Authsome

Local credential broker for AI agents. Log in once via OAuth2 or API key; an encrypted local vault stores the credentials, and a local proxy injects them at request time so agents never see raw secret values.

by Agentr · added 2026-05-25

Open the source and read safety notes before installing.

Safety notes

  • Installs and runs a local daemon plus a local HTTPS proxy (`authsome run`) on loopback (`127.0.0.1`). Both processes are long-running and intercept outbound HTTPS to matched provider hostnames.
  • The proxy injects credentials into outbound requests by adding `Authorization` headers; it does not modify request bodies. Agents running behind it will perform live, authenticated API calls against the provider (send emails, post to Slack, charge Stripe, write to GitHub, etc.) using the user's real credentials.
  • The daemon performs background OAuth2 token refresh by contacting each provider's token endpoint. Refresh failures or network outages can leave a provider in a stale state until `authsome login <provider>` is re-run.
  • Network access is required for OAuth flows, background token refresh, and the agent's provider API calls. The proxy itself only listens on loopback; outbound provider traffic leaves the host normally.
  • Installable via `uv tool install authsome` or `pip install authsome`. Standard package-install risk profile applies; verify the package source on PyPI (`authsome`) and the upstream repository (`agentrhq/authsome`) before installing.

Privacy notes

  • Credentials are stored locally in an encrypted vault under `~/.authsome`. They are not transmitted to any Agentr- or Authsome-hosted service.
  • When the agent calls a provider, the local proxy injects the matching OAuth2 token or API key into the outbound request and sends it to that provider (e.g. github.com, openai.com). Credentials reach the provider you authenticated with, by design, since the provider call requires them.
  • OAuth2 access tokens are refreshed in the background by the local daemon, which contacts the provider's token endpoint. Refresh tokens remain in the local vault and are not sent anywhere other than the provider's token endpoint.
  • First-time login uses browser PKCE, device code, or a local browser bridge for API key entry. The browser flow sends user credentials to the provider's own authorization endpoint, not to Agentr.
  • Telemetry is opt-in and respects `DO_NOT_TRACK=1`, `POSTHOG_DISABLED=1`, and `AUTHSOME_ANALYTICS=0`.

Prerequisites

  • Python 3.13+ runtime on the host.
  • Install authsome locally via `uv tool install authsome` (recommended), `pip install authsome`, or `uvx authsome@latest`. Package source is PyPI under the name `authsome`.
  • A user account with each external provider you intend to connect (GitHub, Google, OpenAI, Linear, Slack, Notion, Resend, Stripe, etc.). For OAuth2 providers, the first-time login opens a browser; some providers also support device code flow for headless setup.
  • Network access on the host for the initial OAuth2 / API-key registration and for live API calls the agent makes through the proxy.
  • A Claude Code (or other agentskills.io-compatible agent) session that can reach `127.0.0.1` for the loopback proxy. The agent must trust the local proxy endpoint authsome configures.
  • Acceptance that authsome installs a long-running local daemon and a local HTTPS proxy on loopback. Both must be running while the agent makes provider API calls.

Schema details

Install type: cli
Troubleshooting: No
Source repository stats
Scope
Source repo
Tool listing metadata
Pricing: free
Disclosure: editorial
Application category: DeveloperApplication
Operating system: macOS, Linux, Windows
Full copyable content: `uv tool install authsome`

About this resource

Editorial notes

Authsome fits agent builders that want OAuth2 and API key handling without sending credentials to a third-party service. Log in once via browser PKCE or device code; the encrypted vault sits at `~/.authsome`, and a local HTTPS proxy injects credentials at request time so the agent's process environment never holds raw secrets. 45 providers ship bundled (14 OAuth2, 31 API key), including GitHub, Google, OpenAI, Linear, Slack, Notion, Resend, and Stripe. MIT licensed, Python 3.13+.

Disclosure

Editorial listing. No paid placement or affiliate link is used.

#credentials #agent-auth #agents
