Up and running in 2 minutes
Install the CLI, authenticate with any SaaS provider once, and start dispatching intents immediately.
# No install needed — npx works immediately
npx agentdom@latest setup linear.app # OAuth PKCE
npx agentdom@latest setup resend.com # API key prompt
npx agentdom@latest run "Create a Linear ticket for the login crash"
# For permanent install — fix permissions first (macOS)
mkdir -p ~/.npm-global && npm config set prefix ~/.npm-global
echo 'export PATH="$HOME/.npm-global/bin:$PATH"' >> ~/.zshrc && source ~/.zshrc
npm install -g agentdomdispatch_intent
The single function that makes AgentDOM work. Agents declare what they want — AgentDOM picks the fastest available transport (API › CLI › Browser › Desktop).
// Dispatch a single intent directly
dispatch_intent("issues.create", {
title: "Login crash on iOS 17",
priority: 1,
teamId: "ENG"
}, "linear.app")
// → wallet fetches Keychain token
// → POST https://api.linear.app/graphql
// → { success: true, issue: { id: "ENG-42" } }| Transport | Used when | Latency |
|---|---|---|
api | Provider has REST/GraphQL manifest | ~120ms |
cli | CLI tool available locally | ~200ms |
browser | No API, falls back to CDP web automation | ~300ms |
desktop | Native macOS app via Accessibility API | ~100ms |
Connect to Claude, Cursor, or any MCP client
AgentDOM runs as an MCP server (stdio). Any agent framework that speaks MCP gets 50+ tools automatically.
# Claude Code — add in one command
claude mcp add agentdom-desktop -- node \
$(npm root -g)/agentdom/desktop-mcp-server.js
# claude_desktop_config.json
{
"mcpServers": {
"agentdom": {
"command": "node",
"args": ["$(npm root -g)/agentdom/desktop-mcp-server.js"]
}
}
}| Tool exposed via MCP | What it does |
|---|---|
dispatch_intent | Execute any intent on any connected provider |
wallet_auth | Authenticate a new provider |
wallet_list | List all authenticated providers |
policy_list | Show current policy rules |
memory_recall | Search past agent runs |
clickElement | Click by label — no selectors needed |
typeText | Type into any input field |
observe | Read desktop state, clipboard, running apps |
The only step that needs a human
Run agentdom setup once per provider. It handles OAuth, device flow, or API key prompts automatically — then stores the token in your OS Keychain. After this, agents run forever without any human involvement.
# One-time setup — run this once per provider, then agents run forever
agentdom setup linear.app # opens browser → OAuth PKCE → refresh token stored
agentdom setup github.com # device flow → enter code at github.com/login/device
agentdom setup resend.com # prompts for API key → stored in Keychain
agentdom setup openrouter.ai --key=sk-or-v1-xxx # non-interactive
# Check what's set up
agentdom setup --list
# After setup — package credentials for your agent
agentdom wallet export --base64 --providers=linear.app,resend.com
# → AGENTDOM_WALLET_B64=eyJ3YWxsZXQi... (single env var)OAuth PKCE
Browser opens once. Approve. Refresh token stored forever.
Device Flow
Enter code at URL. No redirect. Works in any terminal.
API Key
Paste once. Encrypted in Keychain. Never asked again.
Tokens that never leave your machine
One consent per provider. Tokens stored in your OS Keychain (macOS Keychain Access, Windows Credential Manager, Linux libsecret). Auto-refreshed 5 minutes before expiry.
OAuth 2.0 PKCE
Opens browser for user consent. No client secret needed. PKCE secured.
Device Flow
For GitHub and headless environments. No browser required.
API Key
Prompts once, stores securely in Keychain. Never in plaintext.
Auto-refresh
Background scheduler refreshes tokens 5 min before expiry silently.
Give credentials to your agent
After agentdom setup, export your wallet and inject it into any agent — Docker container, serverless function, CI job, or remote server. Three delivery methods, zero human interaction at runtime.
# 3 ways to give an agent its wallet — no human at runtime
# Option 1: Base64 (Docker / serverless / CI)
export AGENTDOM_WALLET_B64=$(agentdom wallet export --base64 --providers=resend.com)
docker run -e AGENTDOM_WALLET_B64=$AGENTDOM_WALLET_B64 your-agent
# Option 2: File path (server / multi-agent)
agentdom wallet create --agent=email-bot --providers=resend.com
AGENTDOM_WALLET_PATH=~/.agentdom/email-bot.wallet.json agentdom goal "..."
# Option 3: Env vars (GitHub Actions / Doppler / Vercel)
agentdom wallet env # prints these:
export AGENTDOM_RESEND_COM_KEY=re_xxx
export AGENTDOM_LINEAR_APP_KEY=lin_xxx| Command | Purpose |
|---|---|
agentdom wallet list | Show all stored credentials |
agentdom wallet export --base64 | Single env var for Docker/CI |
agentdom wallet create --agent=id | Scoped wallet per agent identity |
agentdom wallet import <file|b64> | Load wallet from file or string |
agentdom wallet env | Print shell export lines |
agentdom wallet token <host> | Print raw token for a provider |
Publishers issue tokens directly to agents
A new M2M auth standard built on top of .well-known/agentdom.json. Publishers declare an agent_tokens endpoint. Agents call it with their master credential and receive a short-lived, scoped token — no browser redirect, no human approval.
