Build on AgentBee
Put a human in the loop for the actions that matter. Your agent asks the bee, a person flips the APPROVE switch, and you get a signed, verifiable receipt. Authorization, not authentication: it sits alongside your login, it does not replace it.
    claude mcp add agentbee -- npx -y @agentbee/mcp
01 Quickstart
One command wires AgentBee into Claude as an MCP server. After this, your agent can ask for human approval on any critical action, and you can verify the receipt it gets back.
    # add the MCP server to Claude Code
    claude mcp add agentbee -- npx -y @agentbee/mcp

    # no hardware yet? run the simulator: same crypto, sample key
    AGENTBEE_MODE=simulator claude mcp add agentbee -- npx -y @agentbee/mcp
Then just ask your agent to do something risky. The bee lights up, you flip APPROVE, the action proceeds with a signature. Ignore it and the action is blocked.
02 The MCP tools
The server exposes two tools. request_approval gates an action behind a human approval; verify_receipt checks a returned receipt against the device public key.
    // your agent calls this before doing anything critical
    request_approval({
      action: "wire_transfer",
      scope: "$5,000 to Northwind Ltd",
      risk: "high"
    })
    // -> { approved: true, receipt: { fp, sig, ts }, signed: true }
    // or { approved: false } if no one approved in time

    verify_receipt({ receipt })
    // -> { valid: true, action, ts }
Configure with env: AGENTBEE_MODE (simulator | usb), AGENTBEE_THRESHOLD (graduated trust level that triggers a prompt), AGENTBEE_PORT (serial port for a real device).
03 Auto-gate with a PreToolUse hook
Want approval enforced automatically, without your agent having to remember to ask? Drop in the PreToolUse hook. It classifies risky tool calls (rm -rf, DROP TABLE, git push --force, writes to .env / .ssh, payment and delete MCP tools) and fails closed: no approval, no action.
    // .claude/settings.json
    {
      "hooks": {
        "PreToolUse": [{
          "matcher": "*",
          "hooks": [{
            "type": "command",
            "command": "npx -y @agentbee/hook"
          }]
        }]
      }
    }
Critical calls now pause for your approval on the bee. Everything else runs untouched. The hook is fail-closed by design: if the bee is unreachable, the action is denied, not allowed.
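The fail-closed gate described above, as an added sketch that is not the code of @agentbee/hook: `RULES`, `classify`, `gate` and the injected `requestApproval` function are hypothetical names, and the patterns are illustrative only. The `tool_name` / `tool_input` shape follows the JSON that Claude Code passes to PreToolUse hooks.

```javascript
// Added example: rule names and patterns are illustrative, not the rules shipped in @agentbee/hook.
const RULES = [
  { reason: "recursive delete", tool: /^Bash$/, field: "command", re: /\brm\s+-\w*(r\w*f|f\w*r)/i },
  { reason: "DROP TABLE", tool: /^Bash$/, field: "command", re: /\bdrop\s+table\b/i },
  { reason: "force push", tool: /^Bash$/, field: "command", re: /\bgit\s+push\b.*(--force|\s-f\b)/ },
  { reason: "secret file write", tool: /^(Write|Edit)$/, field: "file_path", re: /(^|\/)\.(env|ssh)(\/|\.|$)/ },
  { reason: "payment/delete MCP tool", tool: /^mcp__.*(pay|refund|transfer|delete)/i },
];

// Returns the matching rule's reason, or null when the call is not critical.
function classify(call) {
  const input = (call && call.tool_input) || {};
  for (const r of RULES) {
    if (!r.tool.test(String(call && call.tool_name))) continue;
    if (!r.field || r.re.test(String(input[r.field] ?? ""))) return r.reason;
  }
  return null;
}

// requestApproval is an injected async function (assumption) that resolves to
// { approved: boolean }. Any throw, rejection or timeout is treated as a denial.
async function gate(call, requestApproval, timeoutMs = 30000) {
  const reason = classify(call);
  if (reason === null) return { allow: true, reason: "not critical" };
  let timer;
  try {
    const timeout = new Promise((_, reject) => {
      timer = setTimeout(() => reject(new Error("timeout")), timeoutMs);
    });
    const res = await Promise.race([requestApproval({ action: call.tool_name, scope: reason }), timeout]);
    // Only an explicit approved === true allows the call; a missing field denies.
    return res && res.approved === true
      ? { allow: true, reason: "approved: " + reason }
      : { allow: false, reason: "not approved: " + reason };
  } catch (err) {
    // Device unreachable, approver missing, or timed out: deny, never allow.
    return { allow: false, reason: "approver unreachable (" + err.message + "): " + reason };
  } finally {
    clearTimeout(timer);
  }
}
```

In a Claude Code command hook, a deny decision maps to exit code 2, which blocks the tool call.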
04 The SDK (any agent, any stack)
Not on Claude? The SDK gives you the same gate in plain code: one call, works with any framework or your own loop.
    import { AgentBee } from "@agentbee/sdk"

    const bee = new AgentBee() // auto-detects device or simulator

    const ok = await bee.approve({
      action: "deploy",
      scope: "v2.4.0 -> production"
    })
    if (!ok.approved) throw new Error("blocked by human")

    deployToProd() // only runs after you approve
    await bee.verify(ok.receipt) // anyone can verify, later
05 What people gate
Real critical actions worth a human decision. Some you approve, some you stop cold.
Payments
Wire transfers, refunds, payouts above a threshold.
Production data
Drop tables, delete buckets, truncate a live database.
Deploys & releases
Ship to production, change infra, rotate DNS.
Secrets & egress
Read .env, exfiltrate keys, email data outside.
Source control
Force-push, overwrite main, delete branches.
Access & IAM
Grant admin scope, mint API keys, add users.
06 Community
Building something with the bee? Come make noise. Share what you gate, ship integrations, help shape the standard.
Discord
Builders, support, and show-and-tell.
Showcase
What the community is gating in the wild.
awesome-agentbee
Integrations, recipes, and templates.
Authorization, not authentication. AgentBee approves actions; it does not log you in. It complements YubiKey and your IdP; it does not replace them. Your signing key is generated on the device and never leaves it. We store no keys, no device data, and no email.