Your accounts, your channels, your tools
Three kinds of integration, one security model for all of them: credentials go into an encrypted vault, every call exits through the guarded proxy, and every action is risk-classified before it can run.
Connections
One OAuth click each on the provider's own consent screen. The token goes straight into the vault — the AI model never sees it, by architecture.
Gmail
Watches for growth-relevant mail, drafts and sends replies as you — from your own address, not a stranger's domain.
Reading is free (T0). Drafting is logged (T1). Sending is gated (T2) — approved by you or a standing policy you wrote.
Google Calendar
Reads availability, proposes times, and books meetings with Meet links when a prospect says yes.
Reads and free/busy are T0. Creating an event is T2 — it lands on your calendar only with approval or a standing rule.
Meta Ads
Campaign results and lead webhooks flow in; budget operations run inside your hard daily cap.
Reading insights is T0. Budget changes are T2 with your cap enforced in the proxy. The cap defaults to $0 until you raise it.
Stripe
Revenue signal for the loop: which campaigns produce paying customers, not just clicks.
Read-only. The agent sees payment events; it cannot move money — financial actions are T3, always human-approved.
Channels
Where the agent reports and where you decide. No new inbox to check — briefs and approvals arrive where you already work.
Slack
One-click install. Briefs, questions, and approval cards arrive in the channel you pick; approve with a button.
Telegram
Tap a link, get a bot that talks business. Same briefs, same one-tap approvals, on your phone.
Daily briefs and approval requests in your inbox. Reply to respond — no dashboard required.
Tools, via MCP
The curated catalog is pre-audited: known tools, known risk tiers, one-click connect. Every tool — curated or yours — is classified T0–T3 and its description is scanned for prompt injection before the agent can use it.
Wavetable
Contact system of record: dedup, claims, sequences, suppression.
7 tools · Built in · pre-audited risk map
Ayrshare
Unified social posting + DMs across X, LinkedIn, Instagram, and more.
4 tools · API key · pre-audited risk map
Apollo
B2B contact enrichment: emails, socials, phones, titles.
3 tools · API key · pre-audited risk map
Hunter
Email finder and verifier.
3 tools · API key · pre-audited risk map
Firecrawl
Scrape and crawl sites and newsletters into clean markdown.
3 tools · API key · pre-audited risk map
Instantly
High-volume cold email with warmed inboxes and reply detection.
3 tools · API key · pre-audited risk map
Dropbox Sign
E-signatures: send quotes, estimates, proposals, and engagement letters for signature; chase until signed.
5 tools · API key · pre-audited risk map
Google Business Profile
Local presence: read and respond to reviews, update hours, publish posts. The highest-ROI channel for local SMBs.
6 tools · OAuth · pre-audited risk map
QuickBooks Online
The books: AR aging, invoices, and expense categorization drafts. Pairs with the Stripe money layer for invoice chasing.
5 tools · OAuth · pre-audited risk map
Jobber
Field service system of record: clients, quotes, jobs, and scheduling for home-services businesses.
5 tools · OAuth · pre-audited risk map
Mailchimp
List-based broadcast email.
3 tools · OAuth · pre-audited risk map
Any MCP server
Point the agent at any MCP server by URL — OAuth or API key. Its tools are discovered, risk-classified conservatively, scanned for tool poisoning, and re-checked on every sync so a server can't quietly change what its tools do.
Anything flagged is deactivated until you review it.
The connection list grows steadily — the connections docs and tools docs are always current. Waveguide also operates the broader Wave platform — ads, creative, pages, and content products it composes on your behalf.
One security model for everything
- Vaulted credentials: every token — OAuth, API key, MCP auth — is envelope-encrypted with per-tenant keys. The model composes requests; the proxy injects the credential after the request leaves the sandbox.
- Risk tiers on every call: reads run freely, writes are logged, external sends are gated, and financial or irreversible actions always require a human.
- Default-deny networking: each integration declares the hosts it's allowed to reach; everything else is refused at the proxy.
The full model is on the security page.
Connect once, compound forever
Every account and tool you connect makes the agent more useful — and none of it ever touches the model.
Card required · nothing charged until day 15 · cancel in one click