Guides

Everything you need to set up your AI agents and connect them to your favorite platforms. Written for non-technical users — no coding required.

Getting Started

You can have your first AI agent running in under two minutes. No integrations needed — just deploy and start chatting.

1. Create an account at tamalebot.com. Enter your email and you'll get a sign-in code — no password needed.
2. Pick an agent preset. Each preset gives your agent a personality and set of skills:
   • Social Media Manager — creates and publishes content across your platforms.
   • Customer Support — answers questions using your knowledge base.
   • Sales Agent — qualifies leads and follows up automatically.
   • DevOps Agent — automated release engineer: pulls code, runs tests, deploys to staging then production, rolls back on failure.
   • Executive Assistant — manages email, calendar, and daily briefings.
   • Data Analyst — pulls data, generates reports, and tracks trends.
3. Give it a name. This is just for you — pick anything you like.
4. Leave "Managed (Claude)" selected. This uses our hosted AI model, so you don't need to bring your own API key. You can switch to your own key later if you want.
5. Click Deploy. Your agent will be ready in about 30 seconds.
6. Go to My Agents and click on your new agent. Start chatting with it right away to see what it can do.

Use Case Guides

Each guide below shows you what the agent does, which platforms to connect, and exactly what to tell it.

📷 Social Media Manager

What it does: Creates content, publishes across platforms, tracks analytics over time, monitors competitors, manages engagement (comments and replies), and runs a content approval workflow — all on autopilot.

Which platforms to connect

• Instagram — feed posts, Reels, carousels, and Stories
• Facebook — text, photo, and video posts to your Page
• Threads — text, image, and video posts + monitoring
• Twitter/X — tweets with up to 4 images or video. Use the Integrations tab wizard for one-click setup with Simple Connect, or bring your own API keys.
• YouTube — Shorts upload (requires OAuth2 credentials — see setup below)
• TikTok — video posts (created as drafts — you approve them in the TikTok app before they go live)
• OpenAI — for generating images with DALL-E and editing/resizing media
• Slack — for receiving draft notifications and approving posts

Platform notes

• TikTok posts are drafts. Due to TikTok API restrictions, posts are created in draft status. You'll need to open the TikTok app and approve each draft before it goes live. This is a platform limitation, not a TamaleBot limitation.
• YouTube Shorts requires OAuth2. In addition to your YouTube API key, you need a refresh token and Google OAuth client credentials (GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET). The agent uses these to upload videos directly via the YouTube Data API.
• Instagram Stories expire in 24 hours. The agent can post Stories, but they auto-delete after 24 hours per Instagram's rules. Analytics for expired Stories may not be available.

Content approval workflow

By default, the agent does not auto-publish. Instead it follows a draft-review-publish flow:

1. Draft — The agent creates content and saves it as a pending draft.
2. Notify — It sends you a preview via Slack, Telegram, or email with the caption, hashtags, and media.
3. Review — Reply with "approve", "edit [your changes]", or "reject" for each draft.
4. Publish — Approved drafts are published immediately. Edits are updated and re-sent for approval.

Drafts older than 48 hours are flagged as stale. Once you trust the agent's quality, you can tell it to auto-publish.

What the agent can do

Suggested scheduled tasks

Set these up in your agent's Scheduled Tasks section. The agent will run each task automatically at the time you choose.

Example prompts you can use in chat

Tips

• Use the Integrations tab. The quickest way to connect X is the guided wizard in your agent's Integrations tab. It walks you through connecting your account, writing a content strategy, and picking a posting schedule — all in under a minute.
• Start with drafts. Let the agent create posts and send you previews before publishing. Once you trust the quality, switch to auto-publish.
• Use the weekly analytics task to catch trends early. The agent tracks metrics over time, so week-over-week comparisons get more useful the longer it runs.
• Set up the engagement check. Responding to comments quickly boosts your algorithm ranking. The agent handles routine replies and flags anything that needs your attention.
• Add your brand voice to the system prompt. The more context about your business, audience, and tone, the better the posts will be. The X wizard does this for you automatically when you fill in your content strategy.
• Rate limits: The agent automatically retries when a platform rate-limits it, but aggressive schedules (posting every few minutes) can still hit limits. Space tasks at least 30 minutes apart.

💬 Customer Support

What it does: An AI-powered customer support agent that answers questions from your docs, handles common requests, and escalates tricky issues to your team. Deploy it as an embeddable chat widget on your website, connect it to Slack or Discord for internal support, or both.

Deployment modes

• Website Widget — embed a chat bubble on your website so visitors can get instant answers 24/7
• Internal Agent — connects to Slack, Discord, WhatsApp, Telegram, or Email for team and customer channels
• Both — widget on your site + chat integrations for full coverage

How to deploy an AI customer chat widget

Get a working AI support chat on your website in under 5 minutes:

1. Upload your docs. Go to your TamaleBot dashboard → Knowledge Base. Upload your FAQs, product docs, pricing pages, return policies — anything your customers ask about. Supported formats: PDF, Word, text, markdown, images.
2. Go to Deploy and select Customer Support Agent.
3. Choose "Website Widget" (or "Both") as the deployment mode.
4. Customize your widget — set a greeting message (e.g. "Hi! How can I help you?"), pick your brand color, and set a daily conversation cap.
5. Add your agent name (e.g. acme-support) and click Deploy Agent.
6. Copy the embed code shown after deployment. It looks like this:

7. Paste it into your website just before </body>. Works with any site — Shopify, WordPress, Squarespace, Webflow, static HTML, React, Next.js, etc.
8. Done. A chat bubble appears in the bottom-right corner. Your customers can ask questions and get instant answers from your documentation.

Which integrations to connect

• Slack or Discord — for escalation notifications when the agent can't answer a question
• Notion — connect your wiki or internal docs as an additional knowledge source
• Shopify (optional) — lets the agent look up orders, products, and customer accounts
• Stripe (optional) — lets the agent check payment status, subscriptions, and charges
• Email (optional) — for receiving support requests via email

What the agent can do

Scheduled tasks

• Unresolved Issue Review (9 AM weekdays) — reviews questions the agent couldn't answer in the past 24 hours, summarizes gaps, and suggests documentation updates
• Weekly Support Summary (Monday 9 AM, optional) — total conversations handled, most common topics, resolution rate, escalation count

Widget features

• Session persistence — visitors can refresh the page or come back later and continue their conversation
• Mobile responsive — full-width on phones, compact panel on desktop
• Shadow DOM isolation — the widget's styles never conflict with your site's CSS
• Customizable — brand color, greeting message, and position (left or right)
• "Powered by TamaleBot" badge — included on all plans
• Rate limiting — built-in protection against abuse (20 messages/hour per visitor, configurable daily cap)

Example prompts

Estimated costs

TamaleBot charges for hosting ($5/mo base) plus per-message credits. Here's what to expect at different volumes:

LLM costs depend on conversation length. Short FAQ answers cost less; multi-turn troubleshooting costs more. Using managed mode (Claude, included), costs are billed at Anthropic's rates plus a small service fee for convenience. BYOK mode (bring your own API key) means LLM costs go directly to your provider and are not included above. Estimates assume ~3 messages per conversation on average.

Compare: Intercom starts at $39/mo (1 seat) with per-resolution charges. Zendesk starts at $55/agent/mo. A TamaleBot support widget at startup volume costs about what you'd spend on a coffee subscription.

