agentcookie

agentcookie is an open-source macOS CLI tool built by Matthew Van Horn that solves a specific friction point in agentic AI workflows: the agent running on a second Mac needs to be authenticated to every site and API the developer is already logged into on their primary machine. It handles this by continuously replicating Chrome cookies, per-CLI bearer tokens, and API keys from the source Mac to the sink Mac, encrypted over a Tailscale tailnet, with no cloud middleman and no per-site re-authentication.

What It Is

agentcookie is a peer-to-peer session-state synchronization tool for macOS. It watches Chrome's Cookies SQLite file and a parallel secrets bus using fsnotify, diffs the state, and ships encrypted payloads to a second Mac the moment anything changes. The receiving side (the "sink") is a macOS LaunchAgent that delivers cookies and secrets across four surfaces: Chrome's own Cookies database (re-encrypted for the sink's Keychain), a plaintext sidecar at ~/.agentcookie/cookies-plain.db, per-CLI adapter session files, and optionally the cmux embedded WebKit browser via RPC injection. Agent runtimes like OpenClaw or Hermes pointed at the second Mac wake up authenticated without any login steps.

How the Sync Architecture Works

The tool operates on a source/sink model. On the source Mac, agentcookie source --watch decrypts Chrome's Safe Storage key via the macOS Keychain, applies a blocklist filter, folds in the secrets bus payload, and pushes diffs over HTTPS on the Tailscale tailnet using AES-256-GCM encryption with replay defense and per-peer pairing-derived keys. On the sink Mac, a LaunchAgent receives the payload and fans it out to all configured delivery surfaces simultaneously. The pairing flow uses a 64-bit code and a rate-limited pair endpoint; listeners bind only to the tailnet interface.

The secrets bus carries non-cookie auth: bearer tokens, API keys, and KEY=VALUE blobs land at ~/.agentcookie/secrets/<cli>/secrets.env (mode 0600) on the sink. CLIs consume them via environment variables, the in-process pkg/agentcookiesecret Go library, or an agentcookie.toml manifest that agentcookie discover auto-detects. The README notes compatibility with Printing Press CLIs including Stripe, Linear, Notion, Granola, Slack, Kalshi, ElevenLabs, Mercury, and others.

Agent Browser Integration

Beyond the two-machine model, agentcookie ships two browser sync loops. The cmux-sync loop injects cookies into cmux's embedded Apple WebKit browser via its RPC socket, either continuously on the same machine (local loop, on by default when cmux is detected) or as a sink surface on the second Mac. The agent-sync loop targets Chromium-based automation browsers — specifically browser-use and vercel-labs agent-browser — by launching a dedicated Chrome instance on a loopback CDP debug port and injecting cookies live into every browser context via CDP. The README explains why this works where cold-profile copying fails: live CDP injection bypasses Chrome 127+ App-Bound Encryption and correctly carries httpOnly and persistent session cookies that Playwright's addCookies rejects.

Device-Bound Sessions and Honest Limits

The README is explicit about what agentcookie cannot do. Chrome's Device Bound Session Credentials (DBSC) tie a session to one machine's Secure Enclave, so a copied cookie from a DBSC-protected site stops working on the sink once its short-lived window lapses. As of the README's writing, the primary broad adopter of DBSC is Google's own account and Workspace cookies. agentcookie flags suspect cookies in agentcookie doctor output and offers a --skip-dbsc-suspect flag to drop them rather than ship cookies that will not survive. The secrets bus — bearer tokens, API keys, OAuth refresh tokens — is entirely outside DBSC's scope and replicates normally.

Update: v0.15.0

The GitHub repository shows v0.15.0 published on June 6, 2026, with the repository created in May 2026 and last pushed the same day as the release. The project has accumulated 219 stars and 8 forks in its first weeks. The README documents a detailed version history through v0.13 runbooks covering universal delivery via a one-password Safe Storage partition open, v0.12 security hardening with sealed master keys and Developer ID signing, and v0.11 adapter cookie push. The codebase covers 520+ unit tests across 26 packages. Planned items include a Python reader library, signature verification on adoption manifests, live key rotation via agentcookie pair --rotate, and one-to-many fan-out from a single source Mac to multiple sink Macs.