# Authsome

> Local credential broker for AI agents. Log in once via OAuth2 or API key. Authsome keeps tokens fresh and injects them at runtime.

## Docs

- [Changelog](https://authsome.agentr.dev/docs/changelog.md): Curated release history. For the full per-commit log, see CHANGELOG.md in the repository.
- [Compared to alternatives](https://authsome.agentr.dev/docs/compared.md): Authsome vs hardcoded environment tokens, SaaS secrets managers, DIY auth code, and OS keychains. Pick the right tool.
- [Architecture](https://authsome.agentr.dev/docs/concepts/architecture.md): Five layers · identity, policy, vault, auth, audit · composed by an explicit orchestrator.
- [Credential storage](https://authsome.agentr.dev/docs/concepts/credential-storage.md): How authsome encrypts, namespaces, and locks the per-profile credential vault.
- [Profiles vs connections](https://authsome.agentr.dev/docs/concepts/profiles-vs-connections.md): When to use a profile and when to use a connection. The two namespaces, why they're different, and the rule of thumb.
- [Provider registry](https://authsome.agentr.dev/docs/concepts/provider-registry.md): How authsome resolves provider definitions from bundled JSON, user overrides, and registered custom providers.
- [Proxy injection](https://authsome.agentr.dev/docs/concepts/proxy-injection.md): How `authsome run` injects auth headers into outbound HTTP requests without exposing secrets to the child process.
- [The local daemon](https://authsome.agentr.dev/docs/concepts/the-daemon.md): How authsome's local HTTP daemon on port 7998 holds in-memory auth sessions and serves the dashboard.
- [Custom providers](https://authsome.agentr.dev/docs/guides/custom-providers.md): Add any OAuth2 or API-key service that authsome doesn't ship as a bundled provider.
- [Headless setup with device code](https://authsome.agentr.dev/docs/guides/headless-device-code.md): Authenticate over SSH or in CI without a local browser by using the OAuth2 Device Authorization Grant.
- [Log in with OAuth](https://authsome.agentr.dev/docs/guides/login-with-oauth.md): Use the PKCE browser flow to authenticate with GitHub, Google, Linear, and other OAuth2 providers.
- [Multiple connections per provider](https://authsome.agentr.dev/docs/guides/multiple-connections.md): Keep two or more accounts on the same provider side by side. Personal vs work GitHub, team vs personal OpenAI, and similar.
- [Profiles and identities](https://authsome.agentr.dev/docs/guides/profiles.md): How authsome scopes credentials after server-registered identities.
- [Run agents with the proxy](https://authsome.agentr.dev/docs/guides/run-agents-with-proxy.md): Use `authsome run` to inject auth headers into outbound requests without exposing secrets to the child process.
- [Use API keys](https://authsome.agentr.dev/docs/guides/use-api-keys.md): Authenticate with OpenAI, Anthropic, and other API-key providers through a secure browser bridge.
- [Introduction](https://authsome.agentr.dev/docs/index.md): Local auth for AI agents. Log in once via OAuth2 or API key. Authsome keeps the credentials fresh for every agent.
- [Installation](https://authsome.agentr.dev/docs/installation.md): Install authsome with pip, uv, or uvx. No build step, no system dependencies beyond Python 3.13.
- [Anthropic SDK](https://authsome.agentr.dev/docs/integrations/agents/anthropic-sdk.md): Use authsome to manage ANTHROPIC_API_KEY. Run agents under the proxy or pass the key at construction.
- [Claude Code](https://authsome.agentr.dev/docs/integrations/agents/claude-code.md): Use authsome from inside Claude Code via the bundled skill. One login, then Claude runs your agents with fresh tokens for every provider.
- [Codex](https://authsome.agentr.dev/docs/integrations/agents/codex.md): Use authsome from OpenAI's Codex CLI. Run agents under the auth proxy so credentials never enter the agent's environment.
- [Cowork](https://authsome.agentr.dev/docs/integrations/agents/cowork.md): Run multi-agent Cowork workflows with per-agent credential isolation using authsome profiles.