Tips

• Upload everything your customers ask about. The agent can only answer from what it has access to. PDFs, markdown files, text docs, and images all work.
• Set clear escalation rules in your system prompt. Tell the agent exactly when to hand off: billing issues, account access, security concerns, anything outside the docs.
• Use the daily unresolved review. It surfaces gaps in your documentation. If the agent keeps getting questions it can't answer, that's a signal to add more docs.
• Connect Shopify or Stripe if your customers ask about orders or payments. The agent can look up specific orders and give real answers instead of generic instructions.
• Start with a low daily cap (e.g. 100) and increase it as you verify the agent handles questions well. This prevents unexpected costs during testing.
• Test before going live. Send the widget a few questions yourself to verify it finds the right answers from your docs. Check that escalation messages land in your Slack/Discord channel.

💰 Sales Agent

What it does: An AI-powered sales agent that qualifies incoming leads, answers pricing and product questions, manages your HubSpot CRM pipeline, tracks revenue in Stripe, and sends personalized follow-up emails automatically. It handles the repetitive parts of your sales process — lead qualification, data entry, follow-ups, and reporting — so you can focus on closing deals. Works standalone or with your full CRM stack.

Getting started

1. Go to Deploy and select Sales Agent. It works immediately — no integrations required to start qualifying leads.
2. Upload sales documents to the Knowledge Base — pricing sheets, case studies, product specs, objection-handling guides, email templates.
3. Connect HubSpot (recommended) in Settings → Integrations for full CRM pipeline tracking. Without it, the agent saves lead data locally. See HubSpot setup guide.
4. Connect Stripe (optional) for revenue tracking — MRR, churn, failed charges. See Stripe setup guide.
5. Connect Slack, Telegram, or Email so you can chat with the agent on the go — ask about pipeline status, request lead summaries, or have it draft follow-up emails from your phone. Scheduled reports are saved to the agent workspace + Notion; to push them to a channel, configure the Webhook add-on.
6. Set up scheduled tasks (see below) to automate daily lead follow-ups and weekly pipeline reviews.

Which integrations to connect

• HubSpot (recommended) — your CRM for managing contacts, deals, and pipeline stages. Without HubSpot, the agent saves lead data locally and still qualifies leads conversationally.
• Stripe (recommended) — for tracking payments, subscriptions, and revenue metrics
• Slack (recommended) — chat with the agent from Slack: ask about open deals, request lead summaries, trigger follow-up drafts. For proactive pushes (e.g., "alert me when a payment fails in Stripe"), add the Webhook add-on to route scheduled-task output to a Slack webhook URL.
• Email (optional) — for sending personalized follow-up emails directly from the agent
• Notion (optional) — for maintaining sales playbooks, meeting notes, and deal briefs

What the agent can do

Scheduled tasks

Example prompts

Estimated costs

TamaleBot charges for hosting ($5/mo base) plus per-message credits. Here's what to expect at different lead volumes:

LLM costs depend on task complexity. Simple lead qualification costs less; multi-step prospect research with web browsing costs more. Using managed mode (Claude, included), costs are billed at Anthropic's rates plus a small service fee. BYOK mode (bring your own API key) means LLM costs go directly to your provider and are not included above.

Compare: HubSpot Sales Hub starts at $20/seat/mo (Starter) and goes up to $150/seat/mo (Professional) for sequences, automation, and forecasting. A TamaleBot sales agent handles lead qualification, follow-ups, and reporting at a fraction of the cost.

Tips

• Use it as a front-line responder. The agent can answer pricing, feature, and comparison questions on its own — deploy it on your website widget or connect it to email so prospects get instant, accurate answers 24/7.
• Upload your pricing docs and case studies. The agent references these when crafting follow-up emails, so richer materials mean more relevant outreach.
• Set up the daily lead follow-up task first. This is the highest-impact automation — no lead sits uncontacted for more than a day.
• Start with a Stripe test key if you want to explore revenue tracking without connecting your live account. Switch to production when you're ready.
• Configure your deal stages in HubSpot first. The agent uses your existing pipeline stages to move deals and flag stalled opportunities, so make sure they match your actual sales process.
• Use web research for prospect enrichment. Before a call, ask the agent to look up the company. It saves 10-15 minutes of manual research per prospect.
• Use Slack or Telegram to talk to the agent from your phone. Ask about pipeline status, request follow-ups, have it research a new lead — same capabilities as the dashboard, accessible wherever you are. For scheduled alerts (e.g., "when a Stripe payment fails, notify me"), combine with the Webhook add-on to post to a Slack webhook URL.

🚀 DevOps Agent ~15 minutes

What it does: Automated release engineer. Pulls code from Git, runs tests, deploys to staging, verifies, promotes to production, and rolls back on failure. Runs the full CI/CD pipeline for you — from git push to live app with no human in between when things go well, and a fast rollback when they don't.

Setup — 15 minutes

1. Deploy the devops preset from the Deploy page. Name it something like release-bot or ci-agent.
2. Connect your Git repo (GitHub is the easiest path). Paste a GitHub personal access token in the GitHub integration card. Scope it to just the repos the agent deploys.
3. Connect Slack or Telegram for deploy notifications. Slack setup →
4. Set up SSH access to your deploy targets. Same flow as the IT agent — Tailscale if the targets are on a private network, plus an SSH Key. Install the agent's pubkey on every server it deploys to.
5. Upload your deploy runbook to the Knowledge Base if you have one. The agent will reference it before running non-trivial deploys so it follows your team's process, not its own idea of "best practices."
6. Set "Allowed Git Repos" on the deploy page (or agent settings). The agent refuses to deploy anything outside that list.

Try it

Which integrations to connect

• GitHub (or GitLab / Bitbucket) — required. Agent reads commits, PRs, CI status; optionally watches webhooks.
• Tailscale + SSH Key — required if deploy targets are on a private network. Setup →
• Slack or Telegram — for deploy success/failure notifications.
• Knowledge Base — optional but strongly recommended. Upload your deploy runbook, architecture diagram, rollback checklist. The agent references these before acting.

Deployment pipeline (what the agent actually does)

Every deploy follows five stages. The agent won't skip a stage even if you ask it to — that's a safety feature.

1. Pre-deploy checks — confirms target env, fetches git, verifies CI status is green, summarizes what's changing since last deploy.
2. Build + test — runs your project's test suite. Failures abort the deploy and report verbatim.
3. Staging deploy — ships to staging, runs smoke tests. If smoke fails, rolls back staging and stops.
4. Production deploy — creates a rollback point (DB dump, previous container tag), deploys, watches error rate + health checks for 60–300s.
5. Post-deploy — summary to Slack/Telegram with commit SHA, timing, any warnings. Tags the release in git.

If anything goes sideways in stage 4, the agent auto-rolls-back within seconds and alerts you with what failed.

Suggested scheduled tasks

Example prompts you can type in chat

Use cases where this shines

• Solo dev / small team deploy bot. You don't want to run a separate Jenkins / GitHub Actions setup — deploys happen when you tell the agent on Slack. It handles the test/deploy/verify loop.
• "Boring release Friday" safety net. The agent enforces the staging-first rule, refuses destructive migrations without dry-run, and blocks Friday-afternoon prod pushes without confirmation. Saves you from yourself.
• Hotfix responder. An on-call engineer tells the agent "deploy hotfix-auth-bug to prod right now, risk-accepted" — agent still runs tests, creates a rollback point, and deploys. The human saved 10 minutes of manual steps.
• Multi-env release manager. You deploy the same service to 5 environments (dev / staging / prod-us / prod-eu / canary). Agent runs the matrix in the right order with health checks between each.

Hard rules (agent refuses to violate)

• Never skips staging. No staging env? Agent stops and tells you to set one up.
• Never deploys directly to production on a Friday after 3 PM without explicit confirmation in chat.
• Never runs destructive DB migrations (DROP TABLE / DROP COLUMN / ALTER ... DROP) without a dry-run and your approval.
• Never force-pushes to main, master, or production.
• Never deploys without a rollback plan. If it can't prepare a rollback point, it stops and escalates.

