Coding agents run on their own for low-risk work. When one hits something irreversible, a production deploy, a destructive command, a force-push, Ony phones you to approve or deny in one keypress.
Works with
Incoming, Ony
claude-code, prod-api repo
Approval requested
An agent is asking to deploy to production.
Enter your 6-digit code to confirm.
1
Approve
2
Deny
Decision signed and verified on your device
Coding agents work for hours, in parallel, sometimes overnight or headless. Most of what they do is low-risk and does not warrant constant supervision. But a single irreversible action, a production deploy, a dropped table, a force-push over main, is the one moment you would want a say.
Ony gives you exactly that say, and nothing more: full autonomy on the safe path, a phone call on the irreversible one.
Three steps, fully automatic. You only show up for the decisions that matter.
A PreToolUse hook classifies every tool call. Reads and safe edits pass instantly. A deploy, a destructive command, a force-push, a schema change, or a secret access gets gated.
The server re-derives the real risk (the agent's own hint is never trusted) and places a call. You hear the action and its risk, never the raw command or your secrets.
Press 1 to approve, 2 to deny. High-risk actions also ask for your 6-digit code. The verdict is signed, verified on your device, and delivered back in seconds.
/ony ongates high-risk steps,/ony awaycalls you for every step,/ony offsteps aside.Your agent pauses on the risky step exactly like a normal approval prompt. The difference is that the approval reaches you wherever you are.
# agent is ready to run:
$ terraform apply -auto-approve
[ony] high-risk action detected: production deploy
[ony] calling +1 (***) ***-4821 ...
[ony] waiting for your decision _
[ony] approved by you, signature verified
Apply complete! Resources: 3 added, 1 changed.Reads, searches, and ordinary edits run ungated. Anything that ships, deletes, or touches production is classified server-side and routed to you.
terraform applyProduction deploy
git push --force origin mainForce-push
rm -rf ...Destructive command
alembic upgrade headDatabase migration
kubectl apply -f prod/Infra change
DROP TABLE ...Prod DB change
read .env / rotate secretSecret access
stripe / payment settingsPayment change
The kill switch, the audit trail, and the ergonomics that make running agents unattended practical.
/ony on gates only high-risk steps. /ony away calls you for every actionable step (remote control). /ony off steps out of the way.
Run Claude Code and Codex in parallel across repos. Each handoff binds to a stable agent session, so approvals never cross wires.
Enroll more than one phone. Decisions are attributed to whoever approved, and every device verifies signatures independently.
Safe tool calls are never delayed. Only gated actions wait, and only until you press a key. Timeouts fail closed, never silently open.
Every verdict is HMAC-signed per device and bound to the exact request. Forged or replayed approvals are rejected by the connector.
Every decision lands in a keyed, hash-chained, append-only log. Rewrite one event and the chain breaks. The dashboard shows it verified.
The whole point is to be the authority an autonomous agent can't talk its way around. So the trust boundary is the server and your device, never the agent.
The agent can claim a call is low risk. Ony ignores the hint and classifies from a server-owned action taxonomy. Unknown actions fail closed to critical.
Every verdict is HMAC-signed per device and bound to the exact request. The local connector verifies the signature before honoring it.
Decisions are recorded in a keyed, hash-chained, append-only log. Rewrite one event and the chain breaks, end to end.
If Ony is unreachable, a signature can't be verified, or a deadline passes, the action is never silently allowed.
Same product, two ways to get it. The open-source edition is fully featured. Ony Cloud just removes the ops.
Self-host the whole stack. Own your data and your phone line.
pip install ony plus a one-command Docker stackThe managed path. Zero ops, dedicated numbers, ready in minutes.
Signed per device and verified on-device before it is honored.
If a decision cannot be reached or verified, the action is never allowed.
Claude Code and OpenAI Codex today, on one normalized event model.
No. Only gated actions wait, and only until you respond. Reads, searches, and ordinary edits run at full speed, ungated.
No. The agent's own risk hint is ignored. Risk is classified server-side, and the verdict is signed and verified on your device. Unknown actions fail closed.
The action and its risk classification, not your raw commands or secrets. You self-host the whole stack if you want zero third parties in the loop.
Claude Code via a PreToolUse hook, and OpenAI Codex via its app-server. The event model is agent-agnostic, so adding a connector means mapping its events, not rewriting the core.
Both. The open-source edition is fully featured and self-hostable under AGPL-3.0. Ony Cloud is the same product, managed, with dedicated numbers and team features.
Through a telephony provider (SignalWire). Self-host with your own number and keys, or let Ony Cloud provision a dedicated number for your organization.
Install the connector, wire your agent, and get your first call in minutes.