# Publisher declares in .well-known/agentdom.json:
{
"auth": {
"method": "api_key",
"agent_tokens": {
"issue": "POST https://api.yourapp.com/agent-tokens",
"revoke": "DELETE https://api.yourapp.com/agent-tokens/{id}",
"rotate": "POST https://api.yourapp.com/agent-tokens/{id}/rotate",
"scopes": ["emails:send", "domains:read"],
"max_ttl_seconds": 86400
}
}
}
# Agent provisions its own scoped token — no human needed:
agentdom agent-token resend.com --scopes=emails:send --ttl=3600
# → POST /agent-tokens with master key → scoped token stored → auto-rotates
# dispatch_intent uses it automatically:
dispatch_intent("emails.send", { to, subject, html }, "resend.com")
# → secrets.resolve() tries agent_tokens protocol first
# → master key never exposed to agent runtimeAuto-rotation
Tokens rotated 5 min before expiry. Agent never handles stale credentials.
Scoped access
Agent gets only the permissions it needs. Master key stays in vault.
Zero human steps
After one-time setup, agents provision and rotate their own tokens forever.
Publisher-native
Publishers add 5 lines to their manifest. Works with any existing token issuance system.
Human-in-the-loop when it matters
Every intent is classified by side effect before execution. You control which effects need approval, which are auto-allowed, and which are always denied.
// ~/.agentdom/policy.json
{
"per_class": {
"read": "allow",
"external": "prompt", // API writes need approval
"send": "prompt", // emails need approval
"delete": "deny", // never auto-delete
"payment": "deny" // never auto-charge
}
}
// Approve / deny from CLI
agentdom policy show
agentdom approve abc123
agentdom deny abc123Agents that learn and plan
AgentDOM includes two runtime layers that make agents reliable across sessions.
Episodic Memory
Cross-session JSONL store. Agents recall what worked and what failed per provider. Query with agentdom memory recall.
Plan-Execute-Verify
Goals are broken into explicit JSON plans. Each step is policy-checked, executed, and verified. Failures trigger automatic replanning.
Make your API agent-native in 6 steps
Publish a .well-known/agentdom.json manifest and every AgentDOM agent can instantly discover and use your product — no per-framework integration needed.
# Step 1: Generate manifest from your OpenAPI spec
npx agentdom-publisher init \
--openapi=./openapi.json \
--host=api.yourapp.com
# Step 2: Validate locally
npx agentdom-publisher validate
# Step 3: Deploy .well-known/agentdom.json to your server
# Step 4: Verify live
npx agentdom-publisher verify --host=api.yourapp.com
# Step 5: Test a real dispatch
npx agentdom-publisher test \
--host=api.yourapp.com --token=sk-... --intent=contacts.list
# Step 6: Submit to public registry
npx agentdom-publisher submit --host=api.yourapp.com.well-known/agentdom.json
The open standard. Agents fetch this once, cache it, and call your API directly.
{
"version": "1.0",
"host": "api.yourapp.com",
"auth": {
"method": "api_key",
"key_header": "Authorization",
"key_format": "Bearer {token}"
},
"capabilities": [{
"intent": "contacts.create",
"transport": "api",
"method": "POST",
"endpoint": "https://api.yourapp.com/contacts",
"side_effects": ["external"]
}]
}| side_effect value | Meaning | Default policy |
|---|---|---|
read | GET data, no mutation | auto-allow |
external | Write to external service | prompt |
send | Send email / notification | prompt |
delete | Delete a record | deny |
payment | Charge a card | deny |
write_local | Write to local filesystem | allow |
12 built-in polyfill providers
These manifests are bundled with AgentDOM and also served from agentdom.dev/manifests/. Agents work with all of them on day one — no vendor action required.
| Provider | Auth | Intents | Covers |
|---|---|---|---|
linear.app | OAuth2 | 8 | issues, teams, comments |
hubspot.com | OAuth2 | 8 | contacts, deals, companies |
vercel.com | API Key | 8 | deployments, projects, env vars |
slack.com | OAuth2 | 6 | messages, channels, reactions |
notion.so | OAuth2 | 6 | pages, databases, blocks |
supabase.com | API Key | 7 | projects, secrets, SQL |
resend.com | API Key | 5 | emails, domains |
cal.com | OAuth2 | 6 | bookings, availability |
github.com | Device | 811 | repos, issues, PRs, and more |
stripe.com | API Key | 442 | payments, customers, subscriptions |
openai.com | API Key | 5 | chat, embeddings, images |
anthropic.com | API Key | 2 | messages, models |