Tips

• Give the agent its own GitHub user with access scoped to the repos it deploys. You'll get a clean audit trail — every deploy commit and release tag shows as authored by the agent.
• Keep deploy scripts idempotent. The agent will re-run steps if something fails mid-pipeline. If your scripts break when run twice, fix that first.
• Start with staging-only deploys for the first week. Watch what the agent does, tune your runbook, then enable production promotion.

🖥 IT Department ~15 minutes

What it does: An always-on AI sysadmin that SSHes into your servers, runs health checks, investigates problems, performs safe fixes, and alerts you when something needs a human. Runs in its own isolated container with a stable identity so it can reach your private infrastructure — home lab, office VLAN, colo, or hundreds of managed devices.

What the agent can actually do

Here's the output from a real health check the agent ran over Tailscale into a private Ubuntu box:

Seven SSH commands, one coherent summary. It tried to read error logs but correctly reported "sudo needs a password" instead of faking the data — that honesty matters for real ops work.

Setup — 15 minutes

Steps marked one-time per Tailscale/server are reusable across every IT agent you deploy later.

1. Deploy the it-sysadmin preset. On the Deploy page, pick the IT Sysadmin blueprint. Give the agent a name like homelab-ops or office-it. Deploy it and wait ~30 seconds for the container to boot.
2. Connect Slack or Telegram (for alerts). On the agent's dashboard, open the integration card for Slack or Telegram and paste the token — same flow as any other agent. Telegram setup → / Slack setup →
3. Connect the agent to your private network with Tailscale. The agent lives in a Cloudflare container, so it can't reach your 10.0.0.x or 192.168.x.x servers directly. Tailscale puts the agent on the same private network as your servers. Tailscale setup → (one-time per tailnet)
4. Give the agent a stable SSH identity. Generate an ed25519 keypair in the dashboard, then install the public key on every server the agent should reach. SSH Key setup →
5. Grant the agent passwordless sudo (optional but recommended). Without this, the agent can read most diagnostics but can't restart services, tail protected logs, or install packages. See SSH Key setup → "Give the agent sudo".
6. Tell the agent which hosts to manage. In the agent's chat, say: "You manage these servers: web-1, db-1, build-2. User is ops. Use Tailscale MagicDNS hostnames." It'll save that to memory and use it for future requests.

Try it

From the agent chat, ask:

If it works, you're done. If SSH times out or permission-denies, use the SSH Diagnostics card on the agent's Integrations tab — enter the hostname + user, click Run, and it tells you exactly which step is broken (network, SSH auth, or sudo) with the one-line fix for each.

Maximum simplicity: Least Friction Mode

On the Deploy page there's a Least Friction Mode checkbox. Toggling it flips every security hardening off in one shot: no web sandboxing, no outbound allowlist, no exfiltration blocking, no vault guard. The agent can reach any host, run any command, fetch any URL. Recommended only for home-lab / solo-trusted setups where you own every machine the agent touches. It's reversible any time from the agent's Settings → Security Hardening section.

Which integrations to connect

• Tailscale — required for reaching servers on private networks. Skip this only if all your servers have public SSH (rare).
• SSH Key — required. Use the dashboard's "Generate" button so the key survives container restarts.
• Slack or Telegram — for alerts and asking the agent to run things on your phone.
• Knowledge Base — optional. Upload your runbooks (incident playbooks, company-specific procedures) and the agent will reference them when handling alerts.
• Email — optional. Useful if you want the agent to parse inbound monitoring alerts from Nagios/UptimeRobot/PagerDuty.

Suggested scheduled tasks

Example prompts you can type in chat

Use cases — where this actually shines

• Home lab / self-hosted stack. Run a TrueNAS, Proxmox, Home Assistant, media server. The agent checks them daily, restarts the Plex container when it OOMs, cleans up old snapshots, and texts you when the RAID is degrading.
• Small business IT (5–50 devices). The agent is your after-hours helpdesk — it takes Slack messages from employees ("my VPN won't connect"), SSHes into the target machine, runs diagnostics, and either fixes it or escalates to you with the full context so you're not starting from scratch.
• MSP managing hundreds of devices. Use the Tailscale SSH path — one agent, one ACL, access to every customer device with a central audit trail. The agent runs nightly compliance checks across the whole fleet and flags drift.
• DevOps bridge. Not a replacement for your on-call engineer, but an excellent first responder. It triages alerts, does the initial investigation, and either resolves or pages the human with "here's what I found, here's what I tried, here's what I think it is."

Safety: what the agent will and won't do

The it-sysadmin preset ships with an SRE-flavored system prompt that enforces safe defaults. The agent:

• Always tries read-only diagnostics first before any write operation.
• Refuses destructive actions without explicit confirmation — rebooting, deleting data, mass config changes.
• Never runs rm -rf on anything it didn't just create.
• Escalates rather than guesses — if it's unsure, it asks you on Slack/Telegram instead of taking a chance.
• Logs every command it runs to the agent audit log, visible in the dashboard under Logs.

You can harden further by setting Allowed SSH Hosts on the deploy page to restrict the agent to a specific hostname allowlist, or by writing a custom security policy to block specific command patterns.

Tips

• Use Tailscale MagicDNS names (web-1, not 10.0.0.5). They work even when a server changes IP.
• Store runbooks in the knowledge base. The agent reads them before acting on incidents, so its decisions match how your team actually operates.
• Don't give the agent your SSH key. Generate a separate keypair for the agent in the dashboard. If you ever suspect a compromise, remove the pubkey from authorized_keys and the agent is locked out — your own access is unaffected.
• Enable the Knowledge Base and upload your network diagram, server inventory spreadsheet, or runbook wiki. The agent is dramatically better at its job with context.

Advanced: the 5-agent IT Department (multi-agent)

For larger environments, you can split the work across specialized agents that talk to each other. The single it-sysadmin agent handles 95% of use cases — deploy the team only if you need all five roles separately:

• IT Lead — Triage coordinator. Receives alerts, classifies severity (P1–P4), delegates to specialists, tracks incident lifecycle.
• Monitor — Runs scheduled health checks, detects anomalies by comparing against baselines, produces predictive alerts ("disk will fill in 3 days").
• Sysadmin — Executes safe auto-fixes: disk cleanup, service restarts, log rotation, container recovery.
• Security — Read-only vulnerability scanner. CVE checks, auth-log review, SSH config audit. Never modifies security settings.
• Analyst — Reviews trends, calculates MTTR, projects capacity needs, drafts post-incident reports.

Deploy each from its own preset, configure them with the same Tailscale key + SSH key, and give each one its role in the system prompt. The agents can message each other via their assigned channels.

📅 Executive Assistant ~15 minutes

What it does: Your AI chief of staff. Reads and triages your inbox, watches your calendar, drafts replies and scheduling requests, keeps your task list in Notion up to date, and delivers a morning briefing so your day starts with context instead of chaos. Works across Gmail, Google Calendar, Google Docs, Google Sheets, Google Drive, and Notion.

What the agent can actually do

• Email triage — reads your inbox, flags urgent threads, drafts replies (never sends without your approval unless you tell it to).
• Calendar management — checks your day/week, blocks focus time, finds open slots for meetings, suggests reschedules when things collide.
• Morning briefing — a scheduled summary of today's meetings, urgent emails, pending tasks, and the weather (yes, really).
• Task tracking — reads + writes Notion pages, appends to task databases, surfaces overdue items.
• Document lookup — reads Google Docs and Drive files to answer questions about your own stuff ("what did I agree in last week's contract?").
• Spreadsheet updates — appends rows to Google Sheets for tracking (expense logs, CRM, whatever you already manage in Sheets).
• Knowledge base — upload your SOPs, bios, meeting prep templates, company docs; the agent references them when relevant.

