No accounts · No database · End-to-end encrypted

Let your AI agent ask a human — on your phone.

One MCP tool, request_approval, that blocks your agent until a human approves, declines, chooses, or replies — on a phone PWA. It never auto-approves.

Open the app View on GitHub

Add it to your agent.

No account, no API key, nothing to configure. Paste this into your MCP client config and your agent can reach you. npx @askahuman/mcp serve fetches a single static binary on first run and talks to ask-a-human.ai out of the box — zero config.

mcp.json 
{
  "mcpServers": {
    "ask-a-human": {
      "command": "npx",
      "args": ["-y", "@askahuman/mcp", "serve"]
    }
  }
}
For the curious

Pairing is a magic wormhole.

You type a short code; it becomes a strong shared key. That handshake is SPAKE2, a password-authenticated key exchange — the same trick Magic Wormhole uses to beam files between two machines with three words. A passive or active relay can never read or forge the channel — and even if the short code leaks, an attacker still gets only one online guess against the live handshake. From there every approval is sealed with NaCl secretbox — end to end, your machine to your phone.

How ask-a-human pairs and seals approvals Your agent and your phone derive a shared key from a short code via SPAKE2; the relay in the middle only ever forwards ciphertext. The relay only forwards ciphertext. base64(nonce‖ciphertext) + which room talks to which — never the data sealed sealed Your agent MCP · holds the key Relay content-blind Your phone holds the key SPAKE2 — short code → a key the relay never learns
SPAKE2 · RFC 9382 ristretto255 · RFC 9496 magic-wormhole Abdalla–Pointcheval, CT-RSA 2005

The server never sees your data.

The MCP server runs locally next to your agent (Cursor, Claude, Codex). Everything that crosses the network is sealed — the relay is a dumb pipe that just passes bytes between two rooms.

Content-blind relay

The server only ever sees base64(nonce‖ciphertext) and which room talks to which. It is a dumb relay — never the data, never a decision.

SPAKE2 pairing

A short pairing code becomes a strong shared key via a Magic-Wormhole-style SPAKE2 handshake. No relay-in-the-middle can read or forge it.

End-to-end encrypted

Your agent and your phone hold the keys. Approvals are sealed on one side and opened on the other — nowhere in between.

No DB, open-source

RAM-only, no accounts, no database. Restart means re-pair. Self-host the relay and web with a flag, or read every line on GitHub.