Cookey: Securely Bridge Mobile Sessions to Your AI Agents
Overview
Cookey is an open-source tool that lets AI agents securely access web applications. It captures a browser session that you start on a mobile device by scanning a QR code and transfers it, encrypted, to your terminal. Agents can then act on websites as if a human user had logged in, without compromising security.
Key Features
- Seamless Session Transfer: Scan a QR code on your phone to log in, and Cookey relays the encrypted browser session (cookies, localStorage, session data) directly to your terminal.
- Agent Integration: Designed for AI agents, Cookey can be installed as a tool, providing them with the necessary session data to interact with web applications.
- End-to-End Encryption: All session data is encrypted on your phone using the CLI's public key before transmission, ensuring that the relay server never sees plaintext data.
- Zero Registration: Cookey operates without accounts, device enrollment, or push tokens. It generates its own key pair on the first run for immediate use.
- Self-Hostable Relay: For enhanced privacy and control, you can self-host the Cookey relay server using a single Docker image. The relay is memory-only and data auto-expires.
- Playwright Compatibility: The captured session data is exported in a format compatible with Playwright's storageState.
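One way to check an exported session before an agent loads it, as an added example that is not part of Cookey's code. It assumes the export follows Playwright's storageState layout (a `cookies` array and an `origins` array with `localStorage` entries); the function names, the site `example.test` and the sample values are constructed for illustration.

```javascript
// Added example, not Cookey's code: scope a Playwright storageState to one site
// and report what was dropped. Cookie and localStorage values never reach the findings.

// True when a cookie domain or hostname is `site` itself or one of its subdomains.
function domainInScope(domain, site) {
  const d = domain.replace(/^\./, "").toLowerCase();
  return d === site || d.endsWith("." + site);
}

// Returns { state, findings }: a copy limited to `site` and a list of audit notes.
function auditStorageState(state, site, nowSec = Date.now() / 1000) {
  const findings = [], cookies = [], origins = [];
  for (const c of state.cookies || []) {
    if (!domainInScope(c.domain, site)) {
      findings.push(`dropped cookie ${c.name}: domain ${c.domain} is out of scope`);
      continue;
    }
    // Playwright records session cookies with expires = -1.
    if (c.expires !== -1 && c.expires <= nowSec) {
      findings.push(`dropped cookie ${c.name}: expired`);
      continue;
    }
    if (!c.secure) findings.push(`cookie ${c.name}: Secure flag not set`);
    cookies.push(c);
  }
  for (const o of state.origins || []) {
    const host = new URL(o.origin).hostname.toLowerCase();
    if (domainInScope(host, site)) origins.push(o);
    else findings.push(`dropped localStorage for ${o.origin}: out of scope`);
  }
  return { state: { cookies, origins }, findings };
}

// Constructed sample input (not real session data).
const sample = {
  cookies: [
    { name: "sid", value: "REDACTED", domain: ".example.test", path: "/", expires: -1, httpOnly: true, secure: true, sameSite: "Lax" },
    { name: "track", value: "REDACTED", domain: "ads.other.test", path: "/", expires: -1, httpOnly: false, secure: true, sameSite: "None" },
    { name: "old", value: "REDACTED", domain: "app.example.test", path: "/", expires: 1000, httpOnly: true, secure: true, sameSite: "Lax" },
  ],
  origins: [
    { origin: "https://app.example.test", localStorage: [{ name: "theme", value: "dark" }] },
    { origin: "https://cdn.other.test", localStorage: [{ name: "id", value: "REDACTED" }] },
  ],
};

const result = auditStorageState(sample, "example.test", 2000);
console.log(result.findings.join("\n"));
```

The returned `state` can be written to a file and passed to Playwright as `storageState`; the findings are safe to log because they contain names and domains only.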
How It Works
- Agent Installs Cookey: The AI agent integrates cookey as a tool.
- QR Code Prompt: When a login is required, Cookey displays a QR code.
- Mobile Scan & Login: Scan the QR code with the Cookey mobile app and complete the login on your phone.
- Session Delivery: The encrypted session data is securely sent to the agent's terminal.
Use Cases
- Automated Web Interactions: Allow AI agents to log in to platforms for data collection, form submission, or other automated tasks.
- Testing: Facilitate end-to-end testing scenarios where an agent needs to interact with a logged-in user session.
- Secure Access for Agents: Provide a secure method for agents to access services that require user authentication, without storing user credentials directly.
FAQ
Why can't I use passkeys or security keys in the in-app browser?
Apple restricts Passkey, WebAuthn, and FIDO2 security key APIs in WKWebView (used by Cookey) for security reasons, as embedded browsers could be a phishing risk. Use alternative login methods like passwords or email links within Cookey.
Can the relay server see my session data?
No. Session data is encrypted on your phone using the CLI's public key before it leaves the device. The relay only forwards encrypted data and deletes it after delivery or expiry.
What data does Cookey capture?
Cookey captures cookies and localStorage for the specific site you logged into. It does not capture passwords, autofill data, or indexedDB content.
Do I need an account to use Cookey?
No, Cookey does not require any accounts, registration, or device enrollment. It generates its own key pair locally upon first use.
Can I self-host the relay?
Yes, Cookey is self-hostable. You can run your own relay server using a single Docker image for maximum privacy and control.
Is Cookey open source?
Yes, Cookey is open source, and its source code is available on GitHub.







