Open SourceApache 2.0

Your agent's integration layer,
with guardrails built in.

Use with your existing AI personal assistant 🦞
Just add the new skill.md.

View on GitHubRead the docs
Backed by Y Combinator

Works with the tools you already use

Slack
Linear
GitHub
Gmail
Notion
Jira
Trello
Asana
Discord
Stripe
Shopify
Salesforce
HubSpot
Intercom
Zendesk
Twilio
Slack
Linear
GitHub
Gmail
Notion
Jira
Trello
Asana
Discord
Stripe
Shopify
Salesforce
HubSpot
Intercom
Zendesk
Twilio

Guardrails in the code, not the prompt.

Every other guardrail can be bypassed by the agent. Corsair's can't — the permission layer is in the API, not the instructions.

Other AI tools

Guardrails are instructions to the agent. A sufficiently motivated or confused agent can work around them.

Corsair

Guardrails are permissions in the API layer. The action hits a hard stop. No instruction can override it.

How approval works

1

Your agent calls Gmail

"Send Sarah the Q1 numbers"

2

Corsair intercepts

Send action detected

Hard stop

Cannot proceed without approval

4

Review link sent

Expires in 10 minutes

5

You review the email

Looks right — tap Approve

Email is sent

When you approve

How it works.

When your agent calls a Corsair endpoint, four things happen.

01

Resolves the credential

The credential for that integration is fetched from the encrypted database. The agent never sees raw keys or tokens.

02

Checks the permission policy

Reads pass through immediately. Writes and destructive actions are evaluated against the configured mode for that integration.

03

Executes or pauses

Allowed actions run immediately and return typed results. Actions that require approval are held and a review link is sent to you.

04

Handles retries and errors

Rate limits, transient failures, and auth errors are handled automatically with configurable retry strategies.

Built for agent stacks.

Everything you need to give your agent safe access to the outside world.

Permission modes

Cautious, strict, open, or readonly — set per integration. GitHub strict, Slack cautious. Override individual endpoints as needed.

Encrypted credentials

Stored with envelope encryption. A KEK you control encrypts per-tenant data keys, which encrypt the actual secrets. Nothing leaves your database.

Review links

Risky actions are paused and sent to you as a review link. You approve or deny it, and your agent cannot get around it.

Multi-tenancy

Scope every call and credential to an individual tenant. Isolated credentials, data storage, and permission evaluation per tenant.

Webhook handlers

Typed, signature-verified webhook handlers ship alongside every API endpoint. React to real events — new PR, deal created, incoming email.

Plugin system

Any REST API works. Scaffold a full plugin — schemas, endpoints, webhook handlers, and key builder — with one command.

Pre-built integrations.

15 more in development. Need one that's not here? Ask your coding agent to build a Corsair plugin — any REST API works.

Slack
GitHub
Linear
Gmail
HubSpot
Resend
PostHog
Google Sheets
Google Drive
Google Calendar
Discord
+ Tavily (Web Search)
+ 15 more in development

Permission modes.

Set GitHub to strict and Slack to cautious based on how much you trust each surface. Each integration gets its own mode.

Mode
Reads
Writes
Destructive
cautious

Instant

Instant

Approval required

strict

Instant

Approval required

Blocked

open

Instant

Instant

Instant

readonly

Instant

Blocked

Blocked

Override individual endpoints — lock down releases.create while keeping issues.create open.

Give your agent the keys. Keep the control.

Corsair is open source. Drop it into any agent stack and stop doing the work yourself because you're too scared to hand it off.

View on GitHubJoin Discord