- [Cursor](https://authsome.agentr.dev/docs/integrations/agents/cursor.md): Wire Cursor's IDE agent into authsome. MCP servers, shell commands, and inline Python all share one credential vault.
- [Agent frameworks](https://authsome.agentr.dev/docs/integrations/agents/index.md): Drop authsome into any agent framework. Claude Code, Cursor, OpenCode, LangChain, LlamaIndex, and others.
- [LangChain](https://authsome.agentr.dev/docs/integrations/agents/langchain.md): Use authsome with LangChain. Pull fresh tokens at agent construction or run the whole chain under the proxy.
- [LlamaIndex](https://authsome.agentr.dev/docs/integrations/agents/llamaindex.md): Use authsome with LlamaIndex data loaders, LLM clients, and retrievers.
- [NanoClaw, OpenClaw, HermesAgent](https://authsome.agentr.dev/docs/integrations/agents/nanoclaw.md): Lightweight Python agent runners. Use authsome via the proxy or the library.
- [OpenAI Agents SDK](https://authsome.agentr.dev/docs/integrations/agents/openai-agents-sdk.md): Replace OPENAI_API_KEY env-var management with authsome. The Agents SDK works unchanged.
- [OpenCode](https://authsome.agentr.dev/docs/integrations/agents/opencode.md): Run OpenCode agents under authsome. Same proxy and library patterns as the rest of the CLI.
- [Generic Python agent](https://authsome.agentr.dev/docs/integrations/agents/python.md): Any Python script that calls third-party APIs. Run it under the proxy; drop to the library only when embedding.
- [Ahrefs](https://authsome.agentr.dev/docs/integrations/api-key/ahrefs.md): Store and use your Ahrefs API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Apollo](https://authsome.agentr.dev/docs/integrations/api-key/apollo.md): Store and use your Apollo API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Ashby](https://authsome.agentr.dev/docs/integrations/api-key/ashby.md): Store and use your Ashby API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Beehiiv](https://authsome.agentr.dev/docs/integrations/api-key/beehiiv.md): Store and use your Beehiiv API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Brevo](https://authsome.agentr.dev/docs/integrations/api-key/brevo.md): Store and use your Brevo API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Buffer](https://authsome.agentr.dev/docs/integrations/api-key/buffer.md): Store and use your Buffer API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Calendly](https://authsome.agentr.dev/docs/integrations/api-key/calendly.md): Store and use your Calendly API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Clearbit](https://authsome.agentr.dev/docs/integrations/api-key/clearbit.md): Store and use your Clearbit API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Dub.co](https://authsome.agentr.dev/docs/integrations/api-key/dub.md): Store and use your Dub.co API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [G2](https://authsome.agentr.dev/docs/integrations/api-key/g2.md): Store and use your G2 API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Hunter](https://authsome.agentr.dev/docs/integrations/api-key/hunter.md): Store and use your Hunter API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [API-key providers](https://authsome.agentr.dev/docs/integrations/api-key/index.md): Every API-key provider authsome ships out of the box. 31 services with long-lived secrets behind a secure browser bridge.
