

Each vault = Dedicated VM · Isolated network · Isolated storage · Zero shared state

Sensitive Action Approval Protocol

1. AGENT → PROXY: Agent issues outbound request (e.g., Gmail API: send email)
2. PROXY → INTERCEPT: Proxy classifies action risk level (Low / Medium / High)
3. RELAY → USER DEVICE: Push notification with action details + expiry countdown
4. USER → BIOMETRIC APPROVAL: Face ID / Touch ID → WebAuthn assertion → ECIES-encrypted approval
5. PROXY → EXECUTE + LOG: Inject credentials → Execute request → Immutable audit log entry
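
The five steps above, modelled as a proxy-side gate in Node.js. This is an added example, not SafeClaw's code: a P-256 signature stands in for the WebAuthn assertion, and the risk table, the class and function names, the challenge format and the hash-chained log are assumptions. The page does not say how each risk level is handled, so here every level requires approval.

```javascript
const crypto = require('node:crypto');

// Hypothetical policy table: the page names three risk levels, not the rules behind them.
const RISK = { 'gmail.send': 'High', 'drive.read': 'Medium', 'calendar.list': 'Low' };
const digest = (obj) => crypto.createHash('sha256').update(JSON.stringify(obj)).digest('hex');

class ApprovalGate {
  constructor(userPublicKey, ttlMs) {
    this.userPublicKey = userPublicKey;
    this.ttlMs = ttlMs;
    this.pending = new Map(); // challenge -> { actionHash, risk, expires }
    this.log = [];            // audit entries, each chained to the previous hash
  }

  // Steps 1-3: intercept, classify, issue a one-time challenge bound to this exact request.
  intercept(action, now) {
    const risk = RISK[action.type] ?? 'High'; // unknown action types fail closed
    const challenge = crypto.randomBytes(16).toString('hex');
    this.pending.set(challenge, { actionHash: digest(action), risk, expires: now + this.ttlMs });
    return { risk, challenge, expires: now + this.ttlMs };
  }

  // Step 5: release only if the approval is unexpired, unused and signed over this request.
  execute(action, challenge, signature, now) {
    const p = this.pending.get(challenge);
    this.pending.delete(challenge); // single use, even when verification fails
    const ok = Boolean(p) && now <= p.expires && p.actionHash === digest(action) &&
      crypto.verify('sha256', Buffer.from(challenge + p.actionHash), this.userPublicKey, signature);
    // When ok, credential injection and the outbound call happen here, inside the proxy.
    const prev = this.log.length ? this.log[this.log.length - 1].hash : '0'.repeat(64);
    const entry = { type: action.type, ok, at: now, prev };
    this.log.push({ ...entry, hash: digest(entry) });
    return ok;
  }
}

// Step 4 stand-in: the user's device signs challenge + action hash with its private key.
function approve(privateKey, challenge, action) {
  return crypto.sign('sha256', Buffer.from(challenge + digest(action)), privateKey);
}
```

Binding the signature to the request digest means an approval given for one email cannot release a different recipient or body, and deleting the challenge on first use blocks replay of a captured approval.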

Works with major AI models and the services you use

AI Models
Anthropic
OpenAI
Google
DeepSeek
Groq
Mistral (soon)
OpenRouter (soon)
Ollama (soon)
+ Any OpenAI-compatible endpoint
Connected Services
Gmail
Google Drive
Google Calendar
Telegram
WeChat
NodPay
Discord (soon)
GitHub (soon)
Slack (soon)
Notion (soon)
Twilio (soon)
Brave Search (soon)
+ More rolling out

Simple, transparent pricing

All plans include the full security stack: one-click deploy, private server, E2E encryption, biometric approval, audit logs.

Starter · $50 /mo
Bring your own tokens (API Key / Claude Code / Codex subscription)
• Full security infrastructure
• Private server deployment
• End-to-end encryption
• Biometric approval
• Full audit trail

Standard · $70 /mo · POPULAR
Includes OpenAI / Claude basic subscription (value far exceeds $20)
• Everything in Starter
• AI basic subscription included
• All major models supported

Pro · $150 /mo
Includes Claude Pro / OpenAI Plus subscription (value far exceeds $100)
• Everything in Starter
• Claude Pro / OpenAI Plus included
• Switch between models freely

Enterprise · $250 /mo
Includes Claude Max / OpenAI Pro subscription (value far exceeds $200)
• Everything in Starter
• Claude Max / OpenAI Pro included
• Team collaboration
• Unlimited model access

Extra fees go entirely toward your AI subscriptions. SafeClaw takes no markup. Actual subscription value far exceeds the price difference.

SafeClaw SDK — drop-in custodian for any AI agent

Three lines of code. Same security guarantees. Coming soon — get notified.

from safeclaw import Custodian

custodian = Custodian(api_key="...")
agent.use(custodian)  # every sensitive action now waits for approval
Preview API · subject to change before launch.



Finally, you can have your AI assistant.
Don't worry about security.

Two-minute setup. Enterprise-grade encryption.

Open source. Auditable. Self-hostable.