Setup — 15 minutes

1. Deploy the Executive Assistant preset from the Deploy page.
2. Connect Google Workspace (Gmail + Calendar + Drive + Docs + Sheets) — one OAuth flow covers all five. Google Workspace setup →
3. Connect Notion (optional but recommended) for task tracking. Notion setup →
4. Connect Slack or Telegram so you can chat with the assistant from your phone ("what's on my calendar?" "draft a reply to the thread with Sarah").
5. Upload context to the Knowledge Base — your standard email signatures, company bios, meeting-prep templates, people you want auto-researched before a first meeting, etc.
6. Set up the morning briefing (see Suggested scheduled tasks below) so it runs automatically before your first meeting.

Which integrations to connect

• Google Workspace (recommended) — Gmail, Calendar, Drive, Docs, Sheets all unlock from one OAuth flow.
• Notion (recommended) — for task tracking, meeting notes, any knowledge your team already manages in Notion.
• Email (IMAP/SMTP) (alternative to Gmail) — if your inbox isn't on Google, the agent can connect via standard IMAP/SMTP.
• Slack or Telegram (recommended) — chat with the assistant from your phone.
• Knowledge Base — your personal context layer. The more you upload, the more useful the agent becomes.

Suggested scheduled tasks

Example prompts you can type in chat

Tips

• Don't give it send-email authority day one. Start with "show me drafts before sending." After a week of watching its drafts, turn on autosend for low-stakes categories.
• Upload your bios, templates, and SOPs to the Knowledge Base. Without that context, the agent writes generic replies. With it, the replies sound like you.
• Use scheduled tasks for the repetitive stuff. Morning briefing, end-of-day summary, meeting prep — these are where the agent pays back daily.
• Keep a "do not email" list in the system prompt or knowledge base — vendors, ex-clients, anyone you don't want the agent reaching out to.

📊 Data Analyst

What it does: Pulls data from your business tools, generates reports, tracks key metrics (KPIs), and posts summaries where your team can see them.

Which integrations to connect

• Stripe — revenue, subscriptions, charges, churn.
• Shopify — orders, products, customers.
• HubSpot — pipeline, deals, contacts.
• Google Sheets (via Google Workspace) — to write metrics into a dashboard you already maintain.
• Notion — for saving weekly / monthly reports.
• Slack or Telegram — chat with the agent to ask ad-hoc metrics questions from your phone. For pushing scheduled reports to a Slack channel, use the Webhook add-on on the agent.

Suggested scheduled tasks

Example prompts

How to get reports delivered to Slack

The agent itself doesn't push messages to Slack channels. For scheduled-report delivery, use the Webhook add-on:

1. Create an incoming webhook in your Slack workspace pointed at the channel you want (e.g. #metrics).
2. In the agent's Settings → Webhook field, paste the webhook URL and check the schedule.executed event.
3. When scheduled tasks complete, their output gets posted to that Slack channel automatically.

For ad-hoc questions ("what was revenue last week?"), the agent answers directly in whatever channel you message it through — Slack DM, Telegram, or dashboard chat.

Tips

• Start with one source. Connect Stripe first, set up the daily metrics task, see if the summaries are actually useful. Add Shopify / HubSpot / Sheets as you need them.
• Use Google Sheets as the system of record for trend-tracking. The agent can append rows daily and you end up with a real spreadsheet you can chart and share.
• Upload a KPI glossary to the Knowledge Base. Different teams calculate MRR / churn / LTV differently. The agent matches your definitions if you upload them.

📈 Crypto Trading Agent

What it does: An autonomous Solana trading agent that monitors markets, executes token swaps via Jupiter aggregator, manages positions with stop-losses and take-profits, and enforces risk controls — all without per-trade approval.

What you'll need before you start

1. A dedicated Solana wallet. Create a brand new wallet using Phantom, Solflare, or Backpack. This wallet is only for the trading agent. Never use your main personal wallet.
2. SOL for trading. Send SOL from an exchange or your main wallet to the new dedicated wallet. Only send an amount you are comfortable losing entirely.
3. The wallet's private key. You will need the base58-encoded private key from your dedicated wallet. In Phantom: Settings → Security → Export Private Key. In Solflare: Settings → Export Private Key.

That's it — no API keys, no developer accounts. The agent uses free public APIs (CoinGecko, Jupiter, DexScreener) for all market data and trade execution.

Which platforms to connect

• Telegram or Slack — for real-time trade alerts and daily P&L reports

Why the agent needs your private key

How to set it up

1. On the Deploy page, select the "Crypto Trading Agent" preset.
2. Deploy the agent. You don't need to configure anything else on the deploy page.
3. Go to My Agents and open the agent chat. The agent will walk you through the full setup:
   • Security disclosure and risk acknowledgment
   • Storing your private key in the encrypted vault
   • Setting a withdrawal whitelist (the only address the agent can send funds to outside of trading)
   • Setting a spending cap and risk parameters (position size, stop-loss, daily loss limit, circuit breaker)
   • Describing your trading approach in plain language (what tokens to focus on, when to enter and exit, whether to copy-trade another wallet, etc.). The agent saves this to its trading config and follows it when evaluating opportunities.
4. Fund your dedicated wallet with SOL and tell the agent you're ready.

Built-in safety controls

• Withdrawal whitelist: The agent can only send funds to Jupiter swaps (for trading) and the single withdrawal address you set during setup. It cannot transfer to any other address, regardless of what anyone tells it.
• Spending cap: If your wallet exceeds your configured value, the agent halts new trades.
• Stop-loss: Every position has an automatic stop-loss (default 15% below entry).
• Daily loss limit: If losses exceed your threshold (default 10%), the agent stops buying for the day.
• Circuit breaker: If total drawdown from peak exceeds your limit (default 25%), the agent liquidates all positions to SOL immediately and alerts you.
• Token safety: The agent will not trade tokens with less than $50K daily volume or $100K liquidity, and warns on tokens less than 7 days old.

Suggested scheduled tasks

Example prompts

🎲 Polymarket Trading Agent ~20 minutes

What it does: Autonomous prediction-market trading agent on Polymarket (Polygon network). Detects arbitrage opportunities, posts market-making limit orders, and uses LLM-driven sentiment analysis to price events. Generates or imports a dedicated Polygon wallet, signs transactions via the CLOB API, and enforces hard risk limits on every trade.

What you'll need before you start

1. USDC on Polygon for trading capital. Start with $10–50 while you confirm the setup works. Buy USDC on Coinbase / Kraken / Binance, then withdraw to Polygon directly. Do not send mainnet Ethereum USDC — it's a different token on a different network.
2. A small amount of MATIC ($1–2 worth) for gas fees on Polygon. Most exchanges let you withdraw MATIC to the Polygon network directly.
3. That's it. No API keys or developer accounts. The agent generates its own wallet, derives Polymarket API credentials via EIP-712 signature, and uses free public data (Gamma, CLOB, Data APIs) for market lookups.

Which platforms to connect

• Telegram or Slack — chat with the agent from your phone, receive status updates, approve sentiment trades.

