Agent access control
A proxy that sits between your AI agent and your accounts. Gmail and Telegram today. You set the rules — what's allowed, what needs approval, what's blocked.
12:04:11 allow gmail messages.list — claude
12:04:12 allow tg dialogs.list — claude
12:04:14 gate gmail messages.send — claude
waiting for approval...
12:04:18 approved via telegram — @user
12:04:19 allow tg messages.send — agent-2
12:04:22 deny gmail messages.trash — rogue-bot
THIS ACTUALLY HAPPENED
“Confirm before acting” was on. Didn't matter. The agent blew through deletions faster than the user could react. No kill switch. No undo.
With AskFirst, deletes are blocked by default. The agent never even gets the chance.
THE PROBLEM
One token, unlimited power
OAuth tokens and session keys give agents full access. Read, write, delete — there's no granularity.
Prompt injection is real
A malicious email or message can hijack your agent into forwarding data, deleting content, or acting on your behalf.
No audit trail
Your agent read 500 messages and sent 3 replies? You'll never know. There's no log of what happened.
No approval step
Agents act instantly. There's no pause button, no review step, no way to intervene before damage is done.
HOW IT WORKS
Link your Gmail or Telegram. Credentials are encrypted — your agent never sees them.
Allow reads, gate writes, block deletes. Different rules per agent, per account.
Point your agent at AskFirst instead of the real API. Same interface, but every action goes through your policy engine.
FEATURES
messages.list? Auto-allow. messages.send? Needs approval. messages.delete? Blocked. Granular control for every operation.
Risky action? You get a Telegram message with full context. Approve or deny with one tap.
Every request logged — what was called, which agent, what happened. Filterable. Permanent.
Different agents get different permissions. Revoke any key instantly.
If it calls an API, it works with AskFirst. Claude, GPT, custom scripts — change one URL.
Your OAuth tokens and Telegram sessions are encrypted at rest. Agents get proxy keys — never real credentials.
INTEGRATION
# Before — agent holds your raw Google token
curl -H "Authorization: Bearer ya29_REAL_TOKEN" \
  "https://gmail.googleapis.com/gmail/v1/users/me/messages"

# Gmail — same API, through AskFirst
curl -H "Authorization: Bearer aw_AGENT_KEY" \
  "https://api.askfirst.io/proxy/CONN/gmail/v1/users/me/messages"

# Telegram — read last messages (URL quoted so the shell does not expand "?")
curl -H "Authorization: Bearer aw_AGENT_KEY" \
  "https://api.askfirst.io/proxy/CONN/telegram/v1/dialogs/CHAT/messages?limit=10"
Same response. Reads are logged. Writes need approval. Deletes are blocked.
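The allow / gate / deny model described above, as an added sketch that is not AskFirst's code or policy format: the rule tuples, `decide`, `enforce` and the approver callback are hypothetical names, and the requests replay the sample activity log at the top of this page. Anything no rule matches is denied, and a gated call with no approval answer is blocked.

```python
from fnmatch import fnmatchcase

# Hypothetical rule format (not AskFirst's): (agent, service, operation, decision).
# Patterns use shell-style wildcards; the first matching rule wins.
RULES = [
    ("*",       "*",  "messages.trash",  "deny"),   # destructive calls first
    ("*",       "*",  "messages.delete", "deny"),
    ("agent-2", "tg", "messages.send",   "allow"),  # per-agent exception
    ("*",       "*",  "messages.send",   "gate"),   # writes wait for a human
    ("*",       "*",  "*.list",          "allow"),  # reads pass through
]

def decide(agent, service, operation, rules=RULES):
    for r_agent, r_service, r_op, decision in rules:
        if (fnmatchcase(agent, r_agent) and fnmatchcase(service, r_service)
                and fnmatchcase(operation, r_op)):
            return decision
    return "deny"  # default deny: unknown operations never reach the upstream API

def enforce(agent, service, operation, approver, audit):
    """Return True if the call may be forwarded upstream; always log the outcome."""
    decision = decide(agent, service, operation)
    if decision == "gate":
        # approver returns True, False, or None (no answer before the timeout);
        # only an explicit True forwards the call, so silence fails closed.
        answer = approver(agent, service, operation)
        outcome = "approved" if answer is True else "rejected"
    else:
        outcome = decision
    audit.append((decision, service, operation, agent, outcome))
    return outcome in ("allow", "approved")

# Constructed requests mirroring the sample log on this page.
REQUESTS = [
    ("claude", "gmail", "messages.list"),
    ("claude", "tg", "dialogs.list"),
    ("claude", "gmail", "messages.send"),
    ("agent-2", "tg", "messages.send"),
    ("rogue-bot", "gmail", "messages.trash"),
]

def replay(approver):
    audit = []
    forwarded = [enforce(a, s, op, approver, audit) for a, s, op in REQUESTS]
    return forwarded, audit

if __name__ == "__main__":
    for entry in replay(lambda *_: True)[1]:
        print(*entry)
```

Putting the deny rules ahead of the wildcard rules matters with first-match evaluation: a broad allow placed earlier would shadow them.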
INTEGRATIONS
We're building connectors for all the services your agents use. Gmail and Telegram are live — the rest are coming soon.
Gmail (Live)
Read, send, and manage email with full policy control
Telegram (Live)
Read chats, send messages, manage contacts — all with policy controls
Twitter / X (Coming soon)
Post tweets, read DMs, manage your timeline
GitHub (Coming soon)
Create issues, push code, manage repos
Discord (Coming soon)
Send messages, manage servers, create channels
Google Drive (Coming soon)
Upload files, share documents, manage folders
Google Calendar (Coming soon)
Create events, manage invites, check availability
Open Proxy (Coming soon)
Proxy any REST API with custom rules
USE CASES
Developers
Building agents that handle email or messaging? Ship with built-in access control. Your users set the policies.
Power users
Running Claude or GPT with your accounts? Read freely, approve before sending, block deletes. Get a Telegram ping before anything risky.
Nothing humbles you like telling your OpenClaw “confirm before acting” and watching it speedrun deleting your inbox. I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb.