AWP gives your agent a work permit: choose which tools it can use, what emails it can see, and how long the access lasts. Full audit trail. One-click revoke. Works with any MCP-compatible agent.
Works with: Claude, Cowork, ChatGPT, OpenClaw, n8n, or any MCP agent.
Your agent reads unread emails every morning and summarizes what needs attention. It can't see the rest of your inbox.
is:unread · 30 days
Your agent prepares reply drafts. They sit in your Drafts folder. You review and hit send. The agent can't send on its own.
send_draft · 7 days
Get alerted the moment your lead investor or key client emails you. The agent sees emails from that address only.
from:name@fund.com · 90 days
Each permit is a concrete object: it has an agent, a scope, authorized tools, an expiration, and a live audit trail. You create it in seconds. You revoke it in one click.
Agent: claude-cowork
Setup takes about 2 minutes. You connect Gmail, create a permit, and paste the token into your agent.
Sign in with Google. AWP encrypts your OAuth tokens with Google Cloud KMS (AES-256-GCM) and stores them. No agent will ever see these credentials.
Choose which tools the agent can use, set the search scope, pick a duration (1h to 90 days). Use a template or configure from scratch.
Copy the permit token into your agent's MCP config. Works with Claude, Cowork, ChatGPT, OpenClaw, n8n, or any MCP client.
Watch the audit log live. Every action is logged: allowed and denied. Suspend or revoke in one click. Permits auto-expire on schedule.
Your agent can read everything it sees.
AWP decides what it sees.
You don't hand an intern the company credit card on day one. Same logic for agents. Each rung is a permit. Moving up or down takes one click.
The agent searches your inbox but can't read content. It reports what's there: how many unread, who's writing, what subjects.
search_threads only · scope: is:unread · 7 days
The agent reads full threads within its scope. Summarizes, extracts action items, flags urgent messages. Still can't write or send.
search_threads + read_thread + list_labels · scope: is:unread · 30 days
The agent prepares replies. Drafts sit in your Gmail. You review, edit, and hit send yourself. The agent proposes. You decide.
search + read + create_draft · blocked: send_draft · 7 days
All tools. The agent can send what it drafted within the same session. Still scoped, time-bound, IP-locked, and fully audited. Revocable in one click.
Each rung is a permit. The ladder is the product.
7 Gmail tools: search_threads, read_thread, create_draft, send_draft, list_labels, get_attachment, read_contacts. Whitelist exactly the ones the agent needs. Everything else returns a deny with a logged reason.
Search restrictions are injected by AWP before reaching Gmail. is:unread, from:alice@company.com, label:Urgent. The agent sends its query; AWP appends the scope. The agent can't modify or strip it.
Every permit has a deadline: 1 hour, 1 day, 1 week, up to 90 days. When it expires, the token stops working. No manual cleanup. No stale credentials left behind.
The first agent to use the token binds it to its IP. Any subsequent request from a different IP is rejected with a 403 and logged. Enabled by default.
Pause a permit without revoking it. The agent gets a clear "suspended" response. Resume when ready. Useful for debugging or temporary pauses.
Every action is logged: tool called, allowed or denied (with reason), timestamp, source IP, agent ID. No email content is ever stored. Viewable live from the dashboard.
"Inbox triage" (read-only, unread, 30 days), "Full assistant" (all tools, 7 days), "Read-only monitor" (search only, specific sender, 90 days). Start from a template, save your own.
AWP is an MCP server. It works with any MCP-compatible agent: Claude Desktop, Cowork, ChatGPT, OpenClaw, n8n, Cursor, or your own custom agent. No vendor lock-in.
Zero-trust by design. Your agent never gets close to your Google credentials.
AWP holds your Google OAuth tokens, encrypted via KMS. The agent receives a permit token that references the permit, not the inbox. Even if the permit token leaks, the attacker gets a scoped, time-bound, IP-locked token. Not your Google credentials.
Google OAuth tokens encrypted with AES-256-GCM via Google Cloud KMS. Permit tokens hashed with SHA-256. A complete database dump gives an attacker encrypted blobs and hashes.
The scope is injected server-side before the Gmail API call. The agent's search query is rewritten to include the permit's restrictions. The rest of the inbox is not accessible through the permit.
Audit logs record: which tool was called, whether it was allowed or denied, timestamp, source IP, agent ID, and metadata. No email subject, body, attachment, or recipient is stored.
Backend on Fly.io CDG (Paris). KMS keys on Google Cloud europe-west9. No data leaves the EU.
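A sketch of the server-side checks described above (hashed token lookup, suspension, expiry, first-use IP binding, tool allowlist, scope appended to the search), added here as an illustration and not AWP's own code. The `Permit` class, function names, reason strings and sample token are assumptions; rejecting grouping characters in the agent's query is a choice of this sketch so the appended scope always applies to the whole query.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class Permit:  # hypothetical shape, not AWP's schema
    agent_id: str
    tools: frozenset
    scope: str                      # e.g. "is:unread"
    expires_at: float               # Unix time
    status: str = "active"          # "active", "suspended" or "revoked"
    bound_ip: Optional[str] = None  # set on first allowed use

PERMITS = {}    # sha256(token) -> Permit; the raw token is never stored
AUDIT_LOG = []  # metadata only: no query text, no email content

def token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def authorize(token, tool, source_ip, now=None):
    """Return (allowed, reason) and record one audit entry per call."""
    now = time.time() if now is None else now
    permit = PERMITS.get(token_hash(token))
    if permit is None:
        reason = "unknown_token"
    elif permit.status != "active":
        reason = permit.status
    elif now >= permit.expires_at:
        reason = "expired"
    elif permit.bound_ip not in (None, source_ip):
        reason = "ip_mismatch"
    elif tool not in permit.tools:
        reason = "tool_not_permitted"
    else:
        permit.bound_ip = source_ip  # first allowed call binds the IP
        reason = "ok"
    AUDIT_LOG.append({"agent_id": permit.agent_id if permit else None,
                      "tool": tool, "allowed": reason == "ok",
                      "reason": reason, "ip": source_ip, "ts": now})
    return reason == "ok", reason

def scoped_query(permit, agent_query):
    """Combine the agent's search with the permit scope, server-side."""
    if any(c in agent_query for c in "(){}"):
        raise ValueError("grouping characters not accepted from the agent")
    q = agent_query.strip()
    return f"({q}) {permit.scope}" if q else permit.scope

if __name__ == "__main__":
    PERMITS[token_hash("constructed-token")] = Permit(
        "claude-cowork", frozenset({"search_threads"}), "is:unread",
        expires_at=time.time() + 3600)
    print(authorize("constructed-token", "send_draft", "203.0.113.5"))
    print(scoped_query(PERMITS[token_hash("constructed-token")], "invoice"))
```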
Scoped access isn't just good practice. GDPR requires it.
| | AWP | Raw OAuth | Gmail ext. | Zapier / Make |
|---|---|---|---|---|
| Temporary access | ✓ | ✗ Permanent | ✗ | ✗ |
| Per-tool scope | ✓ | ✗ | ~ | ~ |
| Server-side search restrictions | ✓ | ✗ | ✗ | ✗ |
| IP binding | ✓ auto | ✗ | ✗ | ✗ |
| One-click revocation | ✓ | ~ | ✗ | ~ |
| Real-time audit | ✓ | ✗ | ✗ | ~ |
| MCP-native | ✓ any agent | ~ | ✗ | ~ |
| Zero-content logging | ✓ | n/a | ✗ | ✗ |
| GDPR data minimization | ✓ by design | ✗ | ✗ | ✗ |
The full product is free. You pay when your usage grows and the audit history becomes business-critical.
AWP proxies API calls between the agent and Gmail. Email content flows through AWP's servers in Paris (Fly.io CDG) but is never stored, logged, or cached. AWP reads the API response only to enforce scope and count results. The content is passed to the agent and discarded.
AWP stores: your encrypted Google OAuth tokens (AES-256-GCM via KMS), your permit configurations, and audit log entries (metadata only: tool called, allowed/denied, timestamp, IP, agent ID). AWP never stores email subjects, bodies, attachments, or recipient addresses.
If the token is IP-bound (default), it only works from the original agent's IP. An attacker with the token from a different IP gets a 403 and both IPs are logged. You can also revoke any permit in one click from the dashboard. And all permits auto-expire.
No. The scope is injected server-side by AWP before the Gmail API call. If the permit says is:unread, AWP appends that to every search query. The agent can't modify, strip, or bypass it. If the agent tries to read a thread by ID that doesn't match the scope, AWP blocks the request.
It depends on the setup. If your agent runs on a fixed egress IP (most VPS, most Docker deployments), IP binding works perfectly. If your agent is on a serverless platform with rotating IPs, you can disable IP binding per permit (marked "not recommended") or use a fixed egress proxy. We're also working on agent instance attestation as an alternative binding method.
About 2 minutes. Connect Gmail (standard Google OAuth), create a permit (or use a template), copy the token into your agent's MCP config. No server to deploy. No dependencies to install.
Microsoft Outlook / Exchange via the Graph API is next. The permit model is the same: scoped, temporary, auditable, revocable. Same architecture, different email provider.
Not yet. We plan to open-source the MCP permit specification so other providers can implement the same model. The AWP product itself will remain a hosted service.
Scoped access to your inbox. Not a blank check.