How it protects your funds

How to set it up

1. On the Deploy page, select the "Polymarket Trader" preset.
2. Deploy the agent. You don't need to configure anything on the deploy page.
3. Go to My Agents and open the agent chat. The agent walks you through the full flow automatically:
   • Security disclosure and acknowledgment.
   • Wallet setup — choose Generate new (recommended) or Import existing (paste a hex private key of a dedicated wallet).
   • Deposit instructions for your new wallet address. The agent tells you exactly what to send (USDC + MATIC on Polygon).
   • Token approvals — agent runs a one-time on-chain approval for the Polymarket exchange contract.
   • API credential derivation — agent signs an EIP-712 message to get HMAC credentials (saved to workspace for reuse).
   • Strategy selection — arb, mm, both, or manual. See strategies below.
   • Risk parameters (max bet size, daily loss limit, max concurrent positions, hourly trade limit).
   • If you picked arb or mm, the agent schedules a cron job to run the strategy automatically every minute.
4. Fund your trading wallet (USDC + MATIC on Polygon) and tell the agent you're ready.

The four strategies

1. Arbitrage (automated, zero-LLM) — detects when YES + NO ask prices sum to less than $1.00 minus fees. Buys both sides, guaranteed profit on resolution regardless of outcome. Executed by the zero-LLM polymarket-arb.mjs script on a cron. Typical profit: 0.5–3% per trade, speed-dependent.
2. Market Making (automated, zero-LLM) — posts bid/ask limit orders around the midpoint price, captures the spread when both sides fill. Same cron-driven script in "mm" mode. Typical return: 1–3% monthly with high win rate, requires idle capital.
3. Sentiment / Information Edge (LLM-driven) — the agent analyzes news, social feeds, and data to estimate event probabilities, compares its estimate to the current market price, and recommends trades where the edge is >5%. Uses fractional Kelly criterion for sizing (25–50% of full Kelly to reduce variance). You approve or auto-execute based on your confidence threshold.
4. Manual research — ask the agent about specific markets, events, or categories. It provides probability estimates and recommendations. You decide whether to trade.

Built-in safety controls

• Max bet size: no single trade exceeds your configured limit (default $50).
• Daily loss limit: halts all new trades after total daily loss exceeds your threshold (default $100).
• Max concurrent positions: prevents over-diversification and spreading capital too thin (default 20).
• Hourly trade limit: caps runaway execution (default 60).
• Liquidity floor: agent refuses to trade markets with less than $1K liquidity.
• Fee-aware: the 2% Polymarket winner fee is factored into all profit calculations, so the agent won't place trades with margins smaller than the fee.
• Withdrawal discipline: the agent can only send funds to the Polymarket exchange contract (for trading) — never to arbitrary addresses.

Suggested scheduled tasks

Example prompts

Which strategy should I start with?

• First week: start with arb only. Small max bet ($5–10). Confirm the agent finds and executes arb opportunities. You'll see small but frequent profits; this is the safest way to validate the setup.
• Once arb is working: layer on mm (choose "both" during setup). Market making needs more capital but produces steadier returns. Requires you to tolerate capital being locked in orders.
• Sentiment trading: start with approval required mode. Let the agent recommend trades for a week or two; manually approve the ones that look good. Once you trust its reasoning, you can raise the auto-execute threshold.

Troubleshooting

• "Automated trading hasn't made any trades yet": Check that the cron schedule is active (agent dashboard → Settings → Schedules). Arb opportunities are rare and speed-sensitive; it may take hours to find one on low-volume markets.
• "Balance check shows zero": You sent funds to the wrong network (mainnet Ethereum instead of Polygon). You need to bridge them to Polygon. Polymarket supports deposits only on Polygon; there's no fix from the TamaleBot side.
• "Token approvals failed": Your wallet doesn't have enough MATIC for gas. Deposit $1–2 worth of MATIC and re-run approvals.
• "Agent can't find the polymarket-tools.mjs script": The agent needs to be redeployed — the template file didn't copy. Destroy + redeploy the agent.

Platform Setup Guides

Step-by-step instructions for connecting each platform to your TamaleBot agent. Each guide tells you exactly what to click and where to paste.

𝕏 Twitter / X

Option A: X Simple Connect (Recommended) ~1 minute

1. Go to My Agents → your agent → Integrations tab.
2. In the X (Twitter) card, click "Set Up" to open the setup wizard.

Step 1 — Connect your X account

1. Click "Connect X Account". A popup opens with the X authorization screen.
2. Log in to X (if needed) and click "Authorize app".
3. The popup closes automatically and the wizard shows your connected username (e.g. @YourHandle).

Step 2 — Define your content strategy

Tell the agent what to post about. You can pick a preset or write your own strategy:

• Brand Awareness — industry insights, tips, and thought leadership
• Product Updates — announcements, features, and behind-the-scenes
• Community Engagement — questions, conversations, and user shout-outs
• Custom — write your own detailed content brief

The strategy you write here becomes part of the agent's system prompt and is included in every scheduled post task, so the more detail you provide (tone, audience, topics to avoid), the better the results.

Step 3 — Pick a posting schedule

Choose how often the agent should post:

Click "Finish Setup" and you're done. The wizard creates a scheduled task and updates the agent's system prompt automatically.

Option B: Manual Setup (Advanced) ~5 minutes

What you'll need

Step 1 — Open the Developer Console

The API keys are not in your regular X/Twitter settings. You need the separate Developer Console.

1. Go to developer.x.com and sign in with your X account.
2. If this is your first time, you'll see a signup form. Enter an Account Name (e.g. "TamaleBot" or your brand name).

Step 2 — Describe your use case

X requires a short description of how you'll use the API. Here's what to write:

1. Paste the description above (or write your own) into the use case text box.
2. Check the box that says "You understand that you may not resell anything you receive via the X APIs."
3. Click Submit. Approval is usually instant for the free tier.

Step 3 — Get your API keys

After approval you'll land on the Developer Dashboard. It shows your usage, credits, and billing.

1. Click "Apps" in the left sidebar.
2. You should see a default app. Click on it to open its settings. If there is no app, click "Create App" and give it a name.
3. Go to the "Keys and tokens" tab inside your app.
4. Under Consumer Keys, click "Regenerate" to get your API Key and API Key Secret. Copy both immediately — the secret is only shown once.
5. Under Authentication Tokens, click "Generate" to create your Access Token and Access Token Secret. Copy both immediately.

Step 4 — Set permissions to Read and Write

By default, your app may only have Read permission. You need Read and Write to post tweets.

1. In your app settings, go to "User authentication settings" and click "Set up" or "Edit".
2. Under App permissions, select "Read and write".
3. For Type of App, select "Web App, Automated App or Bot".
4. Fill in the required Callback URL and Website URL. You can use your own website or https://tamalebot.com as a placeholder.
5. Click Save.

Step 5 — Add credits (pay-per-use)

X's API is pay-per-use. Posting is very cheap — about $0.01 per 10 tweets — but you need a positive credit balance or API calls will fail with a 403 Forbidden error.

1. In the Developer Console, click "Billing" in the left sidebar.
2. Click "Credits" and add a small amount. Even $5 will last months at typical posting volumes.
3. Optionally, enable auto-recharge so your bot never runs out mid-post.

Step 6 — Paste into TamaleBot

1. Go to your TamaleBot deploy page (during initial setup) or your agent's Settings tab (for existing agents).
2. Paste all 4 keys into the Twitter/X fields:
   API Key API Key Secret Access Token Access Token Secret
3. Click Save. Your agent can now post, reply, and read mentions on X.

