Open Source · Apache 2.0

2FA for AI Agents

One command. Any agent. Unbypassable.

MCP is how agents use tools. ACP is how humans control agents.

terminal
$ npm install -g @acp/cli
$ acp init --channel=telegram
$ acp run -- openclaw gateway
# ✓ Agent wrapped. Approval required for sensitive actions.

Agents have unlimited power

AI agents can send emails, run shell commands, transfer money, and deploy to production, but there's no universal way to ensure a human said "yes" first.

Every agent framework has its own half-baked "human-in-the-loop" that the agent can bypass. Give an agent shell access, and it has the same power as root.

💀

Shell Access = Root

An agent with exec() can run anything. Install packages, delete files, exfiltrate data. No guardrails.

📧

Credential Theft

API keys in environment variables? The agent can read them. And send them anywhere.

💸

Financial Risk

Stripe keys, bank APIs, payment webhooks. One bad tool call could cost real money.

🔓

Bypassable Controls

Framework-level "approval" lives in the same process as the agent. It can be skipped programmatically.

Network-level agent containment

ACP sits between your agent and the real world. Every sensitive action requires your explicit approval. The agent literally cannot bypass it.

🤖 Agent → 🛡️ ACP Proxy → 📱 Human Approval → ⚡ Real Tools
1

Wrap Your Agent

ACP creates a sandboxed environment. Your agent runs inside it with no direct access to credentials or network.

2

Get Notified

When the agent tries something sensitive (shell commands, API calls, file writes), you get a Telegram notification with full context.

3

Approve or Deny

One tap on your phone. The agent waits for your decision. No approval = no execution. It's that simple.

ACP Agent Control
bot · online
🔔 Action Requires Approval

Tool: exec
Command: rm -rf ./build && deploy.sh prod
Risk: ⚠️ High
Agent: claude-dev-agent

Tap below to approve or deny this action.
✓ Approve
✕ Deny

Not another framework plugin

ACP works at the infrastructure level. It doesn't care what framework, language, or model you use.

Feature               LangGraph  CrewAI  MCP  ACP
Works with any agent  ✕          ✕       ✕    ✓
Agent can bypass      Yes        Yes     N/A  No
Network enforced      ✕          ✕       ✕    ✓
Needs code changes    Yes        Yes     Yes  No
Credential isolation  ✕          ✕       ✕    ✓

Start simple. Scale when ready.

From zero-config to production hardening in three levels.

Level 1

Try It

30 seconds

Interactive terminal prompts. Zero configuration. Just wrap your command and approve in the terminal.

  • Zero config needed
  • Terminal-based approval
  • Works immediately
Level 2

Mobile Approval

2 minutes

Connect Telegram. Approve actions from your phone. One environment variable to set up.

  • Telegram integration
  • Approve from anywhere
  • Rich action context
Level 3

Production

10 minutes

Full network isolation. Credential vault. Audit trail. Policy engine. Enterprise-ready.

  • Network isolation
  • Credential vault
  • Custom policies & audit trail

Up and running in 60 seconds

1

Install

bash
$ npm install -g @acp/cli
2

Initialize with Telegram

bash
$ acp init --channel=telegram
3

Store your secrets

Credentials go in the vault; the agent never sees them directly.

bash
$ acp secret set OPENAI_API_KEY=sk-...
4

Run your agent

Wrap any command. ACP handles the rest.

bash
$ acp run -- python my_agent.py

Make your agent install its own leash

Copy this prompt and paste it into any AI agent with shell access. The agent will install ACP on itself. One paste, and you're in control.

Agent Setup Prompt

I need you to install and configure ACP (Agent Consent Protocol) on this system. ACP adds human approval to your tool calls so I can authorize sensitive actions.

Steps:
1. Run: npm install -g @acp/cli
2. Run: acp init --channel=telegram
3. When prompted for bot token, use: [YOUR BOT TOKEN]
4. When prompted for chat ID, use: [YOUR CHAT ID]
5. Verify it works: acp run -- echo "ACP is working"
6. Now configure ACP to wrap your main process. Update your startup command to: acp run -- [your current startup command]

After this, any sensitive tool calls you make will require my approval via Telegram before executing. You cannot bypass this; it's enforced at the network level.

Test it by trying to run a shell command. I should receive an approval request on Telegram.

Fine-grained control rules

Define exactly what your agent can and can't do. Allow reads, gate shell access, block financial actions, all in a simple YAML config.

yaml: acp-policy.yml
default_action: ask

rules:
  - match: { category: read }
    action: allow

  - match: { tool: exec }
    action: ask
    level: high

  - match: { category: financial }
    action: deny

How policies work

ACP evaluates rules top-to-bottom. The first matching rule wins. Unmatched actions fall through to the default.

  • ✓ allow: Action executes immediately, no prompt
  • ⚠ ask: You get a notification and must approve
  • ✕ deny: Blocked unconditionally. Agent gets an error.

Combine with level: high to require extra confirmation for dangerous operations.
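
The first-match evaluation described above, as an added example that is not ACP's own code: it runs the sample policy over constructed actions and shows that a broad allow rule placed above a narrower ask rule decides first. The action shape ({ tool, category }), the tool names and the function names are assumptions for illustration.

```javascript
// Added example: first-match policy evaluation as the page describes it.
// Not ACP's implementation; the action shape { tool, category } is assumed.
const policy = {
  default_action: "ask",
  rules: [
    { match: { category: "read" }, action: "allow" },
    { match: { tool: "exec" }, action: "ask", level: "high" },
    { match: { category: "financial" }, action: "deny" },
  ],
};

// A rule matches when every key in its `match` block equals the action's value.
function ruleMatches(rule, action) {
  return Object.entries(rule.match).every(([key, value]) => action[key] === value);
}

// Walk the rules top to bottom; the first match decides.
// If nothing matches, fall through to default_action (rule index -1).
function evaluate(policy, action) {
  for (let i = 0; i < policy.rules.length; i++) {
    const rule = policy.rules[i];
    if (ruleMatches(rule, action)) {
      return { action: rule.action, level: rule.level ?? null, rule: i };
    }
  }
  return { action: policy.default_action, level: null, rule: -1 };
}

// Constructed sample actions (hypothetical, not captured from a real agent).
const samples = [
  { tool: "read_file", category: "read" },
  { tool: "exec", category: "shell" },
  { tool: "stripe_charge", category: "financial" },
  { tool: "send_email", category: "network" }, // no rule matches: default applies
  { tool: "exec", category: "read" },          // rule 0 matches before the exec gate
];

function decideAll() {
  return samples.map((a) => evaluate(policy, a).action);
}

console.log(decideAll());
```

Under first-match ordering, a narrow gate such as tool: exec only takes effect for actions that no earlier, broader rule has already matched, so rule order is worth reviewing whenever a rule is added.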