/\_/\
 ( o.o )  ~  zero secrets
  > ^ <
 /|   |\
 (_|   |_)

Secure infrastructure for AI agents

Self-hosted or managed. Zero-trust by default. Your secrets never enter the sandbox.

$ curl -fsSL https://getpaws.dev/install.sh | bash

How it works

Credentials injected, never exposed

  /\_/\
 ( -.- )  zzZ
  > ^ <

Agents run in ephemeral Firecracker microVMs with zero secrets on disk, in env, or in memory. A per-VM TLS proxy intercepts outbound HTTPS and injects credentials on the fly.

1. Agent runs in VM

Each session gets a fresh Firecracker microVM restored from a memory snapshot in under a second. No API keys, no tokens, no secrets inside.

2. TLS proxy intercepts

Outbound HTTPS is transparently routed to a per-VM proxy via iptables DNAT. The proxy terminates TLS and reads the target domain from SNI.

3. Credentials injected

If the domain is allowlisted, the proxy injects the configured API keys as HTTP headers and forwards to the real service. The agent never sees them.

Agent in VM: curl https://api.anthropic.com/v1/messages
  |
  |-- VM resolves api.anthropic.com (real IP)
  |-- iptables DNAT rewrites destination --> per-VM proxy
  |-- Proxy terminates TLS, reads SNI
  |
  |-- Domain in allowlist?
  |   |-- YES: inject x-api-key header, forward to real API
  |   |-- NO:  drop connection (TCP RST)
  |
  |-- Agent sees normal HTTPS response
       Never saw the API key. Not in env, not in memory, not on disk.
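
The allowlist-and-inject decision from the flow above, as an added JavaScript example. It is not paws source code: the policy table, function names, placeholder secrets and the Host-versus-SNI check are assumptions made for illustration.

```javascript
// Added example: illustrative policy logic, NOT the paws source code.
// POLICY is a constructed per-VM config; secret values are placeholders.
const POLICY = new Map([
  ['api.anthropic.com', { header: 'x-api-key', value: 'PLACEHOLDER_ANTHROPIC_KEY' }],
  ['github.com', { header: 'authorization', value: 'Bearer PLACEHOLDER_GITHUB_TOKEN' }],
]);

// Headers the agent must never control on an allowlisted route.
const CREDENTIAL_HEADERS = ['x-api-key', 'authorization', 'proxy-authorization'];

// Lowercase, drop any :port and one trailing dot so comparisons are exact.
function normalizeHost(host) {
  if (typeof host !== 'string') return '';
  return host.trim().toLowerCase().replace(/:\d+$/, '').replace(/\.$/, '');
}

// Decide what to do with one decrypted request.
// sni: server name from the ClientHello; headers: the agent's request headers.
function decide(sni, headers, policy = POLICY) {
  const host = normalizeHost(sni);
  const rule = policy.get(host); // exact match only: no suffix or wildcard logic
  if (!rule) return { action: 'reset', reason: 'domain not allowlisted' };

  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  // The allowlist decision was made on SNI, so the inner Host must agree,
  // otherwise the credential could be attached to a request for another name.
  if (normalizeHost(lower.host) !== host) {
    return { action: 'reset', reason: 'Host header does not match SNI' };
  }

  // Strip anything credential-like the agent sent, then set the real one.
  for (const h of CREDENTIAL_HEADERS) delete lower[h];
  lower[rule.header] = rule.value;
  return { action: 'forward', upstream: host, headers: lower };
}
```

Exact-match lookup means a lookalike name that merely starts with an allowlisted domain is reset, and overwriting credential headers means nothing the agent sends can stand in for the configured key.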

Get started in minutes

Three lines to your first session

Use our SDK from TypeScript, Python, or the CLI. Create a session, submit a workload, get results.

import { createClient } from '@paws/sdk';

const paws = createClient({ baseUrl: 'https://your-server:4000', apiKey: 'paws-...' });
const session = await paws.sessions.create({
  snapshot: 'claude-code',
  workload: { type: 'script', script: 'Review this PR and post comments', env: {} },
});
console.log(session.value.sessionId); // → "a1b2c3..."

  • <800ms: VM restore from snapshot
  • 5: Concurrent VMs per node
  • Zero: Secrets in the sandbox
  • 100%: Open source

Features

Built for zero trust

Everything an AI agent needs to run safely, with nothing it shouldn't have.

Zero secrets in the VM

API keys never enter the sandbox. A per-VM TLS proxy injects credentials at the network layer. If compromised, there is nothing to steal.

Sub-second Firecracker boot

Memory snapshots restore full VMs in under a second. Each session gets a fresh, ephemeral microVM — the same isolation model as AWS Lambda.

Port exposure

Agents run fullstack apps inside the VM. Users access them via port exposure with per-port access control: SSO, PIN, or email allowlist.

Per-VM TLS MITM proxy

Every VM gets its own proxy with an ephemeral CA certificate. One proxy per VM, never shared. Spawned with the VM, killed with the VM.

Agent harness

Claude Code pre-installed. Provide a prompt and constraints, and the workload runs automatically. Bring your own agent framework or use ours.

Domain allowlisting

The VM can only reach domains you explicitly allow. Everything else gets a TCP RST. No cloud metadata endpoint, no lateral movement, no surprises.

What people build

Daemons for every workflow

Trigger agents on events, schedules, or API calls. Each runs in its own isolated VM with injected credentials.

PR Reviewer (webhook)

Claude Code reviews every PR. Runs in isolated VM, posts comments directly to GitHub. Zero API keys in the sandbox.

Security Scanner (schedule)

Scheduled weekly scans. Agent audits dependencies, checks for vulnerabilities, files issues automatically.

Deploy Watcher (webhook)

Triggered on push to main. Agent runs deployment script, verifies health, rolls back on failure.

Issue Triage (webhook)

Webhook on new issues. Agent classifies severity, applies labels, assigns to the right team.

Security architecture

Credential injection flow

  /\_/\
 ( o.o )  < in a box!
 |     |
 +-----+
 |     |
 +-----+

Every outbound request from the VM passes through a per-VM TLS proxy. Credentials are injected at the network layer — never exposed inside the sandbox.

Agent VM

  • SESSION_TOKEN
  • GATEWAY_URL
  • Ephemeral CA cert
  • No API keys
  • No tokens

TLS Proxy (per-VM)

  • iptables DNAT intercept
  • SNI domain check
  • Allowlist validation
  • + x-api-key header
  • + Authorization header

Real API

  • api.anthropic.com
  • api.openai.com
  • github.com
  • Receives full credentials
  • Normal HTTPS

Non-allowlisted domains are blocked

Any outbound request to a domain not in the allowlist gets a TCP RST. No cloud metadata endpoint, no lateral movement, no data exfiltration.

                     API request
                          |
                          v
            +---------------------------+
            |       Control Plane       |     Holds all secrets,
            |    sessions, daemons,     |     credentials, policies
            |   triggers, governance    |
            +-------------+-------------+
                          |
                  dispatch session
                          |
            +-------------v-------------+
            |          Worker           |     Bare metal, /dev/kvm
            |                           |
            |  +---vm-1--------------+  |
            |  | Firecracker VM      |  |     Zero secrets
            |  | Agent + workload    |  |     Ephemeral, disposable
            |  |   |                 |  |
            |  +---|-----------------+  |
            |      |                    |
            |  +---v-----------------+  |
            |  | TLS Proxy           |  |     Injects credentials
            |  | Per-VM, ephemeral   |  |     at the network layer
            |  +---------------------+  |
            +---------------------------+

Open Source

Run it yourself

paws is open source. Deploy on your own infrastructure, audit every line, and own your agent security stack.