- [Instantly](https://authsome.agentr.dev/docs/integrations/api-key/instantly.md): Store and use your Instantly API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Intercom](https://authsome.agentr.dev/docs/integrations/api-key/intercom.md): Store and use your Intercom API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Keywords Everywhere](https://authsome.agentr.dev/docs/integrations/api-key/keywords-everywhere.md): Store and use your Keywords Everywhere API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Klaviyo](https://authsome.agentr.dev/docs/integrations/api-key/klaviyo.md): Store and use your Klaviyo API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Lemlist](https://authsome.agentr.dev/docs/integrations/api-key/lemlist.md): Store and use your Lemlist API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Livestorm](https://authsome.agentr.dev/docs/integrations/api-key/livestorm.md): Store and use your Livestorm API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Mailchimp](https://authsome.agentr.dev/docs/integrations/api-key/mailchimp.md): Store and use your Mailchimp API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Mention Me](https://authsome.agentr.dev/docs/integrations/api-key/mention-me.md): Store and use your Mention Me API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [OpenAI](https://authsome.agentr.dev/docs/integrations/api-key/openai.md): Store and use your OpenAI API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Optimizely](https://authsome.agentr.dev/docs/integrations/api-key/optimizely.md): Store and use your Optimizely API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Postmark](https://authsome.agentr.dev/docs/integrations/api-key/postmark.md): Store and use your Postmark API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Resend](https://authsome.agentr.dev/docs/integrations/api-key/resend.md): Store and use your Resend API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Rewardful](https://authsome.agentr.dev/docs/integrations/api-key/rewardful.md): Store and use your Rewardful API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [SavvyCal](https://authsome.agentr.dev/docs/integrations/api-key/savvycal.md): Store and use your SavvyCal API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [SEMrush](https://authsome.agentr.dev/docs/integrations/api-key/semrush.md): Store and use your SEMrush API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [SendGrid](https://authsome.agentr.dev/docs/integrations/api-key/sendgrid.md): Store and use your SendGrid API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Tolt](https://authsome.agentr.dev/docs/integrations/api-key/tolt.md): Store and use your Tolt API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Typeform](https://authsome.agentr.dev/docs/integrations/api-key/typeform.md): Store and use your Typeform API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Wistia](https://authsome.agentr.dev/docs/integrations/api-key/wistia.md): Store and use your Wistia API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Zapier](https://authsome.agentr.dev/docs/integrations/api-key/zapier.md): Store and use your Zapier API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.
- [Atlassian](https://authsome.agentr.dev/docs/integrations/oauth/atlassian.md): Log in to Atlassian from authsome via OAuth2. Tokens are stored locally and refreshed automatically.
- [Discord](https://authsome.agentr.dev/docs/integrations/oauth/discord.md): Log in to Discord from authsome via OAuth2. Tokens are stored locally and refreshed automatically.
- [GitHub](https://authsome.agentr.dev/docs/integrations/oauth/github.md): Log in to GitHub from authsome with OAuth2 PKCE or the device code flow. Tokens are stored locally and refreshed automatically.
- [GitLab](https://authsome.agentr.dev/docs/integrations/oauth/gitlab.md): Log in to GitLab from authsome via OAuth2. Tokens are stored locally and refreshed automatically.
- [Google](https://authsome.agentr.dev/docs/integrations/oauth/google.md): Log in to Google from authsome via OAuth2. Tokens are stored locally and refreshed automatically.
- [HubSpot](https://authsome.agentr.dev/docs/integrations/oauth/hubspot.md): Log in to HubSpot from authsome via OAuth2. Tokens are stored locally and refreshed automatically.
- [OAuth providers](https://authsome.agentr.dev/docs/integrations/oauth/index.md): Every OAuth2 provider authsome ships out of the box. PKCE, device code, and DCR flows.
- [Klaviyo (OAuth)](https://authsome.agentr.dev/docs/integrations/oauth/klaviyo-oauth.md): Log in to Klaviyo (OAuth) from authsome via OAuth2. Tokens are stored locally and refreshed automatically.
- [Linear](https://authsome.agentr.dev/docs/integrations/oauth/linear.md): Log in to Linear from authsome via OAuth2. Tokens are stored locally and refreshed automatically.
- [Microsoft](https://authsome.agentr.dev/docs/integrations/oauth/microsoft.md): Log in to Microsoft from authsome via OAuth2. Tokens are stored locally and refreshed automatically.
- [Notion](https://authsome.agentr.dev/docs/integrations/oauth/notion.md): Log in to Notion from authsome via OAuth2. Tokens are stored locally and refreshed automatically.
- [Notion (DCR)](https://authsome.agentr.dev/docs/integrations/oauth/notion-dcr.md): Log in to Notion (DCR) from authsome via OAuth2. Tokens are stored locally and refreshed automatically.
- [Postiz](https://authsome.agentr.dev/docs/integrations/oauth/postiz.md): Log in to Postiz from authsome via OAuth2. Tokens are stored locally and refreshed automatically.
