Local proxy for AI agents · macOS
Let your agent use your accounts,
without ever giving it your keys.
Pathway is a local proxy between your AI agent and your real services. The agent does the work. Your credentials never leave your Mac, and OpenAI and Anthropic never see them.
Right now you have two options. Both are bad.
You want your agent to do something real: check a balance, categorize charges, pull a report. To do that, it needs access to a high-stakes account. Today that means choosing between:
Give the agent everything
Paste an API key into the chat. Now it lives in the model's context, the provider's logs, and every tool call. One prompt injection from disaster.
Use nothing
Keep the agent in a sandbox and do the task by hand. The capability stays a demo. The useful work goes undone.
Pathway is the third option.
How it works
The key is injected inside the proxy, on your Mac.
The agent talks to Pathway. Pathway talks to your service. The credential lives in the middle and never crosses into the agent.
1. Add a service: Pick a curated service or add your own with an OpenAPI spec.
2. Store the credential: It goes into your Mac's Keychain, hardware-backed and gated by Touch ID.
3. Enable only what you want: Choose the exact operations the agent can call. Read, write, or sensitive.
4. Your agent connects: Over MCP, it sees the enabled operations, never the credential.
5. Pathway makes the call: It injects the secret at call time, strips secrets from the response, and hands back the answer.
The two guarantees
Everything reduces to two promises.
The agent never gets your keys
Credentials are resolved at call time, inside the proxy, never in the prompt, a tool call, a response, or a provider's logs. They live in Apple's hardware-backed Keychain, gated by Touch ID. There is no Pathway server.
Answers: “my credentials will leak.”
The agent can only do what you allow
You choose, per operation: read, write, or sensitive. A prompt injection can't widen it, because the limit is code in the proxy, not a sentence in the prompt.
Answers: “a prompt injection makes my agent do something terrible.”
Granularity
Not “access to Stripe.” Access to this, and nothing else.
Every operation is classified read, write, or sensitive. You enable them one by one. Sensitive operations take a type-to-confirm before they can be turned on.
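| Method | Operation | Classification | State |
|---|---|---|---|
| GET | /v1/balance | read | ✓ on |
| GET | /v1/charges | read | ✓ on |
| GET | /v1/customers | read | ✓ on |
| POST | /v1/refunds | write | off |
| POST | /v1/transfers | sensitive | off |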
The agent can read your balance and charges. It cannot issue a refund or move money; those operations aren't in its reach, no matter what the prompt says.
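A minimal sketch of the proxy step described in "How it works" and of the per-operation policy above, added here as an illustration and not Pathway's own code. The function names, the `[REDACTED]` marker, the 404 answer for disabled operations, and Bearer-token authentication are assumptions; the operations are the ones listed above.

```python
from typing import Callable

# Added illustration: POLICY, list_tools, redact and call are hypothetical
# names, not Pathway's API. Operations mirror the list above.
# (method, path) -> (classification, enabled)
POLICY = {
    ("GET", "/v1/balance"): ("read", True),
    ("GET", "/v1/charges"): ("read", True),
    ("GET", "/v1/customers"): ("read", True),
    ("POST", "/v1/refunds"): ("write", False),
    ("POST", "/v1/transfers"): ("sensitive", False),
}

def list_tools() -> list:
    """Operations advertised to the agent: enabled ones only."""
    return sorted(op for op, (_cls, on) in POLICY.items() if on)

def redact(body: str, secret: str) -> str:
    """Strip any verbatim echo of the secret from an upstream response."""
    return body.replace(secret, "[REDACTED]")

def call(method: str, path: str,
         get_secret: Callable[[], str],
         upstream: Callable[[str, str, dict], tuple]) -> dict:
    """One proxied request. get_secret stands in for the Keychain read,
    upstream for the HTTPS request to the real service."""
    op = (method.upper(), path)
    _cls, enabled = POLICY.get(op, ("", False))
    if not enabled:
        # Default-deny: unknown and disabled operations get the same answer,
        # and the credential is never read for them.
        return {"status": 404, "body": "unknown operation"}
    secret = get_secret()  # resolved only at call time
    status, body = upstream(op[0], path, {"Authorization": f"Bearer {secret}"})
    return {"status": status, "body": redact(body, secret)}

if __name__ == "__main__":
    SECRET = "sk_test_CONSTRUCTED_EXAMPLE"  # constructed sample value

    def fake_upstream(method, path, headers):
        # Constructed upstream that echoes the key in an error message.
        return 401, f"Invalid API key provided: {headers['Authorization'][7:]}"

    print(list_tools())
    print(call("GET", "/v1/balance", lambda: SECRET, fake_upstream))
    print(call("POST", "/v1/transfers", lambda: SECRET, fake_upstream))
```

Exact-match redaction only catches a secret returned verbatim; an upstream that returns it base64- or URL-encoded would need those forms checked as well.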
Compare
“Isn't this just a password manager?”
A vault hands your agent the key, carefully. Pathway never hands it over at all. Both make agent access safer; they draw the trust boundary in different places.
| | A vault that shares the key (e.g. Proton Pass access tokens) | Pathway |
|---|---|---|
| Where the credential ends up | Retrieved into the agent to use | Never leaves the proxy |
| Does the model provider ever see the raw secret? | Yes, once the agent uses it | No |
| What you control | Which credentials (read-only on the vault) | Which operations (read / write / sensitive) |
| Can an injected agent take a dangerous action? | Yes, if the credential allows it | No, disabled operations aren't reachable |
| Where data lives | Encrypted cloud vault | On your Mac · no Pathway server |
Their “read-only” means the agent can't edit your vault, but once it holds your Stripe key, it can do anything Stripe allows. Pathway's control is on the service itself: read the balance, never reach the transfer.
Security
Built so you don’t have to trust us.
A security tool should show its work. Here’s what holds mechanically, not because we promise it, but because of where the credentials live and what the code can and can’t do.
You hold the keys, literally
Your credentials sit in your macOS Keychain, on your machine. We can’t see them, can’t recover them, and can’t be compelled to hand them over, because we never have them.
Biometric-gated
Reading a stored key requires Touch ID and your Mac’s unlock, backed by the Secure Enclave. Not something the agent can trigger on its own.
Nothing phones home
Pathway makes exactly one kind of outbound connection: the API call you explicitly enabled. No analytics, no telemetry, no servers of ours in the loop.
Zero third-party dependencies
Pathway has no external code libraries, so the entire supply-chain attack surface that affects most apps simply doesn’t exist here.
Locked down at the OS level
App Sandbox, Hardened Runtime, and library validation are all on, with only two entitlements. Pathway can’t load unsigned code and can’t be injected into.
Secrets are never echoed back
Even if an upstream API mistakenly returns your key in an error message, Pathway strips it before the agent ever sees the response. Logs record shapes, never values.
Independently audited
No credential has ever been committed anywhere in our codebase, our design skills are SHA-256 pinned, and we run regular security audits and publish the results.
No Pathway in the path
There is no Pathway cloud between your agent and your service. Nothing to subpoena, nothing to breach, no vendor in the chain by design.
And every build reaches you only through Apple’s reviewed, signed pipeline. There’s no silent path from us to your Mac. More in the FAQ →
Services
Start with the accounts that matter most.
Pathway is launching around money, the place the “give it everything or nothing” problem bites hardest. Connect a curated service, or add your own with an OpenAPI spec.
- Stripe
- Coinbase
- Robinhood
- Wise
- Revolut
- PayPal
- + your own
Curated services are being added during early access.
FAQ
The questions we need to ask first.
Can my agent dump Pathway’s memory and read the keys?
No. Pathway runs as its own process, so your agent can’t read its memory any more than it can read your password manager’s. Credentials live encrypted in the macOS Keychain, are resolved only at the moment of an API call, are never passed back to the agent, and the bytes are wiped from memory the instant the call is built. We treat process memory as part of the threat model, not an afterthought, and we will publish exactly how.
What if a rogue agent or prompt injection tries to do more than I allowed?
The blast radius is bounded by what you switched on. Pathway is default-deny: every endpoint is off until you enable it, and a disabled endpoint isn’t just blocked. It’s invisible, never offered to the agent at all. Read endpoints can’t be turned into writes, and sensitive actions (trades, transfers, payments) stay off until you deliberately enable them. Nothing leaves your Mac except the one explicit API call you allowed.
What if Pathway itself has a bug?
We design so that one matters as little as possible, and we don’t ask you to take that on faith. Pathway ships with zero third-party code dependencies, runs inside Apple’s App Sandbox with the Hardened Runtime and only two entitlements (sandbox + outbound network), and has been through an independent security audit. We publish our threat model and audit findings rather than just asserting “trust us.”
What if your team is compromised, couldn’t you push a malicious update?
This is the right question to ask any tool that holds your credentials, and we’ve designed so that the answer is “no silent path.” Pathway is distributed only through the Mac App Store. Every version goes through Apple’s pipeline (upload, review, notarization, and Apple-signed distribution) and your Mac verifies that signature before it runs. We can’t hand a specific user a special build, we can’t push an update outside that reviewed channel, and we deliberately removed our own auto-updater so that no stolen key of ours could bypass it. A malicious build would also still be boxed in by the same App Sandbox and two entitlements every release ships with. Broadening that is a visible, reviewable change, not something we could sneak past. And if something ever did slip through, Apple can pull it and there’s a public record of every version. Our integrity doesn’t rest on trusting us. It rests on a distribution path neither we nor an attacker can quietly route around.
Which agents and clients work?
Anything that speaks MCP: Claude Desktop and Cursor today, more over time. You copy a small config into your client and Pathway shows up as a set of tools.
macOS only?
Yes for now. The on-device, Keychain-backed model is core to the trust claim, so we built it natively on macOS first, using the Secure Enclave, Touch ID, and per-app Keychain access controls directly. Other platforms come once the model is proven.
What does it cost?
Free for now, and invite-only while we’re in early access. We’ll figure out pricing down the road. For now, request access and we’ll be in touch.
Give your agent access. Not your keys.
Pathway is in early access on macOS (TestFlight).
Leave your email and we'll let you in.