Docs / Getting Started

Start here: install the tools, set up API keys, and follow the safe loop (dry-run → apply → verify).

Qwayk — Safe API tools for AI agents

Start here (what Qwayk is / isn’t)

Qwayk is a set of small command-line tools I built to let AI agents work with real APIs (Ghost, WordPress, Freepik, Plausible, plus tools like Mercury, Pinterest, Unsplash, Statuspage, and Amazon PA‑API) without “guessing edits”.

Qwayk is not a hosted SaaS, and it does not promise rankings, traffic, or outcomes. You run the tools locally (or in your own CI/server). You provide the API keys and choose permissions. The tools are provided “as is”.

Quick links:

  • Tools
  • Safety model
  • Terms
  • Privacy

The safety model in 1 minute

Qwayk uses a two-layer safety model:

1) The tool is deterministic: dry-run first, refuses when unsure, and verifies after any change.
2) The reviewer (you, or Codex) checks intent: “Is this the right change for the real goal?”

The “golden path” looks like this:

1) Dry-run generates a plan (no changes).
2) Review the plan.
3) Re-run with --apply (and --yes for risky actions).
4) The tool verifies and produces a receipt.
5) Review the receipt against the plan.

If the tool isn’t sure, it should refuse (do nothing) rather than guess.

If your agent is reachable from an inbox (important)

Some people use an “inbox agent” setup where the agent can be messaged from Slack/Discord/WhatsApp (or similar).

That changes the risk profile:

  • Unknown senders and group chats are untrusted input by default.
  • Prompt injection risk goes up because the agent is exposed to messy, adversarial content.

Recommended guardrails (plain English):

1) Use allowlists (who is allowed to talk to the agent).
2) Require explicit mentions in groups (don’t let ambient chat trigger actions).
3) Run non-owner sessions in a sandbox when possible.
4) Keep dangerous capabilities off by default (host shell, browser automation, device controls).
5) Keep Qwayk as the “deterministic safety layer”: plan → review → apply → verify.

If you don’t know whether your agent setup is “inbox exposed”, assume it is and keep things strict until you verify.

Pricing / memberships (current status)

Right now (soft launch): paid memberships are not enabled yet.

If/when I enable paid:

  • it’ll be obvious in Ghost Portal (checkout will be live),
  • and I’ll update the Pricing page with the exact tiers and license boundaries.

Pricing page: Pricing

How to run tools locally (blessed path)

Most Qwayk tools are small Python CLIs, packaged separately. Always follow the README in the specific tool repo you’re using.

Recommended steps:

1) Clone the repo to your machine.
2) Create and activate a virtual environment.
3) Install the tool in editable mode.
4) Run the safe smoke checks (--version, and the tool’s auth check / status command if it exists).

Config basics:

  • Create a local .env from .env.example (when provided).
  • Tools load secrets from a local .env file (gitignored).
  • Never commit .env to git.
  • Don’t paste secrets into chat; share only redacted logs.

Tip: if a tool supports --env-file, use it to keep per-project configs separate.

What I don’t want (and don’t need):

  • Do not send me your API keys. Keep keys local and choose the minimum permissions needed.

Common commands (generic)

These vary per tool, but the pattern is consistent:

  • --help to see commands and flags
  • --version for quick smoke checks
  • Dry-run first (no writes), then --apply when you’re ready
  • Some risky actions also require --yes

“Safety contract” checklist (use this every time)

Before you let any tool write:

  • Use least-privilege API keys/scopes.
  • Run dry-run first and review the plan.
  • Use explicit apply gates (--apply, plus --yes for risky/batch actions).
  • Require verification after writes (read-back, and when it fits: re-run a dry-run and confirm it shows 0 changes).
  • Keep receipts/audit logs (with secrets redacted).

If anything feels ambiguous, stop and do a read-only check first.
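
The checklist above as a runnable sketch. This is an added example, not Qwayk's own code: the in-memory `remote` dict stands in for a real API, and `run`, `plan`, `digest`, `RISKY_BATCH` and the `reviewed` argument are hypothetical names. It goes one step beyond the checklist by refusing to apply a plan whose hash differs from the one that was reviewed.

```python
import hashlib
import json

RISKY_BATCH = 3  # assumption: plans with more changes than this also need yes=True


def plan(remote, desired):
    """Dry-run: diff desired state against remote state. Writes nothing."""
    changes = []
    for key, want in sorted(desired.items()):
        if key not in remote:
            # Refuse rather than guess which record was meant.
            raise LookupError(f"refusing: {key!r} does not exist remotely")
        if remote[key] != want:
            changes.append({"id": key, "from": remote[key], "to": want})
    return changes


def digest(changes):
    """Stable hash of a plan, so apply can be tied to the plan that was reviewed."""
    return hashlib.sha256(json.dumps(changes, sort_keys=True).encode()).hexdigest()


def run(remote, desired, apply=False, yes=False, reviewed=None):
    changes = plan(remote, desired)
    receipt = {"mode": "dry-run", "plan": changes, "digest": digest(changes)}
    if not apply:
        return receipt
    if reviewed != receipt["digest"]:
        return {**receipt, "mode": "refused", "reason": "plan differs from reviewed plan"}
    if len(changes) > RISKY_BATCH and not yes:
        return {**receipt, "mode": "refused", "reason": "batch change needs yes"}
    for change in changes:
        remote[change["id"]] = change["to"]
    remaining = plan(remote, desired)  # verify: re-run the dry-run, expect 0 changes
    return {**receipt, "mode": "applied", "verified": remaining == []}


if __name__ == "__main__":
    # Constructed sample state: post id -> status.
    remote = {"post-1": "draft", "post-2": "draft"}
    desired = {"post-1": "published", "post-2": "draft"}
    dry = run(remote, desired)
    print(json.dumps(dry, indent=2))
    print(json.dumps(run(remote, desired, apply=True, reviewed=dry["digest"]), indent=2))
```

The returned dict plays the role of the receipt: it carries the plan, its hash, and whether the read-back matched.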

If you’re using Codex (or another assistant), treat it as the reviewer:

Use it to review the plan and receipt against your real goal.

Rule: never paste secrets into prompts (API keys, tokens, cookies).

Troubleshooting

Auth fails when I run a tool

Common causes:

  • Missing .env file or missing required keys.
  • Using the wrong base URL (cloud vs self-hosted).
  • Insufficient scopes/permissions on the API key.

How to share logs safely:

  • Redact tokens/keys (replace values with [REDACTED]).
  • Do not include HTTP Authorization headers.

Support (email-only)

Email support@qwayk.com.

Include:

  • which tool you’re using and its version
  • what you tried (the exact command is fine)
  • the redacted output/error

Boundaries:

  • Support is best-effort and async.
  • No guarantees, and no responsibility for changes made through your keys.