
Open-source repo for the clawgate.ai API, which enables Face ID and passkey authentication for AI agents such as OpenClaw. Your AI agents can use your phone's authentication mechanisms for sensitive, high-risk actions that require a human-in-the-loop approval step.


AsteyaTech-com/clawgate-api


ClawGate API

Open-source API server that gates AI agent actions behind passkey-verified human approval. Agents request permission via API keys, humans approve or deny with WebAuthn passkeys, and approved agents receive short-lived JWT tokens proving authorization.

Want it hosted for you? ClawGate is the fully managed version of this API with an iOS app, browser push notifications, subscription tiers, and Apple Sign In — so you can start approving agent actions in minutes without deploying anything. Get started at clawgate.ai →

What is ClawGate?

ClawGate puts a human in the loop for AI agent actions. When an agent wants to do something sensitive — send an email, make a purchase, deploy code — it asks for your approval first. You verify with a passkey (Face ID, Touch ID, or a hardware key), and the agent gets a short-lived token proving you said yes.

This repo contains the core API server. It's the same code that powers clawgate.ai, minus the commercial features (Stripe billing, Apple Sign In, iOS app push, subscription tiers).

Hosted vs Self-Hosted

| Feature | clawgate.ai (Hosted) | This repo (Self-Hosted) |
|---|---|---|
| API server | ✅ Managed | ✅ You deploy |
| iOS app with Face ID | App Store | ❌ Build your own |
| Apple Sign In | ✅ Built-in | ❌ Email registration |
| Push notifications | ✅ iOS + Web | ✅ Web Push only |
| Subscription tiers | ✅ Free + Pro | ❌ No limits |
| Stripe billing | ✅ Built-in | ❌ Not included |
| SSL/domain setup | ✅ Handled | ❌ You configure |
| Database management | ✅ Managed | ❌ You manage |
| Updates & patches | ✅ Automatic | ❌ You pull |

Quick Start with Docker

```bash
git clone https://github.com/AsteyaTech-com/clawgate-api.git
cd clawgate-api
cp .env.example .env
```

Edit .env and set the required secrets:

```bash
openssl rand -base64 32  # Use for JWT_SECRET
openssl rand -base64 32  # Use for API_KEY_SECRET
```

Start everything:

```bash
docker-compose up -d
```

Verify:

```bash
curl http://localhost:3000/health
```

OpenClaw Plugin

The official plugin enforces approval gates at the infrastructure level — your AI agent literally cannot bypass them.

```bash
openclaw plugins install clawgate
```

The plugin intercepts sensitive tool calls (file deletion, npm publish, database drops, etc.) and requires your Face ID / passkey approval before execution.

Works with both the self-hosted server and the clawgate.ai hosted service.

Manual Setup

Prerequisites: Node.js >= 20, PostgreSQL >= 14

```bash
npm install
cp .env.example .env
# Edit .env with your database URL and secrets
npx prisma generate
npx prisma migrate dev
npm run dev
```

Environment Variables

Required

| Variable | Description |
|---|---|
| DATABASE_URL | PostgreSQL connection string |
| WEBAUTHN_RP_ID | Your domain (e.g. localhost for dev) |
| WEBAUTHN_RP_ORIGIN | Full origin URL (e.g. http://localhost:3000) |
| JWT_SECRET | JWT signing secret |
| API_KEY_SECRET | API key hashing secret |

Optional

| Variable | Default | Description |
|---|---|---|
| PORT | 3000 | Server port |
| CORS_ORIGINS | http://localhost:3000 | Allowed CORS origins |
| LOG_LEVEL | info | Pino log level |
| WEBAUTHN_RP_NAME | ClawGate | Display name for passkey prompts |
| VAPID_PUBLIC_KEY | | Web Push public key |
| VAPID_PRIVATE_KEY | | Web Push private key |
| VAPID_SUBJECT | mailto:admin@example.com | Web Push contact |

API Endpoints

All routes are prefixed with /api/v1 unless noted.

| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /health | | Health check |
| POST | /api/v1/auth/register | | Register with email |
| GET | /api/v1/auth/me | JWT | User profile |
| POST | /api/v1/auth/api-keys | JWT | Create API key |
| GET | /api/v1/auth/api-keys | JWT | List API keys |
| DELETE | /api/v1/auth/api-keys/:id | JWT | Revoke API key |
| POST | /api/v1/passkey/register/start | JWT | Start passkey registration |
| POST | /api/v1/passkey/register/complete | JWT | Complete passkey registration |
| POST | /api/v1/passkey/authenticate/start | | Start passkey auth |
| POST | /api/v1/passkey/authenticate/complete | | Complete passkey auth |
| GET | /api/v1/passkey | JWT | List passkeys |
| DELETE | /api/v1/passkey/:id | JWT | Delete passkey |
| POST | /api/v1/approval/request | API Key | Request approval |
| GET | /api/v1/approval/status/:id | API Key | Poll approval status |
| POST | /api/v1/approval/approve/:id | Passkey | Approve request |
| POST | /api/v1/approval/deny/:id | JWT | Deny request |
| GET | /api/v1/approval/pending | JWT | Pending approvals |
| GET | /api/v1/approval/history | JWT | Approval history |
| POST | /api/v1/approval/verify-token | | Verify approval token |
| POST | /api/v1/push/subscribe | JWT | Subscribe to Web Push |
| POST | /api/v1/push/unsubscribe | JWT | Unsubscribe |

What You'd Need to Build a Full ClawGate Replica

This repo gives you the API server. To replicate the full clawgate.ai experience, you'd also need:

1. A Client App (Web or Mobile)

The API handles passkey ceremonies server-side, but you need a frontend to:

  • Register users and manage passkeys (calls the WebAuthn browser API)
  • Display pending approval requests
  • Trigger passkey authentication when approving (Face ID, Touch ID, etc.)
  • Show approval history and manage API keys

This could be a web app (React, Next.js, etc.) or a native mobile app. The WebAuthn API is supported in all modern browsers and iOS/Android.

2. HTTPS and a Domain

WebAuthn requires a secure context. You need:

  • A domain name with SSL (Let's Encrypt works great)
  • WEBAUTHN_RP_ID set to your domain
  • WEBAUTHN_RP_ORIGIN set to your full HTTPS origin
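As an added example (not code from the clawgate-api project), here is a preflight script that checks the variables listed under Environment Variables together with the HTTPS requirements of this section before the server is started. The one rule taken from the WebAuthn specification is that WEBAUTHN_RP_ID must be the host of WEBAUTHN_RP_ORIGIN or a parent domain of it; the secret-length threshold, the single-label RP ID heuristic, the `report` helper and the sample environments are choices made here, not ClawGate requirements.

```javascript
// Added example, not part of the clawgate-api repo: preflight validation of the
// README's environment variables before `npm run dev` or `docker-compose up`.
// Checks: required keys present; secrets at least 32 characters (the README's
// `openssl rand -base64 32` yields 44) and distinct; WEBAUTHN_RP_ORIGIN a bare
// origin, https unless localhost; WEBAUTHN_RP_ID equal to the origin host or a
// parent domain of it (WebAuthn RP ID rule); no wildcard CORS; VAPID complete.

const REQUIRED = ['DATABASE_URL', 'WEBAUTHN_RP_ID', 'WEBAUTHN_RP_ORIGIN', 'JWT_SECRET', 'API_KEY_SECRET'];
const VAPID = ['VAPID_PUBLIC_KEY', 'VAPID_PRIVATE_KEY', 'VAPID_SUBJECT'];
const MIN_SECRET_CHARS = 32; // threshold chosen here, not a ClawGate requirement

function isLocalhost(host) {
  return host === 'localhost' || host.endsWith('.localhost') || host === '127.0.0.1';
}

// Returns the parsed URL only if `value` is exactly a scheme://host[:port] origin.
function parseBareOrigin(value) {
  try {
    const u = new URL(value);
    return u.origin === value ? u : null;
  } catch {
    return null;
  }
}

// WebAuthn: the RP ID must be the origin's host or a registrable parent of it.
function rpIdMatchesHost(rpId, host) {
  return host === rpId || host.endsWith(`.${rpId}`);
}

function validateEnv(env) {
  const problems = [];
  const add = (key, message) => problems.push({ key, message });

  for (const k of REQUIRED) if (!env[k]) add(k, 'required but not set');

  for (const k of ['JWT_SECRET', 'API_KEY_SECRET']) {
    if (env[k] && env[k].length < MIN_SECRET_CHARS) add(k, `shorter than ${MIN_SECRET_CHARS} chars; generate with: openssl rand -base64 32`);
  }
  if (env.JWT_SECRET && env.JWT_SECRET === env.API_KEY_SECRET) add('API_KEY_SECRET', 'must differ from JWT_SECRET');

  if (env.WEBAUTHN_RP_ORIGIN) {
    const origin = parseBareOrigin(env.WEBAUTHN_RP_ORIGIN);
    if (!origin) {
      add('WEBAUTHN_RP_ORIGIN', 'must be a bare origin such as https://app.example.com (no path or trailing slash)');
    } else {
      if (origin.protocol !== 'https:' && !isLocalhost(origin.hostname)) {
        add('WEBAUTHN_RP_ORIGIN', 'WebAuthn needs a secure context: use https:// (http:// works only for localhost)');
      }
      if (env.WEBAUTHN_RP_ID && !rpIdMatchesHost(env.WEBAUTHN_RP_ID, origin.hostname)) {
        add('WEBAUTHN_RP_ID', `"${env.WEBAUTHN_RP_ID}" is neither the host of ${origin.origin} nor a parent domain of it`);
      }
    }
  }
  if (env.WEBAUTHN_RP_ID && !env.WEBAUTHN_RP_ID.includes('.') && !isLocalhost(env.WEBAUTHN_RP_ID)) {
    add('WEBAUTHN_RP_ID', 'single-label RP IDs other than localhost are almost certainly wrong; use your registrable domain');
  }

  for (const o of (env.CORS_ORIGINS || '').split(',').map((s) => s.trim()).filter(Boolean)) {
    if (o === '*') add('CORS_ORIGINS', 'wildcard exposes the API to every site; list explicit origins');
    else if (!parseBareOrigin(o)) add('CORS_ORIGINS', `"${o}" is not a bare origin`);
  }

  const vapidSet = VAPID.filter((k) => env[k]);
  if (vapidSet.length > 0 && vapidSet.length < VAPID.length) {
    add('VAPID_*', `Web Push needs all of ${VAPID.join(', ')}; missing: ${VAPID.filter((k) => !env[k]).join(', ')}`);
  }
  if (env.VAPID_SUBJECT && !/^(mailto:|https:\/\/)/.test(env.VAPID_SUBJECT)) add('VAPID_SUBJECT', 'must be a mailto: address or https: URL');

  return problems;
}

// Prints the findings for one environment and returns how many there were.
function report(env, label) {
  const problems = validateEnv(env);
  console.log(`${label}: ${problems.length === 0 ? 'OK' : `${problems.length} problem(s)`}`);
  for (const p of problems) console.log(`  ${p.key}: ${p.message}`);
  return problems.length;
}

// Constructed sample: a "production" .env with the usual mistakes.
report({
  DATABASE_URL: 'postgresql://user:pass@db:5432/clawgate',
  WEBAUTHN_RP_ID: 'example.com',
  WEBAUTHN_RP_ORIGIN: 'http://app.other.com',
  JWT_SECRET: 'changeme', API_KEY_SECRET: 'changeme',
  CORS_ORIGINS: '*', VAPID_PUBLIC_KEY: 'constructed-public-key',
}, 'bad prod env');
// Against the real deployment: report(process.env, '.env')
```

Run it as a separate step in your deploy pipeline and refuse to start the server when `report(process.env, '.env')` returns a non-zero count; the RP ID check is the one that most often surfaces only as an opaque passkey failure in the browser, so catching it before startup saves a debugging session.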

3. Web Push Setup (Optional)

For real-time notifications when agents request approval:

  • Generate VAPID keys: npx web-push generate-vapid-keys
  • Set VAPID_PUBLIC_KEY, VAPID_PRIVATE_KEY, VAPID_SUBJECT in your env
  • Implement a service worker in your client app to receive push notifications

4. Production Infrastructure

  • PostgreSQL database (managed services like RDS, Supabase, or Neon work well)
  • Container hosting (Railway, Fly.io, AWS ECS, or any Docker host)
  • Reverse proxy with SSL termination (nginx, Caddy, or a cloud load balancer)
  • Database backups and monitoring

5. Agent Integration

Your AI agents need to:

  1. Store an API key (created via the dashboard)
  2. Call POST /api/v1/approval/request when they need permission
  3. Poll GET /api/v1/approval/status/:id until approved/denied/expired
  4. Use the returned JWT token as proof of authorization

How the Approval Flow Works

```text
Agent                          ClawGate API                    User
  |                                |                             |
  |-- POST /approval/request ----->|                             |
  |<---- { requestId } -----------|-- push notification -------->|
  |                                |                             |
  |-- GET /approval/status ------->|                             |
  |<---- { status: PENDING } -----|                             |
  |                                |<-- passkey authenticate ----|
  |                                |<-- POST /approval/approve --|
  |-- GET /approval/status ------->|                             |
  |<---- { status: APPROVED,      |                             |
  |        token: "jwt..." } -----|                             |
  |                                |                             |
  |-- POST /verify-token --------->|                             |
  |<---- { valid: true } ---------|                             |
```
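The agent-side half of this exchange (steps 1 to 4 of "Agent Integration" above), written as an added example that is not code from the clawgate-api project or the OpenClaw plugin. It runs against an in-memory fake of the API so the whole flow, including the deny, expiry and timeout branches, can be exercised offline. Two things it assumes that the README does not state: the API key is sent as `Authorization: Bearer <key>`, and `POST /approval/request` accepts `{ action, description }`; the fake's response bodies use only the fields shown in the diagram.

```javascript
// Added example, not code from the clawgate-api repo. Agent-side client for the
// README's approval flow, driven against an in-memory fake of the API so it runs
// offline. Assumptions not stated in the README: the API key is sent as
// "Authorization: Bearer <key>", and /approval/request takes { action, description }.

const API_PREFIX = '/api/v1';

function jsonResponse(status, body) {
  return { ok: status >= 200 && status < 300, status, json: async () => body };
}

// Fake ClawGate API modelling the request state machine from the flow diagram:
// PENDING -> APPROVED | DENIED | EXPIRED. `clock` is injectable so tests can
// advance time instead of waiting.
function createFakeClawGate({ apiKey, ttlMs = 60_000, clock = () => Date.now() }) {
  const requests = new Map();
  let seq = 0;
  const fake = {
    lastRequestId: null,
    // The human's decision arrives out of band, after the passkey ceremony.
    approve(id) {
      const r = requests.get(id);
      if (r && r.status === 'PENDING') { r.status = 'APPROVED'; r.token = `jwt.constructed.${id}`; }
    },
    deny(id) {
      const r = requests.get(id);
      if (r && r.status === 'PENDING') r.status = 'DENIED';
    },
    async fetch(url, init = {}) {
      const path = new URL(url).pathname;
      const headers = init.headers || {};
      const body = init.body ? JSON.parse(init.body) : {};
      const authed = headers.Authorization === `Bearer ${apiKey}`;
      const statusMatch = path.match(/^\/api\/v1\/approval\/status\/([^/]+)$/);

      if (path === `${API_PREFIX}/approval/request` && init.method === 'POST') {
        if (!authed) return jsonResponse(401, { error: 'invalid API key' });
        if (typeof body.action !== 'string' || !body.action) return jsonResponse(400, { error: 'action required' });
        const id = `req_${++seq}`;
        requests.set(id, { status: 'PENDING', action: body.action, expiresAt: clock() + ttlMs, token: null });
        fake.lastRequestId = id;
        return jsonResponse(201, { requestId: id });
      }
      if (statusMatch) {
        if (!authed) return jsonResponse(401, { error: 'invalid API key' });
        const r = requests.get(statusMatch[1]);
        if (!r) return jsonResponse(404, { error: 'unknown request' });
        if (r.status === 'PENDING' && clock() >= r.expiresAt) r.status = 'EXPIRED';
        return jsonResponse(200, r.status === 'APPROVED' ? { status: r.status, token: r.token } : { status: r.status });
      }
      if (path === `${API_PREFIX}/approval/verify-token` && init.method === 'POST') {
        const valid = [...requests.values()].some((r) => r.status === 'APPROVED' && r.token === body.token);
        return jsonResponse(200, { valid });
      }
      return jsonResponse(404, { error: 'not found' });
    },
  };
  return fake;
}

// Agent side. `fetch` and `sleep` are injected: pass globalThis.fetch and a real
// timer against a deployed server, or the fake above for tests.
function createAgentClient({ baseUrl, apiKey, fetch, sleep, intervalMs = 2000, timeoutMs = 300_000 }) {
  const headers = { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' };
  async function call(method, path, body) {
    const res = await fetch(`${baseUrl}${API_PREFIX}${path}`, { method, headers, body: body && JSON.stringify(body) });
    if (!res.ok) throw new Error(`${method} ${path} failed: HTTP ${res.status}`);
    return res.json();
  }
  return {
    // Step 2: ask for permission; the API answers with a requestId.
    async requestApproval(action, description) {
      return (await call('POST', '/approval/request', { action, description })).requestId;
    },
    // Step 3: poll until the request leaves PENDING, or give up after timeoutMs.
    async waitForDecision(requestId) {
      for (let waited = 0; waited <= timeoutMs; waited += intervalMs) {
        const body = await call('GET', `/approval/status/${encodeURIComponent(requestId)}`);
        if (body.status !== 'PENDING') return body;
        await sleep(intervalMs);
      }
      return { status: 'TIMEOUT' }; // agent-side outcome, treated like a denial
    },
    // Step 4: the token is the proof of authorization; verify it before acting.
    async verifyToken(token) {
      return (await call('POST', '/approval/verify-token', { token })).valid === true;
    },
  };
}

// Fail-closed gate: `execute` runs only after APPROVED plus a successful token check.
async function runGated(client, action, description, execute) {
  const requestId = await client.requestApproval(action, description);
  const decision = await client.waitForDecision(requestId);
  if (decision.status !== 'APPROVED') return { executed: false, status: decision.status, requestId };
  if (!(await client.verifyToken(decision.token))) return { executed: false, status: 'INVALID_TOKEN', requestId };
  return { executed: true, status: 'APPROVED', requestId, result: await execute(decision.token) };
}

// Stand-alone demo: the "user" approves during the first poll interval.
async function demo() {
  const fake = createFakeClawGate({ apiKey: 'constructed-demo-key' });
  const client = createAgentClient({
    baseUrl: 'http://localhost:3000', apiKey: 'constructed-demo-key', fetch: fake.fetch,
    sleep: async () => fake.approve(fake.lastRequestId), intervalMs: 1, timeoutMs: 10,
  });
  return runGated(client, 'npm publish', 'release v1.2.3', async (token) => `published (token ${token})`);
}
demo().then((r) => console.log(JSON.stringify(r)));
```

The shape worth copying is `runGated`: every branch other than APPROVED plus a passing `verify-token` call leaves `executed: false`, so a denied, expired, timed-out or forged outcome can never run the action. The polling loop caps its own wait rather than polling forever, and the component that actually performs the action is the one that calls `verify-token`, so the agent's in-memory belief that it was approved is never the thing being trusted.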

Tech Stack

  • Express 5, TypeScript, Prisma, PostgreSQL
  • @simplewebauthn/server for WebAuthn/FIDO2
  • Pino for structured logging
  • Zod for input validation
  • Helmet, rate limiting, input sanitization for security
  • web-push for VAPID notifications

License

Apache License 2.0 — see LICENSE for details.


Built by Asteya Technologies. If you'd rather not deal with infrastructure, clawgate.ai handles everything for you.