Troubleshooting

📸 Instagram ~10 minutes

What you'll need

1. You need a Facebook account and an Instagram Professional account (Business or Creator). If your Instagram is personal, open the Instagram app, go to Settings → Account → Switch to Professional Account and follow the prompts.
2. Go to developers.facebook.com and click "My Apps" in the top right, then click "Create App".
3. Choose the "Business" type. Give it any name you like, such as "My Social Bot".
4. On the app dashboard, find "Instagram Graph API" and click "Set Up".
5. Go to Tools → Graph API Explorer.
6. In the top dropdown, select your app.
7. Click "Generate Access Token". Log in with Facebook and grant the permissions it asks for.
8. Your User ID and Access Token will appear on screen. Copy both of them.
9. Paste the Access Token and User ID into TamaleBot — either in the Integrations tab (click the Instagram card) or on the Deploy page in the Instagram fields.

🎬 TikTok ~15 minutes

What you'll need

1. Go to developers.tiktok.com and create a developer account if you don't have one.
2. Click "Manage Apps" in the top menu, then click "Create App".
3. Under "Add Products", enable the "Content Posting API".
4. Fill out the app details and submit for review. TikTok typically reviews apps within a few business days. To avoid rejection:
   • Write a clear app description (e.g. "AI-powered social media assistant that creates and publishes content for my business").
   • Add an app icon and a privacy policy URL — TikTok requires one.
   • Make sure your TikTok account is a Business account, not a personal one.
5. Once your app is approved, go to your app's settings page and find the Access Token.
6. Paste the Access Token into TamaleBot — either in the Integrations tab (click the TikTok card) or on the Deploy page in the TikTok field.

▶️ YouTube ~10 minutes

What you'll need

1. Go to console.cloud.google.com and sign in with your Google account.
2. Create a new project (or select an existing one). Name it anything you like, such as "My Social Bot".
3. Go to "APIs & Services" → "Library" in the left sidebar.
4. Search for "YouTube Data API v3" and click "Enable".
5. Go to "APIs & Services" → "Credentials".
6. Click "Create Credentials" → "API Key". Copy the API key that appears.
7. Click "Create Credentials" → "OAuth Client ID".
8. If prompted to configure the OAuth consent screen, choose "External", add your email address, and save.
9. For Application Type, choose "Web application".
10. Under Authorized redirect URIs, add: https://developers.google.com/oauthplayground
11. Copy the Client ID and Client Secret that appear.
12. Go to developers.google.com/oauthplayground.
13. Click the gear icon (Settings) in the top right. Check "Use your own OAuth credentials" and paste your Client ID and Client Secret.
14. In the left panel, find "YouTube Data API v3", select all the scopes listed, then click "Authorize APIs".
15. Click "Exchange authorization code for tokens".
16. Copy the Refresh Token from the response.
17. Paste the API Key and Refresh Token into TamaleBot — either in the Integrations tab (click the YouTube card) or on the Deploy page where you can also enter the Client ID and Client Secret. All four are required for uploading Shorts.

🔴 Facebook ~10 minutes

What you'll need

1. Go to developers.facebook.com, click "My Apps", and select your app (or create one if you haven't already).
2. Go to Settings → Basic in the left sidebar. Note your App ID and App Secret — you'll need them in a later step.
3. Go to Tools → Graph API Explorer.
4. In the "User or Page" dropdown at the top, make sure "User Token" is selected (not your Page).
5. Under "Permissions", add: pages_manage_posts, pages_read_engagement, and pages_show_list.
6. Click "Generate Access Token" and approve the permissions it asks for. This gives you a short-lived User Token (expires in ~1 hour).
7. Now exchange it for a long-lived User Token. In the Graph API Explorer, paste this into the query field and click Submit:
   GET /oauth/access_token?grant_type=fb_exchange_token&client_id={YOUR_APP_ID}&client_secret={YOUR_APP_SECRET}&fb_exchange_token={SHORT_LIVED_TOKEN}
   Replace the values in curly braces with your App ID, App Secret, and the token from the previous step. Copy the access_token from the response.
8. Finally, get your permanent Page Token. Paste this into the query field and click Submit:
   GET /me/accounts?access_token={LONG_LIVED_USER_TOKEN}
   Find your Page in the response. The access_token next to it is your permanent Page Token. Copy it.
9. Your Page ID is also in that same response, or you can find it in the URL when you visit your Facebook Page. Copy it.
10. Paste the Page Token and Page ID into TamaleBot — either in the Integrations tab (click the Facebook card) or on the Deploy page in the Facebook fields.

💬 Threads ~5 minutes

What you'll need

1. If you set up Instagram above, you already have a Meta Developer app. If not, follow the first three Instagram steps to create one.
2. On your app dashboard, find "Threads API" and click "Set Up".
3. Go to Tools → Graph API Explorer.
4. Generate a token with Threads permissions selected.
5. Your User ID is the same as your Instagram User ID. Copy it.
6. Paste the Access Token and User ID into TamaleBot — either in the Integrations tab (click the Threads card) or on the Deploy page in the Threads fields.

🗨️ Slack ~5 minutes

What you'll need

1. Go to api.slack.com/apps and click "Create New App".
2. Choose "From scratch". Name it something like "TamaleBot" and select your workspace.
3. Go to "OAuth & Permissions" in the left sidebar.
4. Scroll down to "Bot Token Scopes" and add these scopes: chat:write, app_mentions:read, im:history, channels:history.
5. Scroll back up and click "Install to Workspace", then click "Allow".
6. Copy the "Bot User OAuth Token" (it starts with xoxb-). This is your Bot Token.
7. Now enable Socket Mode: go to "Socket Mode" in the left sidebar and toggle it on.
8. Slack will ask you to create an App-Level Token. Give it a name (e.g. "tamalebot-socket"), add the connections:write scope, and click "Generate".
9. Copy the token that appears (it starts with xapp-). This is your App Token.
10. Go to "Event Subscriptions" in the left sidebar and toggle it on. Under "Subscribe to bot events", add: app_mention and message.im.
11. Paste both tokens into TamaleBot — either in the Integrations tab (click the Slack card) or on the Deploy page in the Slack fields.

🎮 Discord ~5 minutes

What you'll need

1. Go to discord.com/developers/applications and click "New Application".
2. Name it something like "TamaleBot" and click Create.
3. Go to "Bot" in the left sidebar.
4. Click "Reset Token" and copy the token that appears.
5. Still on the Bot page, scroll down to "Privileged Gateway Intents" and enable "Message Content Intent".
6. Go to "OAuth2" → "URL Generator" in the left sidebar.
7. Check the "bot" scope. In the permissions that appear below, check "Send Messages" and "Read Messages/View Channels".
8. Copy the generated URL at the bottom of the page. Open it in your browser and invite the bot to your server.
9. Paste the bot token into TamaleBot — either in the Integrations tab (click the Discord card) or on the Deploy page in the Discord field.

✈️ Telegram ~2 minutes

What you'll need

1. Open Telegram and search for @BotFather.
2. Send the command /newbot.
3. Choose a display name and a username for your bot (the username must end in "bot").
4. BotFather will reply with a token. Copy it.
5. Paste the token into TamaleBot — either in the Integrations tab (click the Telegram card) or on the Deploy page in the Telegram field.

✉️ Email (Gmail example) ~5 minutes

What you'll need

1. Go to myaccount.google.com and click "Security" in the left sidebar.
2. Make sure 2-Step Verification is turned on. If it's not, enable it first.
3. Go to myaccount.google.com/apppasswords.
4. Create an app password — select "Mail" and your device type.
5. Google will show a 16-character password. Copy it. This is your IMAP/SMTP password.
6. In TamaleBot, go to Integrations tab (click the Email card) or the Deploy page, and fill in:
   • IMAP Host: imap.gmail.com
   • Email / Username: your full email address (e.g. you@gmail.com)
   • App Password: the 16-character app password you just copied
   • SMTP Host: smtp.gmail.com

🤖 OpenAI (for image generation) ~2 minutes

What you'll need

1. Go to platform.openai.com and sign in (or create a free account).
2. Click your profile icon in the top right, then click "API Keys" (or go directly to platform.openai.com/api-keys).
3. Click "Create new secret key". Give it any name you like.
4. Copy the key (it starts with sk-). You won't be able to see it again after closing this dialog.
5. Paste it into TamaleBot's deploy page in the OpenAI field.

📝 Notion ~3 minutes

What you'll need

1. Go to notion.so/my-integrations and sign in.
2. Click "New Integration".
3. Name it something like "TamaleBot" and select your workspace.
4. Click "Submit".
5. Copy the "Internal Integration Secret" (it starts with ntn_).
6. Paste it into TamaleBot's deploy page in the Notion field.
7. Important: In Notion, open the database or page you want the bot to access. Click the "..." menu in the top right, go to "Connections", find your integration name, and add it. The bot can only see pages you explicitly share with it.

🛒 Shopify ~5 minutes

What you'll need

1. Go to your Shopify Admin at yourstorename.myshopify.com/admin.
2. Go to Settings → Apps and Sales Channels → Develop Apps.
3. Click "Create an App" and name it anything you like.
4. Click "Configure Admin API scopes". Enable read/write access for Products, Orders, and Customers.
5. Click "Install App" and confirm when prompted.
6. Copy the "Admin API Access Token" (it starts with shpat_).
7. Your store domain is: yourstorename.myshopify.com
8. Paste both into your TamaleBot dashboard → Settings → Integrations → Shopify fields. You can also enter them during deployment on the deploy page.

💳 Stripe ~2 minutes

What you'll need

1. Go to dashboard.stripe.com and sign in.
2. Click "Developers" in the sidebar (or top right corner).
3. Go to "API Keys".
4. Copy the "Secret key" (it starts with sk_live_ or sk_test_).
5. Paste it into your TamaleBot dashboard → Settings → Integrations → Stripe field. You can also enter it during deployment on the deploy page.

📈 HubSpot ~5 minutes

What you'll need

1. Go to app.hubspot.com and click the gear icon (Settings) in the top right.
2. Go to Integrations → Private Apps in the left sidebar.
3. Click "Create a Private App".
4. Name it something like "TamaleBot".
5. Go to the "Scopes" tab. Enable these scopes: crm.objects.contacts (read/write) and crm.objects.deals (read/write).
6. Click "Create App" and confirm.
7. Copy the Access Token (it starts with pat-).
8. Paste it into your TamaleBot dashboard → Settings → Integrations → HubSpot field. You can also enter it during deployment on the deploy page.

🌏 Google Workspace ~15 minutes

This covers Gmail, Google Drive, Google Calendar, Google Docs, and Google Sheets — all in one setup.

What you'll need

1. Go to console.cloud.google.com and sign in.
2. Create a new project (or select an existing one).
3. Go to "APIs & Services" → "Library" in the left sidebar.
4. Search for and enable each of these APIs: Gmail API, Google Drive API, Google Calendar API, Google Docs API, and Google Sheets API.
5. Go to "APIs & Services" → "OAuth consent screen".
6. Choose "External", fill in your app name and email address, and save.
7. Go to "APIs & Services" → "Credentials".
8. Click "Create Credentials" → "OAuth Client ID".
9. For Application Type, choose "Web application".
10. Under Authorized redirect URIs, add: https://developers.google.com/oauthplayground
11. Copy the Client ID and Client Secret that appear.
12. Go to developers.google.com/oauthplayground.
13. Click the gear icon in the top right. Check "Use your own OAuth credentials" and paste your Client ID and Client Secret.
14. In the left panel, select the scopes for Gmail, Drive, Calendar, Docs, and Sheets.
15. Click "Authorize APIs", sign in with your Google account, and grant access.
16. Click "Exchange authorization code for tokens".
17. Copy the Refresh Token from the response.
18. Paste the Client ID, Client Secret, and Refresh Token into TamaleBot's deploy page in the Google Workspace fields.

🌐 Tailscale (private network access) ~5 minutes

Tailscale puts your TamaleBot agent on the same private network as your servers, so it can SSH into your 192.168.x.x, 10.0.0.x, home-lab, office VLAN, or cloud-VPC machines. Required for any IT or DevOps agent managing infrastructure that isn't on the public internet.

What you'll need

1. Sign up for Tailscale at login.tailscale.com/start. Free tier is fine to start.
2. Install Tailscale on your servers (the ones your agent will manage). One-liner from tailscale.com/download for each OS. Run sudo tailscale up on each server — they'll show up in your Tailscale admin panel. (one-time per server)
3. Create an auth key for the agent. Go to tailscale.com/admin/settings/keys and click "Generate auth key". Check these two options:
   • Reusable — so if the agent container restarts, it can reconnect.
   • Ephemeral — so old agent devices auto-cleanup when they disconnect. Stops "ghost device" accumulation.
4. Copy the key (starts with tskey-auth-).
5. Paste it into TamaleBot. Open your agent's dashboard → Integrations → Tailscale card. Paste the key, click Save.
6. The agent will join your tailnet on its next boot. You'll see a device named tb-<your-agent-name> appear at tailscale.com/admin/machines within 10–30 seconds.

Verify it worked

In the agent's chat window, ask:

You should see a list of every device on your tailnet, including the agent itself. If the list is empty or says "Logged out", check the Tailscale logs:

Security model

• The auth key is stored encrypted in your agent's config (AES-256-GCM). Only the agent container can decrypt it.
• The agent appears on your tailnet as a normal device. You can see it, revoke it, and scope its access in the Tailscale admin panel just like any other device.
• HTTPS interception is auto-disabled when Tailscale is on, because Tailscale's control-plane protocol requires raw TLS. Side effect: other outbound credential-injection (for OAuth integrations) won't work on this agent — use a BYOK/API-key path instead, or keep those integrations on a separate non-Tailscale agent.
• Outbound network restrictions are relaxed because the agent must reach arbitrary tailnet peers. If you need both a locked-down allowlist and Tailscale, reach out — we'll help.

Advanced: Tailscale SSH for fleets

If you're managing 20+ servers, skip per-server SSH key installs. Enable Tailscale SSH on each server and use one ACL in Tailscale admin to grant the agent access everywhere at once.

1. On each managed server (one-time): sudo tailscale up --ssh --accept-routes
2. In your Tailscale admin ACL, add:

   "tagOwners": {
     "tag:tamalebot-agent": ["autogroup:admin"],
     "tag:managed-server":  ["autogroup:admin"]
   },
   "ssh": [{
     "action": "accept",
     "src":    ["tag:tamalebot-agent"],
     "dst":    ["tag:managed-server"],
     "users":  ["root", "admin"]
   }]

3. Generate the Tailscale auth key with tag:tamalebot-agent attached, and tag your servers tag:managed-server in the admin panel.
4. That's it — the agent can now SSH to any tagged server with no per-server key install. Revoke by editing the ACL; it takes effect instantly across every device.

Tips

• Name things clearly. Rename your tailnet devices (office-web-1, home-nas, etc.) at admin/machines. The agent uses these names via MagicDNS.
• Keep the auth key for re-use. Reusable auth keys let multiple agents join the same tailnet with the same key, and survive container restarts.
• Can't reach a server? Ask the agent: "ping <hostname> from my end and show me the result." The agent uses tailscale ping which tells you if the connection path is working.

