Quick Start

Get TameFlare running in under 5 minutes. The proxy model requires zero code changes to your agent.

Prerequisites

| Requirement | Version | Check | |---|---|---| | Node.js | ≥ 18 | node --version |

That's it. The CLI is installed via npx - no git clone, no build step.

OS support: Linux, macOS, Windows. All CLI commands work in PowerShell, CMD, and Bash.

Getting started (recommended)

Use the hosted dashboard at tameflare.com - no installation required.

1. Create an account

Go to tameflare.com/register. The first user becomes org owner.

2. Create a gateway

Go to Gateways → Create gateway. The wizard walks you through:

  1. Select connectors - GitHub, OpenAI, Anthropic, Stripe, Slack, MCP, or Generic HTTP
  2. Set access rules - per connector: Allow all, Read only, Require approval, or Custom patterns
  3. Add credentials - paste API keys into the encrypted vault

3. Install the CLI and run your agent

npx @tameflare/cli run --name "DevOps Bot" python my_agent.py

All outbound HTTP traffic from my_agent.py is now routed through the TameFlare proxy. The agent never sees real API keys.

4. Monitor and approve

Open the Traffic page in the dashboard for live requests, or use the CLI:

npx @tameflare/cli status                  # Gateway stats
npx @tameflare/cli logs                    # Live traffic log
npx @tameflare/cli approvals list          # Pending approvals
npx @tameflare/cli approvals approve <id>  # Approve a held request
Tip
The proxy works with any process that makes HTTP calls - Python, Node.js, Go, shell scripts, LangChain, CrewAI, n8n, Claude Code, etc. No SDK integration required.
Note
Your gateway runs on your infrastructure - only configuration and audit data are stored in the hosted dashboard. TameFlare is source-available under the Elastic License v2.

How the proxy works

tf run --name "Bot" python agent.py
  │
  │  Sets HTTP_PROXY / HTTPS_PROXY → all traffic routed through gateway
  ▼
┌──────────────────────────────────────────────────┐
│  TameFlare Gateway (Go binary, localhost:9443)          │
│                                                  │
│  domain → connector → parse action → check perm  │
│                                                  │
│  allowed:          inject creds → forward        │
│  denied:           return 403                    │
│  require_approval: hold connection → wait        │
└──────────────────────────────────────────────────┘
  │
  ▼
External APIs (GitHub, Stripe, AWS...)

Key concepts:

  • Deny-all default - no connector configured = no access. The agent cannot reach any domain you haven't explicitly set up.
  • Connectors parse raw HTTP requests into structured actions (e.g., github.pr.merge).
  • Permissions are per-agent, per-connector, per-action. Most specific rule wins.
  • Credential vault stores API keys encrypted (AES-256-GCM). Injected by the proxy at request time.
  • Kill switch blocks all traffic instantly. Supports scoping to a connector or agent.

Troubleshooting

Dashboard shows no data - Create a gateway and run a process, or use the demo sandbox on the Overview page.

CLI can't connect - Make sure you're logged in: npx @tameflare/cli status. If the gateway isn't running, the CLI will show an error.

Gateway not executing - Make sure your connector API keys are configured in the gateway wizard.

Slack notifications not sending - Check that Slack is configured in Settings → Integrations and the bot is invited to the channel.