- [Slack](https://authsome.agentr.dev/docs/integrations/oauth/slack.md): Log in to Slack from authsome via OAuth2. Tokens are stored locally and refreshed automatically.
- [X (Twitter)](https://authsome.agentr.dev/docs/integrations/oauth/x.md): Log in to X (Twitter) from authsome via OAuth2. Tokens are stored locally and refreshed automatically.
- [Quickstart](https://authsome.agentr.dev/docs/quickstart.md): Install authsome, log in to a provider, and run an agent with injected credentials.
- [Audit log format](https://authsome.agentr.dev/docs/reference/audit-log.md): The schema of ~/.authsome/audit.log. One JSON object per line, append-only, written from the CLI and the auth service.
- [Bundled providers](https://authsome.agentr.dev/docs/reference/bundled-providers.md): Every provider authsome ships out of the box. 14 OAuth2 and 31 API-key providers, 45 total.
- [CLI reference](https://authsome.agentr.dev/docs/reference/cli.md): Every authsome command, flag, and exit code.
- [HTTP daemon API](https://authsome.agentr.dev/docs/reference/daemon-api.md): Every route the local authsome daemon exposes on 127.0.0.1:7998. Health, auth sessions, connections, providers, proxy resolution, dashboard UI.
- [Environment variables](https://authsome.agentr.dev/docs/reference/environment-variables.md): Variables authsome reads, writes, and injects into subprocesses.
- [Filesystem layout](https://authsome.agentr.dev/docs/reference/file-layout.md): What lives under ~/.authsome. Every file, its purpose, and its permissions.
- [Provider schema](https://authsome.agentr.dev/docs/reference/provider-schema.md): Every field in a provider JSON definition.
- [Python library](https://authsome.agentr.dev/docs/reference/python-library.md): Use authsome from Python. AuthService is the public entry point; AuthLayer composes the building blocks.
- [Roadmap](https://authsome.agentr.dev/docs/roadmap.md): What's landed, what's next, and what's deliberately out of scope. The layered architecture's planned layers and the open questions behind them.
- [Daemon trust boundary](https://authsome.agentr.dev/docs/security/daemon-trust-boundary.md): What the loopback-only daemon model protects against in v1, and what it doesn't.
- [Responsible disclosure](https://authsome.agentr.dev/docs/security/disclosure.md): How to report a security issue in authsome.
- [Encryption at rest](https://authsome.agentr.dev/docs/security/encryption.md): How authsome encrypts credentials in the local vault. AES-256-GCM, key wrap, and the two backends.
- [Hosted deployment model](https://authsome.agentr.dev/docs/security/hosted-deployment.md): Running a shared authsome daemon on a trusted private network. The constraints, the env vars, and what's still missing.
- [Threat model](https://authsome.agentr.dev/docs/security/threat-model.md): What authsome protects against, what it doesn't, and where the trust boundaries sit.
- [Daemon issues](https://authsome.agentr.dev/docs/troubleshooting/daemon-issues.md): Diagnose port 7998 conflicts, lost sessions on restart, and broken daemon discovery.
- [Diagnose with `doctor`](https://authsome.agentr.dev/docs/troubleshooting/doctor.md): Run health checks on directory layout, encryption, and provider parsing, and read the output.
- [OAuth callback errors](https://authsome.agentr.dev/docs/troubleshooting/oauth-callbacks.md): Diagnose `redirect_uri_mismatch`, port-in-use, browser-not-opening, and timeout errors during PKCE login.
- [Proxy networking](https://authsome.agentr.dev/docs/troubleshooting/proxy-networking.md): Diagnose TLS errors, certificate trust, pinned-cert SDKs, and corporate proxy interactions.
- [Token refresh failures](https://authsome.agentr.dev/docs/troubleshooting/token-refresh.md): Diagnose why a stored OAuth2 token failed to refresh and recover the connection.

## OpenAPI Specs

- [openapi](https://authsome.agentr.dev/docs/api-reference/openapi.json)