Access control for AI agents
AgentWall proxies every API call your AI makes. You define what's allowed, what needs approval, and what's blocked. Your credentials never leave your server.
12:04:11 allow messages.list — claude-agent
12:04:12 allow messages.get — claude-agent
12:04:14 gate messages.send — claude-agent
waiting for approval...
12:04:18 approved via telegram — @kiryl
12:04:19 forwarded messages.send — 200 OK
12:04:22 deny messages.trash — random-script
THIS ACTUALLY HAPPENED
Even with “confirm before acting” enabled, the agent speedran through deletions. No policy engine. No kill switch. No audit log. Just raw OAuth access and hope.
AgentWall makes this impossible. Destructive operations are blocked by default. Everything else goes through your rules.
THE PROBLEM
Scopes are too coarse
gmail.modify grants read, write, and delete. You can't separate them at the OAuth level.
Prompt injection is real
A malicious email body could hijack your agent into forwarding data, deleting threads, or sending phishing links.
Zero audit trail
No record of what the agent did. No logs. When something breaks, you have nothing to investigate.
Binary access model
Either hand over your full token or don't connect at all. There's no way to say “read only, ask before writing.”
HOW IT WORKS
Link Gmail, Calendar, or other services via OAuth. AgentWall encrypts your tokens with AES-256-GCM. Your credentials never leave your infrastructure.
Set rules per operation: allow reads, gate sends, block deletes. Assign different permissions to different agents. Use presets or write custom rules.
Point your agent at AgentWall instead of the real API. Same URL format, same responses. High-risk actions trigger a Telegram notification — approve or deny with one tap.
FEATURES
Allow messages.list but gate messages.send and block messages.trash. Every Gmail API operation is individually controllable.
Risky operations trigger an instant Telegram message with context. Approve or deny with one tap.
Every proxied request is logged: operation, decision, gate result, response status, duration. The log is append-only, with no delete endpoint.
Each agent gets its own key with scoped permissions. Claude reads freely, GPT gets gated, unknown scripts get denied.
Same Gmail API, different base URL. Add an Authorization header. No SDK, no wrapper library, no agent code changes.
OAuth tokens encrypted with AES-256-GCM. The encryption key never leaves your server. Agents only see an opaque proxy key.
INTEGRATION
# Before — agent holds your raw Google token
curl -H "Authorization: Bearer ya29_REAL_TOKEN" \
https://gmail.googleapis.com/gmail/v1/users/me/messages
# After — agent calls through AgentWall
curl -H "Authorization: Bearer aw_AGENT_KEY" \
https://your-server/proxy/CONNECTOR_ID/gmail/v1/users/me/messages
Same response. Reads are logged. Writes need approval. Deletes are blocked.
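The allow / gate / deny decision behind those three outcomes can be sketched as below. This is an added example, not AgentWall's own code: the rule format, the agent keys and the fail-closed default for unlisted operations are assumptions, while the routes are the standard Gmail REST paths behind the proxy URL format shown above.

```python
import re
from urllib.parse import urlsplit

# Gmail REST routes -> operation names (subset; names follow the page's log).
ROUTES = [
    ("GET", r"messages", "messages.list"),
    ("GET", r"messages/[^/]+", "messages.get"),
    ("POST", r"messages/send", "messages.send"),
    ("POST", r"messages/[^/]+/trash", "messages.trash"),
    ("DELETE", r"messages/[^/]+", "messages.delete"),
]
# Proxy URL shape from the page: /proxy/CONNECTOR_ID/gmail/v1/users/me/...
PROXY_PATH = re.compile(r"/proxy/[\w-]+/gmail/v1/users/[^/]+/(?P<rest>.+)")

# Constructed per-agent rules keyed by proxy key (hypothetical format).
POLICIES = {
    "aw_claude_demo": {"messages.list": "allow", "messages.get": "allow",
                       "messages.send": "gate", "messages.trash": "deny"},
    "aw_gpt_demo": {"messages.list": "gate", "messages.get": "gate",
                    "messages.send": "gate"},
}

def resolve_operation(method, url):
    """Map a proxied request to an operation name, or None if unrecognized."""
    match = PROXY_PATH.fullmatch(urlsplit(url).path)  # query string is ignored
    if not match:
        return None
    for verb, pattern, operation in ROUTES:
        if verb == method.upper() and re.fullmatch(pattern, match["rest"]):
            return operation
    return None

def decide(authorization, method, url):
    """Return (operation, decision). Assumption: anything unlisted is denied."""
    scheme, _, key = authorization.partition(" ")
    operation = resolve_operation(method, url)
    rules = POLICIES.get(key) if scheme == "Bearer" else None
    if rules is None or operation is None:
        return operation, "deny"  # unknown key or unmapped route: fail closed
    return operation, rules.get(operation, "deny")

if __name__ == "__main__":
    base = "https://your-server/proxy/CONNECTOR_ID/gmail/v1/users/me/"
    for key, method, tail in [("aw_claude_demo", "GET", "messages?maxResults=5"),
                              ("aw_claude_demo", "POST", "messages/send"),
                              ("aw_claude_demo", "DELETE", "messages/18c0ffee"),
                              ("aw_unknown", "GET", "messages")]:
        print(key, method, tail, decide(f"Bearer {key}", method, base + tail))
```

Resolving the operation from method and path before any policy lookup means a route the table does not know is denied rather than forwarded, so a newly added destructive endpoint stays blocked until a rule names it.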
USE CASES
Developers
Building agents that call Gmail, Calendar, or Slack? Give users control over what your agent does with their data. Ship trust as a feature.
Power users
Running Claude, GPT, or custom agents with your personal accounts? Define exactly what they can touch. Get notified before anything destructive happens.
Open source. Self-hosted. Your tokens stay on your server.
Nothing humbles you like telling your OpenClaw “confirm before acting” and watching it speedrun deleting your inbox. I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb.