Stop giving your AI agents your API keys.

Factorly is a local runtime for agent tool chains. It proxies agent tool calls, injects credentials from an encrypted vault, enforces governance rules, and logs everything.

Install it, import a template, and your agent has safe access to GitHub, Slack, Stripe, and 30+ more services, plus any CLI or MCP server, in under a minute.

View on GitHub Get started

Setting up a new Factorly config.
Install a tool template? github
  GitHub — Code hosting, issues, pull requests, and repositories
  Auth: bearer (credential found in vault)
  ✓ GITHUB_TOKEN already configured
  Created 8 tools:
    github.list_repos              List repositories for a user
    github.get_repo                Get repository details
    github.list_issues             List issues for a repository
    github.create_issue            Create an issue
    ...and 4 more
  Connect to your AI agent now? y
  ✓ Claude Code    → .mcp.json updated
  ✓ Cursor         → .cursor/mcp.json updated
One command. 8 tools. Your agent is ready.

The problem

Right now, your agent has your keys.

Most MCP setups today expose secrets too broadly. API keys in .env files, OAuth tokens in config, credentials inherited from your user permissions. That means weak isolation, inconsistent policy enforcement, and incomplete audit trails.

Exposed credentials

One compromised tool, one leaked prompt, and every API key your agent can see is in the open.

No oversight

Your agent can call any tool, make any write, hit any API. No approval flow. No rate limit. No kill switch.

No audit trail

When something breaks, or when someone asks what your agents are doing, there's nothing to show them.

The solution

One endpoint. Every tool. Nothing exposed.

Your Agent

Knows tool names
Knows parameters
Makes request to Factorly

Never sees

API keys
Tokens
Credentials

Factorly

Injects authorization headers
Injects API keys from vault
Injects base URLs

Logs every call
Blocks calls that shouldn't be made
Rate-limits and detects loops

Your Tools

GitHub, Slack, Stripe, ...
REST APIs
MCP servers
CLI commands

Returns

Only data. Never secrets.

request →

→ runtime call →

← data only

Your agent connects to Factorly as a single MCP server. Factorly runs every call through its runtime — injecting credentials server-side, enforcing policy, logging everything. The agent never handles secrets. The agent never bypasses your oversight.

How it works

What changes when you put Factorly in front.

Credentials never reach the agent.

Your API keys, OAuth tokens, and secrets live in Factorly's fully encrypted local vault, using AES-256-GCM with per-entry encryption. Keys stay on your device. The agent sees tool names and data. Never secrets. Not abstracted. Not obscured. The agent process never has access to the decrypted credentials. They are injected server-side at call time.

# Store a secret: encrypted on disk, decrypted on demand

$ factorly vault set GITHUB_TOKEN

Enter value: ••••••••••••••••

# Reference it in any tool config

token: "{{vault:GITHUB_TOKEN}}"

# Your agent calls a tool and Factorly injects the secret

Agent sees: data

Agent never sees: ghp_xxxx...

36 templates. Working tools in 30 seconds.

$ factorly tools import templates github

$ factorly vault set GITHUB_TOKEN ghp_xxxxxxxxxxxx

$ factorly sync

Pre-built configs for GitHub, Slack, Stripe, Linear, Gmail, Notion, Jira, HubSpot, Salesforce, and 30+ more. Wrap any existing CLI or MCP server out of the box. One command installs. One command connects to Claude Code, Cursor, or Codex.

Already using an MCP server?

Wrap it with zero config:

$ factorly wrap -- npx @modelcontextprotocol/server-github

Same tools, same interface. Now every call is logged, output is compressed, loops are detected, and calls are rate-limited.

Oversight that's actually useful.

shadow:

deny: [delete_repository, delete_branch]

confirm: [merge_pull_request, create_release]

rate_limit: 100/hour

Block destructive operations. Require confirmation before writes. Rate-limit calls. Loop detection is always on. Factorly fingerprints identical calls and blocks runaway agents after 12 repeats. Built-in tools block dangerous patterns like rm -rf, curl | sh, and DROP TABLE out of the box. Write and delete templates ship with confirm: true by default.

# Agent tries to run a destructive command

$ factorly call shell --command "rm -rf /"

✗ blocked: command matches deny pattern "rm -rf"

# Logged and denied. The command never executed.

One runtime, every protocol.

MCP servers, REST APIs, CLI commands. One config, one endpoint, one audit log. Factorly proxies every protocol — your agent connects once and sees all its approved tools.

Workflows. Not just proxied calls.

Chain tools into governed pipelines. Steps run sequentially with variable passing, conditional branching, and state persistence. One call replaces many.

Full audit trail.

Every tool call logged: who called what, when, with what parameters, what was returned, what was blocked. Per-agent identity tracking for multi-agent setups. Query with factorly logs --tool github --status blocked or follow in real time with factorly logs -f.

Output compression.

Agent tools return too much data. Factorly compresses JSON, deduplicates log output, and truncates to head + tail, saving tokens without losing signal. Savings tracked per-call in the audit log.

Focused

What Factorly is not.

Factorly doesn't replace your tools. It wraps them. Your MCP servers, APIs, and CLIs stay exactly as they are.

Not Composio or Zapier.

Composio and Zapier replace your integrations with theirs. Factorly wraps what you already have. Your credentials never leave your machine.

Not an agent framework.

Works with Claude Code, Cursor, Codex, LangChain, CrewAI, or anything that speaks MCP and CLI.

Not a tool marketplace.

Your tools. Your config. Factorly just makes them safe.

Open source

Run it yourself. Right now.

$ npm install -g factorly # or: pip install factorly

$ factorly init

Open source & free software. Runs local. Written in Go.
Install via npm, pip, or go installand your agent has governed access to tools in under a minute.

View on GitHub Read the docs

Stay updated

Don't miss a release.

New templates, governance features, and runtime capabilities ship regularly. Get notified when they land.

JavaScript is required for the signup form. Sign up here instead.

Release announcements only. No spam.