Clawgate Api

AsteyaTech-com By AsteyaTech-com ⭐ 3 stars 👁 11 views ▲ 0 votes

Open-source repo for the Clawgate.ai API that is used to enable Face ID and passkey auth for AI agents like OpenClaw. Now your AI agents can leverage your phone's authentication mechanisms for sensitive and high-risk actions that require a human-in-the-loop approval step.

README

# ClawGate API

Open-source API server that gates AI agent actions behind passkey-verified human approval. Agents request permission via API keys, humans approve or deny with WebAuthn passkeys, and approved agents receive short-lived JWT tokens proving authorization.

> **Want it hosted for you?** [ClawGate](https://clawgate.ai) is the fully managed version of this API with an [iOS app](https://apps.apple.com/us/app/clawgate-ai-agent-security/id6758923726), browser push notifications, subscription tiers, and Apple Sign In — so you can start approving agent actions in minutes without deploying anything. [Get started at clawgate.ai →](https://clawgate.ai)

## What is ClawGate?

ClawGate puts a human in the loop for AI agent actions. When an agent wants to do something sensitive — send an email, make a purchase, deploy code — it asks for your approval first. You verify with a passkey (Face ID, Touch ID, or a hardware key), and the agent gets a short-lived token proving you said yes.

This repo contains the core API server. It's the same code that powers [clawgate.ai](https://clawgate.ai), minus the commercial features (Stripe billing, Apple Sign In, iOS app push, subscription tiers).

## Hosted vs Self-Hosted

| | [clawgate.ai](https://clawgate.ai) (Hosted) | This repo (Self-Hosted) |
|---|---|---|
| API server | ✅ Managed | ✅ You deploy |
| iOS app with Face ID | ✅ [App Store](https://apps.apple.com/us/app/clawgate-ai-agent-security/id6758923726) | ❌ Build your own |
| Apple Sign In | ✅ Built-in | ❌ Email registration |
| Push notifications | ✅ iOS + Web | ✅ Web Push only |
| Subscription tiers | ✅ Free + Pro | ❌ No limits |
| Stripe billing | ✅ Built-in | ❌ Not included |
| SSL/domain setup | ✅ Handled | ❌ You configure |
| Database management | ✅ Managed | ❌ You manage |
| Updates & patches | ✅ Automatic | ❌ You pull |

## Quick Start with Docker

```bash
git clone https://github.com/AsteyaTech-com/clawgate-api.git
cd clawgate-api
cp .env.example .env
```

Edit `.env` and set the required secrets:

```bash
openssl rand -base64 32  # Use for JWT_SECRET
openssl rand -base64 32  # Use for API_KEY_SECRET
```

Start everything:

```bash
docker-compose up -d
```

Verify:

```bash
curl http://localhost:3000/health
```

## OpenClaw Plugin

The official plugin enforces approval gates at the infrastructure level — your AI agent literally cannot bypass them.

```bash
openclaw plugins install clawgate
```

The plugin intercepts sensitive tool calls (file deletion, npm publish, database drops, etc.) and requires your Face ID / passkey approval before execution.

- **npm**: [clawgate](https://www.npmjs.com/package/clawgate)
- **Source**: [AsteyaTech-com/clawgate-plugin](https://github.com/AsteyaTech-com/clawgate-plugin)
- **Setup guide**: [clawgate.ai/setup](https://clawgate.ai/setup)

Works with both the self-hosted server and the [clawgate.ai](https://clawgate.ai) hosted service.

## Manual Setup

Prerequisites: Node.js >= 20, PostgreSQL >= 14

```bash
npm install
cp .env.example .env
# Edit .env with your database URL and secrets
npx prisma generate
npx prisma migrate dev
npm run dev
```

## Environment Variables

### Required

| Variable | Description |
|----------|-------------|
| `DATABASE_URL` | PostgreSQL connection string |
| `WEBAUTHN_RP_ID` | Your domain (e.g. `localhost` for dev) |
| `WEBAUTHN_RP_ORIGIN` | Full origin URL (e.g. `http://localhost:3000`) |
| `JWT_SECRET` | JWT signing secret |
| `API_KEY_SECRET` | API key hashing secret |

### Optional

| Variable | Default | Description |
|----------|---------|-------------|
| `PORT` | `3000` | Server port |
| `CORS_ORIGINS` | `http://localhost:3000` | Allowed CORS origins |
| `LOG_LEVEL` | `info` | Pino log level |
| `WEBAUTHN_RP_NAME` | `ClawGate` | Display name for passkey prompts |
| `VAPID_PUBLIC_KEY` | — | Web Push public key |
| `VAPID_PRIVATE_KEY` | — | Web Push private key |
| `VAPID_SUBJECT` | `mailto:[email protected]` | Web Push contact |

## API Endpoints

All routes are prefixed with `/api/v1` unless noted.

| Method | Path | Auth | Description |
|--------|------|------|-------------|
| GET | `/health` | — | Health check |
| POST | `/api/v1/auth/register` | — | Register with email |
| GET | `/api/v1/auth/me` | JWT | User profile |
| POST | `/api/v1/auth/api-keys` | JWT | Create API key |
| GET | `/api/v1/auth/api-keys` | JWT | List API keys |
| DELETE | `/api/v1/auth/api-keys/:id` | JWT | Revoke API key |
| POST | `/api/v1/passkey/register/start` | JWT | Start passkey registration |
| POST | `/api/v1/passkey/register/complete` | JWT | Complete passkey registration |
| POST | `/api/v1/passkey/authenticate/start` | — | Start passkey auth |
| POST | `/api/v1/passkey/authenticate/complete` | — | Complete passkey auth |
| GET | `/api/v1/passkey` | JWT | List passkeys |
| DELETE | `/api/v1/passkey/:id` | JWT | Delete passkey |
| POST | `/api/v1/approval/request` | API Key | Request approval |
| GET | `/api/v1/approval/status/:id` | API Key | Poll approval status |
| POST | `/api/v1/approval/approve/:id` | Passkey | Approve request |
| POST | `/api/v1/approval/deny/:id` | JWT | Deny request |
| GET | `/api/v1/approval/pending` | JWT | Pending approvals |
| GET | `/api/v1/approval/history` | JWT | Approval history |
| POST | `/api/v1/approval/verify-token` | — | Verify approval token |
| POST | `/api/v1/push/subscribe` | JWT | Subscribe to Web Push |
| POST | `/api/v1/push/unsubscribe` | JWT | Unsubscribe |

## What You'd Need to Build a Full ClawGate Replica

This repo gives you the API server. To replicate the full [clawgate.ai](https://clawgate.ai) experience, you'd also need:

### 1. A Client App (Web or Mobile)
The API handles passkey ceremonies server-side, but you need a frontend to:
- Register users and manage passkeys (calls the WebAuthn browser API)
- Display pending approval requests
- Trigger passkey authentication when approving (Face ID, Touch ID, etc.)
- Show approval history and manage API keys

This could be a web app (React, Next.js, etc.) or a native mobile app. The WebAuthn API is supported in all modern browsers and iOS/Android.

### 2. HTTPS and a Domain
WebAuthn requires a secure context. You need:
- A domain name with SSL (Let's Encrypt works great)
- `WEBAUTHN_RP_ID` set to your domain
- `WEBAUTHN_RP_ORIGIN` set to your full HTTPS origin
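As an added example (not code from the clawgate-api repo), the following TypeScript start-up check validates the required variables from the Environment Variables table against the rules this section states: the origin must be https (http is accepted only for localhost, as in the `http://localhost:3000` dev default), and `WEBAUTHN_RP_ID` must be the origin's host or a parent domain of it. The 32-character minimum for the two secrets and the placeholder patterns are this example's own assumptions, chosen to match the `openssl rand -base64 32` values suggested in Quick Start; the function name `checkRequiredEnv` is hypothetical.

```typescript
// Added example, not part of the clawgate-api repo: validate the required
// .env settings before the server starts. WebAuthn rules (from the spec):
// the RP ID must equal the origin's host or be a parent domain of it, and
// the origin must be https except for localhost. The 32-character secret
// minimum and the placeholder patterns are assumptions made for this example.

type RequiredEnv = {
  DATABASE_URL?: string;
  WEBAUTHN_RP_ID?: string;
  WEBAUTHN_RP_ORIGIN?: string;
  JWT_SECRET?: string;
  API_KEY_SECRET?: string;
};

const REQUIRED_NAMES: (keyof RequiredEnv)[] = [
  "DATABASE_URL", "WEBAUTHN_RP_ID", "WEBAUTHN_RP_ORIGIN", "JWT_SECRET", "API_KEY_SECRET",
];
const MIN_SECRET_CHARS = 32; // assumption; `openssl rand -base64 32` yields 44 chars

function parseUrl(s: string): URL | null {
  try {
    return new URL(s);
  } catch {
    return null;
  }
}

/** Returns human-readable problems; an empty array means the config is usable. */
function checkRequiredEnv(env: RequiredEnv): string[] {
  const problems: string[] = [];

  for (const name of REQUIRED_NAMES) {
    if (!env[name]?.trim()) problems.push(`${name} is not set`);
  }

  if (env.DATABASE_URL && !/^postgres(ql)?:\/\//.test(env.DATABASE_URL)) {
    problems.push("DATABASE_URL must be a postgresql:// connection string");
  }

  for (const name of ["JWT_SECRET", "API_KEY_SECRET"] as const) {
    const value = env[name];
    if (!value) continue;
    if (value.length < MIN_SECRET_CHARS) {
      problems.push(`${name} is too short (${value.length} chars, want at least ${MIN_SECRET_CHARS})`);
    }
    if (/^(changeme|secret|password|example)/i.test(value)) {
      problems.push(`${name} looks like a placeholder value`);
    }
  }

  // RP ID: a bare domain, never a URL or host:port.
  const rpId = env.WEBAUTHN_RP_ID?.trim().toLowerCase() ?? "";
  const rpIdIsBare = rpId !== "" && !/[:/]/.test(rpId);
  if (rpId && !rpIdIsBare) {
    problems.push("WEBAUTHN_RP_ID must be a bare domain such as example.com (no scheme, port or path)");
  }

  // Origin: https (or http on localhost), no path/query/fragment, host covered by the RP ID.
  const originRaw = env.WEBAUTHN_RP_ORIGIN?.trim() ?? "";
  const origin = originRaw ? parseUrl(originRaw) : null;
  if (originRaw && !origin) {
    problems.push(`WEBAUTHN_RP_ORIGIN is not a valid URL: ${originRaw}`);
  }
  if (origin) {
    const host = origin.hostname.toLowerCase();
    const isLocal = host === "localhost" || host.endsWith(".localhost");
    if (origin.protocol !== "https:" && !(origin.protocol === "http:" && isLocal)) {
      problems.push("WEBAUTHN_RP_ORIGIN must be https (http is only accepted for localhost)");
    }
    if (origin.pathname !== "/" || origin.search !== "" || origin.hash !== "") {
      problems.push("WEBAUTHN_RP_ORIGIN must be a bare origin (scheme://host[:port]), not a full URL");
    }
    if (rpIdIsBare && host !== rpId && !host.endsWith("." + rpId)) {
      problems.push(`WEBAUTHN_RP_ID "${rpId}" is neither the origin host "${host}" nor a parent domain of it`);
    }
  }
  return problems;
}
```

Call `checkRequiredEnv(process.env)` before the server starts listening and refuse to start if it returns anything; otherwise a mismatched RP ID or a plain-http origin only shows up later as passkey ceremonies that fail in the browser.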

### 3. Web Push Setup (Optional)
For real-time notifications when agents request approval:
- Generate VAPID keys: `npx web-push generate-vapid-keys`
- Set `VAPID_PUBLIC_KEY`, `VAPID_PRIVATE_KEY`, `VAPID_SUBJECT` in your env
- Implement a service worker in your client app to receive push notifications

### 4. Production Infrastructure
- PostgreSQL database (managed services like RDS, Supabase, or Neon work well)
- Container hosting (Railway, Fly.io, AWS ECS, or any Docker host)
- Reverse proxy with SSL termination (nginx, Caddy, or a cloud load balancer)
- Database backups and monitoring

### 5. Agent Integration
Your AI agents need to:
1. Store an API key (created via the dashboard)
2. Call `POST /api/v1/approval/request` when they need permission
3. Poll `GET /api/v1/approval/status/:id` until approved/denied/expired
4. Use the returned JWT token as proof of authorization

## How the Approval Flow Works

```
Agent                          ClawGate API                    User
  |                                |                             |
  |-- POST /approval/request ----->|                             |
  |<---- { requestId } -----------|-- push notification -------->|
  |                                |                             |
  |-- GET /approval/status ------->|                             |
  |<---- { status: PENDING } -----|                             |
  |                                |<-- passkey authenticate ----|
  |                                |<-- POST /approval/approve --|
  |-- GET /approval/status ------->|                             |
  |<---- { status: APPROVED,      |                             |
  |        token: "jwt..." } -----|                             |
  |                                |                             |
  |-- POST /verify-token --------->|                             |
  |<---- { valid: true } ---------|                             |
```
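The Agent Integration steps above and this sequence diagram, as an added TypeScript example of the agent side (not the clawgate plugin's or the API's own code): request approval, poll status with a bounded number of attempts, handle DENIED, EXPIRED and a local timeout, and verify the token through `/approval/verify-token` before acting on it. Details the README does not specify are assumed here and marked in comments: the API key is sent as `Authorization: Bearer <key>`, the request body is `{ action, description }`, and `verify-token` takes `{ token }`. A constructed in-memory transport stands in for the server so the flow runs offline; `fetchTransport` shows how the same client binds to a real deployment.

```typescript
// Added example: agent-side client for the ClawGate approval flow.
// Not part of the clawgate-api or clawgate-plugin repos. Assumed details
// (not stated in the README): the API key travels as "Authorization: Bearer",
// POST /approval/request takes { action, description }, and
// POST /approval/verify-token takes { token }.

type ServerStatus = "PENDING" | "APPROVED" | "DENIED" | "EXPIRED";
type Outcome = ServerStatus | "TIMEOUT"; // TIMEOUT is client-side: we stopped polling

interface ApiResponse {
  status: number;
  body: Record<string, unknown>;
}

/** Transport abstraction so the same client runs against the real API or a fake. */
type Transport = (method: "GET" | "POST", path: string, body?: unknown) => Promise<ApiResponse>;

interface ApprovalResult {
  requestId: string;
  outcome: Outcome;
  token?: string;
  polls: number;
}

/** Real transport over the global fetch (Node 18+ or a browser). */
function fetchTransport(baseUrl: string, apiKey: string): Transport {
  return async (method, path, body) => {
    const res = await (globalThis as any).fetch(`${baseUrl}/api/v1${path}`, {
      method,
      headers: { "Content-Type": "application/json", Authorization: `Bearer ${apiKey}` }, // assumed scheme
      body: body === undefined ? undefined : JSON.stringify(body),
    });
    return { status: res.status, body: (await res.json()) as Record<string, unknown> };
  };
}

const sleep = (ms: number) => new Promise<void>((resolve) => setTimeout(resolve, ms));

/** Request approval and poll until the server decides or we give up. */
async function requestApproval(
  api: Transport,
  action: string,
  description: string,
  opts: { pollMs?: number; maxPolls?: number } = {},
): Promise<ApprovalResult> {
  const pollMs = opts.pollMs ?? 2000;
  const maxPolls = opts.maxPolls ?? 150; // 150 x 2 s = 5 minutes
  const created = await api("POST", "/approval/request", { action, description });
  if (created.status !== 200 && created.status !== 201) {
    throw new Error(`approval request failed: HTTP ${created.status}`);
  }
  const requestId = String(created.body.requestId);
  for (let polls = 1; polls <= maxPolls; polls++) {
    const res = await api("GET", `/approval/status/${requestId}`);
    const status = res.body.status as ServerStatus;
    if (status !== "PENDING") {
      const token = typeof res.body.token === "string" ? res.body.token : undefined;
      if (status === "APPROVED" && token === undefined) {
        throw new Error("APPROVED without a token: refusing to proceed");
      }
      return { requestId, outcome: status, token, polls };
    }
    await sleep(pollMs);
  }
  // Gave up locally. Treat as not approved; the server will expire it on its own.
  return { requestId, outcome: "TIMEOUT", polls: maxPolls };
}

/** Ask the server whether a token is genuine before acting on it. */
async function verifyApprovalToken(api: Transport, token: string): Promise<boolean> {
  const res = await api("POST", "/approval/verify-token", { token });
  return res.body.valid === true;
}

/** Constructed in-memory stand-in for the server: answers PENDING until the
 *  Nth status poll, then returns the configured decision. */
function fakeTransport(decideOnPoll: number, decision: "APPROVED" | "DENIED" = "APPROVED"): Transport {
  const pollCount = new Map<string, number>();
  let nextId = 1;
  return async (method, path, body) => {
    if (method === "POST" && path === "/approval/request") {
      const id = `req_${nextId++}`;
      pollCount.set(id, 0);
      return { status: 201, body: { requestId: id } };
    }
    const m = /^\/approval\/status\/(.+)$/.exec(path);
    if (method === "GET" && m) {
      const id = m[1] ?? "";
      const n = (pollCount.get(id) ?? 0) + 1;
      pollCount.set(id, n);
      if (n < decideOnPoll) return { status: 200, body: { status: "PENDING" } };
      return decision === "APPROVED"
        ? { status: 200, body: { status: "APPROVED", token: `fake-jwt-for-${id}` } }
        : { status: 200, body: { status: "DENIED" } };
    }
    if (method === "POST" && path === "/approval/verify-token") {
      const token = (body as { token?: string }).token ?? "";
      return { status: 200, body: { valid: token.startsWith("fake-jwt-for-") } };
    }
    return { status: 404, body: {} };
  };
}

/** End-to-end run against the fake: approved on the third poll, then verified. */
async function demo(): Promise<ApprovalResult & { verified: boolean }> {
  const api = fakeTransport(3);
  const result = await requestApproval(api, "deploy", "Deploy build 42 to production", { pollMs: 1 });
  const verified = result.token !== undefined && (await verifyApprovalToken(api, result.token));
  return { ...result, verified };
}
```

The two decisions worth copying are the bounded poll loop (an agent that waits forever holds a pending request open indefinitely) and treating every outcome other than a verified APPROVED token as a denial; the token is proof of authorization only once `/approval/verify-token` says so.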

## Tech Stack

- Express 5, TypeScript, Prisma, PostgreSQL
- @simplewebauthn/server for WebAuthn/FIDO2
- Pino for structured logging
- Zod for input validation
- Helmet, rate limiting, input sanitization for security
- web-push for VAPID notifications

## License

Apache License 2.0 — see [LICENSE](./LICENSE) for details.

---

Built by [Asteya Technologies](https://asteyatech.com). If you'd rather not deal with infrastructure, [clawgate.ai](https://clawgate.ai) handles everything for you.