01
Any model, one adapter
OpenRouter routes to ~200 cloud models — Claude, GPT, Gemini, Llama, DeepSeek, Mistral, Qwen. Ollama runs anything you've pulled locally. Switch providers per agent.
Open Source · Apache-2.0 · Self-host
Open-source managed agents.
A self-hostable runtime for AI agents. Persistent memory, packaged skills, multimodal input, multi-agent coordinator/worker threads, goal-driven outcomes — bring any cloud model via OpenRouter, or local via Ollama. Spin up the full stack with docker compose up.
$ docker compose up --build
[+] Building 8.4s ... done
[+] Running 4/4
✔ Container postgres-1 Healthy
✔ Container linchpin-connector-1 Started
✔ Container linchpin-api-1 Started
✔ Container linchpin-console-1 Started
$
$ curl -sX POST localhost:8000/v1/sessions \
-H "Authorization: Bearer $KEY" \
-d '{"agent_id":"a1","environment_id":"e1"}'
{"id":"0cd24b30","status":"running","container_id":"ab7e…"}
$ curl -sX POST .../sessions/0cd24b30/events \
-d '{"type":"user.message",
"payload":{"text":"Say hi in 5 words"}}'
$
$ curl -N .../sessions/0cd24b30/stream
event: session.status_running
event: agent.message_delta
data: Hello, dear friend, how are you?
event: session.status_idle
data: {"usage":{"input":73,"output":8}}
$
01 · Install
02 · Create session
03 · Stream events
§ Trusted by engineers from
amazon
NETFLIX
Morgan Stanley
Google
What's inside
§ 01 / Capabilities · v0.1 → v0.7
02
Sandboxed sessions
Every session gets its own Docker container — Python, Node, git, ripgrep preinstalled. Networking is per-environment: none for tight, unrestricted for open egress.
03
Eight built-in tools
bash · read · write · edit · glob · grep · web_fetch · web_search. They run inside the container the model can’t escape.
04
MCP & HTTP tools
Plug in Model Context Protocol servers two ways: stdio subprocesses for community servers, or HTTP-streamable URL transport (v0.5) for SaaS MCPs like GitHub Copilot and Linear. Plus any HTTP endpoint as a custom tool.
05
Credential vaults
Fernet-encrypted credential store. Reference secrets by name from agent configs; they decrypt at session start and never hit disk in plaintext.
06
Event streaming
Append-only event log per session with cursor pagination. Subscribe over SSE — replays anything past your cursor, then streams live. Perfect for live UIs.
07
Memory stores v0.3
Persistent, workspace-scoped filesystem state mounted at /mnt/memory/<name>/. Path-addressed, 100 KB cap per memory, immutable versions with 30-day retention. The agent reads + writes naturally; the runtime mirrors changes back to durable storage.
08
Skills v0.4
Packaged expertise — SKILL.md + scripts in a .tar.gz. Mounted at /mnt/skills/<name>/. Progressive disclosure: metadata always in the system prompt, instructions on trigger, scripts on demand. Max 8 per agent. CLI: linchpin skill build.
09
Multimodal input v0.5
Send images (JPEG, PNG, GIF, WebP) and documents (PDF, text, markdown) inside user.message.content[]. Sources: base64 inline, URL, or a Files-API reference. The orchestrator routes to multimodal-capable models and surfaces clean errors for unsupported combos.
10
Git repository resources v0.5
Mount any HTTPS git remote into a session: git_repository resource clones at session start, caches per environment so repeat sessions skip the network, and rotates tokens without re-cloning. Works with GitHub, GitLab, Bitbucket, Gitea — anything that speaks HTTPS git.
11
Outcomes v0.6
Declare a goal on a session — a free-text definition, a weighted rubric, and an agent grader. The runtime evaluates and auto-terminates when the score crosses your threshold. Goal-driven execution without writing your own grading harness.
12
Multi-agent threads v0.6
Coordinator agents spawn worker sub-sessions via POST /v1/sessions/{id}/threads. Each thread runs its own agent in its own sandbox, but every event mirrors up into the coordinator's stream with a thread_id tag — one interleaved view of the whole team.
13
Dreams v0.7 · research preview
Async memory curation. Point a Dream at a memory store + a slice of past sessions and a "dreamer" agent produces a new store with the cruft removed — duplicates merged, contradictions resolved, stale entries dropped. Original store is untouched. Opt in by setting LINCHPIN_DREAMER_AGENT_ID.
Quickstart
§ 02 / Installation
01
Clone and configure
Set your API key, an encryption key for the vault, and an OpenRouter key (or skip it if you only use Ollama).
# Clone $ git clone https://github.com/linchpinhq/linchpin.git $ cd linchpin # Configure $ cat > .env <<EOF LINCHPIN_API_KEY=$(openssl rand -hex 24) VAULT_ENCRYPTION_KEY=$(python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())") OPENROUTER_API_KEY="sk-or-v1-..." EOF
02
Bring up the stack
One command spins up the API, the connector, the Postgres database, and the web console.
$ docker compose up --build # Services # → http://localhost:8000 API # → http://localhost:3000 Console # → http://localhost:8001 Connector (internal)
03
Create an agent, start a session
Or open the console at http://localhost:3000 and do it in the UI.
$ curl -sX POST http://localhost:8000/v1/agents \ -H "Authorization: Bearer $LINCHPIN_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "name": "coder", "model": { "provider": "openrouter", "id": "anthropic/claude-sonnet-4" }, "system": "You are a careful engineer.", "tools": [{"name": "bash", "permission": "always_ask"}] }'
How it works
§ 03 / Architecture
The orchestrator loop
One async task per live session. Builds context from the event log, calls the model, emits agent.message / agent.tool_use events. On tool use it evaluates policy: always_allow runs immediately; always_ask blocks on LISTEN/NOTIFY until a confirmation event arrives.
The sandbox
Each session is a Docker container the API spawns via docker-py. Three pre-created networks — linchpin-none, linchpin-open, linchpin-limited — pick the egress posture per environment. Files, memory stores, skills, and git repositories bind-mount under /mnt/<kind>/<name>/.
The event log
Append-only. Each event has a monotonic sequence and an opaque cursor. SSE replays everything after the client's cursor before going live. Crash recovery replays the log to put non-terminal sessions back into the right state. Multi-agent threads mirror their events up into each ancestor's stream with a thread_id tag.
The vault
Fernet-encrypted per-vault credential store. Sessions bind to one or more vault IDs; credentials are decrypted in-process and passed as api_key to the provider or as env vars to MCP subprocesses. Nothing on disk in plaintext.
Deeper details: ARCHITECTURE.md.
§ 04 / Ownership
Your agents. Your infrastructure. Your bill.
Most managed-agent platforms route every call through their hosted control plane. Linchpin runs end-to-end on your VM. The API key is yours. The Postgres database is yours. The containers spawn on your Docker daemon. Your prompts go straight to the model provider you chose — no broker.
The codebase is small enough to read in an afternoon. Two Python services, a React console, and a Postgres schema. Apache-2.0.