A Anthropic Partner Network

Every CLI. Pre-authenticated. Driven by Claude.

OpsAgents CLI Gateway is a remote, secured command layer. Claude runs gcloud, gh, firebase, trello, shopify, bq and 20+ more over MCP — no local installs, no key sprawl, every call governed by SOSA.

Get access → See how it works
24+
CLIs, pre-authed
0
local installs
MCP
native tool calls
claude → mcp__cli-gateway
# Claude calls a tool — no shell on its side
gcloud_exec ["run","services","list","--region=me-west1"]
authed as cli-gateway-sa@opsagent-prod · 1.9s
 
gh_exec ["pr","list","--repo","OpsAgentsAI/opsagent"]
3 open PRs · token from Secret Manager
 
trello_exec ["move","<card>","<list>"]
card → Code Review
 
⛔ gcloud projects delete — blocked by deny-list
How it works

Claude calls a tool. The gateway runs the real CLI.

No local toolchain, no copy-pasted credentials. Claude invokes an MCP tool; the gateway executes the authenticated binary on Cloud Run and streams the result back.

🤖

Claude (MCP)

Calls <cli>_exec with an args array

🛡️

CLI Gateway

Cloud Run · secrets mounted · SOSA deny-list

⚙️

Real CLI

gcloud / gh / firebase / trello… authed, executed

Why teams use it

The command layer for AI operators

Give an agent real hands on your stack — safely, auditable, and without handing it a laptop full of secrets.

🔌

24+ CLIs, pre-authed

gcloud, bq, gh, firebase, shopify, trello, notion, netlify, az, aws, paypal, gws, toggl & more — already logged in.

☁️

Remote on Cloud Run

Zero local installs or version drift. Dual-region, always current, scales to zero.

🧩

MCP-native

Each CLI is an MCP tool Claude calls directly — args in, structured output back.

🛡️

SOSA security

Narrow per-CLI deny-list blocks the truly destructive verbs (project delete, key revoke). Everything logged.

🔐

Secrets stay server-side

Credentials live in Secret Manager, never in the prompt or the agent's context.

🩺

Health & status built in

cli_status / cli_health_check report auth + version for every CLI at a glance.

Supported today

One gateway, your whole toolbox

gcloudbqghfirebaseshopifytrellonotionnetlifyazawslinkedinwppaypalgwstogglicountsheetsoutlookzohomailgeminimappspsqlopenclawsecret-manager+ more
Secured by design

Agent hands, with guardrails

SOSA — Supervised, Orchestrated, Secured, Auditable. The gateway is the enforcement point.

Destructive deny-list

Per-CLI blocks on the highest-impact verbs — projects delete, auth revoke, s3 rb, and more.

📋

Every call audited

Exit codes, args, and timing captured — a full trail of what the agent ran.

🎯

Least privilege

Scoped service accounts and per-route tokens, not a god-mode key.

Pricing

Start free. Scale when your agent does.

Serverless under the hood, so pricing stays simple and fair-use limits keep it fast for everyone.

Free trial

$0
  • 1 CLI
  • 100 calls · first month only
  • 1 seat
  • Then choose a plan
Start free

Starter

$29/mo
  • Core CLIs
  • 2,000 calls / mo
  • 1 seat · 10 req/min
  • Email support
Choose Starter
Most popular

Pro

$99/mo
  • All 24+ CLIs + typed routes
  • 25,000 calls / mo
  • 3 seats · 30 req/min
  • Add-ons at member rate
Choose Pro

Scale

$299/mo
  • Everything in Pro
  • 250,000 calls / mo
  • 10 seats · SSO
  • Audit export · dedicated tenant
Talk to us
Need something we don't support yet?We'll build the integration for you — one-time fee.
$19 one-time
Any CLI not yet implemented
$49 one-time
Any MCP server
$99 one-time
Any API integration

Usage-metered with fair-use limits per tier. SOSA-governed · add-ons via PayPal · subscriptions via Shopify.

Give your agent real hands — safely.

Book a walkthrough of OpsAgents CLI Gateway on your stack.

Get access → Explore OpsAgents AI