curl + schlussel
is all you need
The local authentication runtime for agents. Codify how users authenticate, guide them through the right steps, and keep sessions safe with native storage and locked refreshes.
Why Schlussel?
Fast
Agents query a formula and get everything: auth flow, API endpoints, headers, specs. No searching the web. Just authenticate and call.
No More Race Conditions
Cross-process locking prevents multiple agents from refreshing the same token simultaneously. One refresh, shared result.
Formula-Driven
All platform knowledge lives in portable JSON recipes. OAuth flows, API keys, PATs. Add new platforms without code changes.
CLI-Native
Agents shell out to Schlussel. No SDKs, no daemons, no servers. Just a binary that does one thing well.
Cross-Platform
Works on macOS, Linux, and Windows. x86_64 and ARM64. Built in Zig for zero dependencies.
Local-First
Credentials never leave your machine. Schlussel is not a cloud service. Your auth, your control.
How It Works
Agent Needs Auth
Your agent (Claude, Codex, custom script) needs to call GitHub, Linear, or any API. Instead of managing tokens itself, it asks Schlussel.
Schlussel Handles the Flow
Schlussel auto-selects a public client and method when available, checks for existing tokens, refreshes if needed (with locking), or guides the user through OAuth. All based on the formula for that platform.
Agent Gets a Token
The agent receives a valid access token. It can now make API calls. Schlussel handles the complexity, the agent stays simple.
The Auth Narrow Waist for Agents
Not every service on the internet exposes an API. Many are hesitant, watching how a new layer of agentic applications and LLMs might extract value from their platforms the same way tech giants once built empires on top of telecommunications infrastructure. The fear is real: become the "dumb pipe" while others capture the margin.
Others do expose APIs, but they are not productized beyond their own SPAs. Browser-generated cookies, CORS restrictions, sessions tied to web flows. The API exists, but it was never meant for you. It was meant for their frontend.
But this tension is not new. TCP/IP became the narrow waist of networking, a simple contract that enabled everything above and below it to evolve independently. The shipping container standardized global trade. HTTP standardized the web. Each time, the "dumb" layer unlocked exponential value for everyone.
Agents talking to APIs is inevitable. The question is not if, but how. Schlussel is our bet on what that narrow waist looks like: a simple contract where authentication flows are codified in portable formulas, sessions are managed locally, and every agent speaks the same language to every API.
We are not building a platform. We are building the shipping container between agents and the services they need to access.
If you are building a service, consider adopting OAuth 2.0 Dynamic Client Registration (RFC 7591) and Device Authorization Grant (RFC 8628). These are the most agent-friendly standards: no browser redirects, no pre-registered clients, just a code on a screen and a polling loop. Perfect for headless environments where LLMs operate.
Built-in Formulas
Schlussel ships with curated formulas for popular platforms. Each formula knows the OAuth endpoints, scopes, and even includes public client credentials when available. Formulas are actively maintained and verified for accuracy. When a formula has a public client, Schlussel auto-selects it. Just run and authenticate.