🔑 SSH Key (persistent agent identity) ~5 minutes

Gives your IT or DevOps agent a stable SSH keypair so it can log into your servers the same way every time — even after container restarts, redeploys, or upgrades. Install the public key once on each server and the agent has access forever (until you remove it).

What you'll need

1. Open your agent's dashboard → Integrations → SSH Key card.
2. Click "Generate new ed25519 key". TamaleBot creates an OpenSSH-format keypair. The public key fills into the top textarea; the private key goes into the lower one.
   • Prefer your own key? Run ssh-keygen -t ed25519 -C tamalebot-agent -N "" locally and paste both into the textareas instead.
3. Click Save. The private key is encrypted at rest in the agent config and mounted to ~/.ssh/id_ed25519 inside the container on every boot.
4. Install the public key on each target server. Click "Copy install one-liner" to get a single bash command. Run it on each server via whatever access you have (existing SSH, HopToDesk, VNC, console). Example command:

   mkdir -p ~/.ssh && chmod 700 ~/.ssh && \
   echo 'ssh-ed25519 AAAA... tamalebot-agent' >> ~/.ssh/authorized_keys && \
   chmod 600 ~/.ssh/authorized_keys

5. Verify by asking the agent in chat: "SSH into <hostname> and run whoami."

First-time bootstrap — servers with no existing SSH access

If you don't already have SSH working to a server (for example, a home machine you only reach via RDP/VNC/HopToDesk), get in through whatever interface you have, open a terminal on the server's desktop, and run the install one-liner from step 4 there. That bootstraps the first SSH path. From then on, the agent (and you) can use SSH.

Give the agent sudo (optional but recommended)

Without sudo, the agent can read most diagnostics but can't restart services, read protected logs, or install packages — roughly 60% of real IT work. There are three ways to grant it:

1. Passwordless sudo (easiest). On each server, run:

   echo '<agent-user> ALL=(ALL) NOPASSWD: ALL' | sudo tee /etc/sudoers.d/tamalebot-agent
   sudo chmod 440 /etc/sudoers.d/tamalebot-agent

   Replace <agent-user> with the SSH user the agent uses (e.g. ops, ubuntu, m). This grants full root on that machine via the agent's SSH key — same trust level as giving someone root SSH access.
2. Narrower passwordless sudo (safer). Scope to only the commands the agent legitimately needs:

   ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl, /usr/bin/journalctl, \
   /usr/bin/apt, /usr/bin/docker, /bin/cat /var/log/*

   Add or remove paths to fit your policy.
3. Tailscale SSH with root ACL. If you use the Tailscale SSH path, add "users": ["root"] to your ACL. The agent logs in as root directly, no sudo needed.

Rotating or revoking the key

• Rotate: Click "Regenerate" in the SSH Key card, Save, then install the new pubkey on every server (remove the old line from authorized_keys). Takes a few minutes depending on fleet size — use the Tailscale SSH path if this gets painful.
• Revoke (emergency): Delete the matching line from ~/.ssh/authorized_keys on each server. The agent is locked out instantly without touching TamaleBot at all — your own SSH access is unaffected.

Security model

• Private key stored encrypted in the agent config (AES-256-GCM), never logged, never returned in API responses.
• Mounted at /home/agentuser/.ssh/id_ed25519 with 0600 perms at container boot, then the env-var carrying the key is unset so the agent process can't dump it via env.
• Separate from your personal keys. Always generate a dedicated key per agent — never paste in your own laptop's key. Scope and revocation become simple.

Features

📚 Knowledge Base

The Knowledge Base is where you upload the documents your agent will use to answer questions. Think of it like giving your agent a library — it can only reference what you put in there.

How it works

1. You upload files to your agent's Knowledge Base in the dashboard.
2. When a user asks a question, the agent uses knowledge_search to find relevant files by name, description, or tags.
3. It reads the file content with knowledge_read (text is extracted automatically from PDFs and Word docs).
4. It answers the question based on what it found, citing the source document.
5. If the user needs the actual file, the agent can share it directly in the chat via knowledge_get_url.

How to upload files

1. Go to your TamaleBot dashboard and select your agent.
2. Click the Knowledge Base tab.
3. Drag and drop files into the upload zone, or click browse to select files.
4. Each file can be up to 25 MB.
5. After uploading, you can add a description and tags to each file to help the agent find it more easily.

Supported file types

What to upload for a customer support agent

The more relevant content you upload, the better your agent answers. Here's what works best:

Tips for a good knowledge base

• Use clear file names. The agent searches by file name, description, and tags. return-policy.pdf is much better than doc_final_v3.pdf.
• Add descriptions and tags. After uploading, click a file to add a description like "30-day return policy for all products" and tags like "returns, refunds, policy". This helps the agent find the right file faster.
• Keep docs up to date. If your pricing changes, upload the new version. The agent can only answer based on what's in the KB.
• Use markdown or plain text when possible. These are the fastest for the agent to read. PDFs and Word docs work too — text is extracted automatically — but simple formats are more reliable.
• One topic per file works best. A focused shipping-policy.md is better than a 50-page everything.pdf. The agent searches for relevant files first, so smaller, focused files get matched more accurately.
• Include the questions, not just the answers. If your FAQ doc includes "Q: How do I reset my password?" the agent can match that question directly. A doc that only says "Go to Settings > Reset" is harder to find.
• Test after uploading. Ask your agent the questions your customers ask. If it can't find the answer, the file might need a better name, description, or more detail.
• Storage included: 2 GB of Knowledge Base storage is included free with every account. KB is shared across all your agents, so you can upload a document once and have every agent reference it. For heavier document sets, you can upgrade to Pro (20 GB, $5/mo) or Business (100 GB, $15/mo) from your account page. Per-file max is 100 MB.

🧠 Memory & Storage Scope ~3 minutes

Each TamaleBot agent has three places it can store data. They differ in scope (who can read it), durability (how long it lives), and what you'd use them for. Understanding the differences saves you from "wait, why can't my new agent see this?" surprises.

The three kinds of storage

What this means in practice

• Your DevOps agent's deploy history is NOT visible to your IT Sysadmin agent, even on the same account. Each agent has its own memory_save log. If you want a shared deploy ledger, use Team Storage.
• Knowledge Base uploads are per-agent too — if you upload your company handbook to agent A, agent B doesn't see it automatically. Upload to each agent that needs it (or use the same KB as you deploy similar agents).
• Team Storage is the one thing that's truly shared, and only between agents in the same team deploy. A standalone IT Sysadmin agent and a standalone DevOps agent (deployed separately) have no shared storage — they can only coordinate if you explicitly deploy them together as a team.
• Nothing is shared across accounts. All three storage types are scoped to your account. Your agents and someone else's agents never see each other's data.

Which one should I use?

• Agent remembered something from a past conversation? That's memory_save. Use it for the agent's own running context.
• Multiple agents collaborating on a shared state? Team Storage. Deploy them as a team to get this automatically.
• Looking up reference material (docs, runbooks, policies)? Knowledge Base. Upload the files once; the agent queries them when needed.

👥 Multi-Agent Setups: Teams vs Sub-Agents ~5 minutes

Two ways for agents to get other agents involved — they look similar from the outside but solve different problems. Use the wrong one and you'll either pay for agents you don't need, or fail to persist work that should outlive a single task.

Team Deploy

You decide at deploy time to run multiple agents together. They're all real, long-lived agents that share team storage, can message each other, and each show up on your dashboard.

• How: Pick "Team Deploy" on the deploy page. Select a template (IT Department, Dev Team, etc.) or build a custom team from blueprints.
• Lifecycle: Permanent. Each agent runs 24/7 until you destroy it.
• Storage: Shared team storage via team_storage_* tools. All agents in the team can read/write the same R2-backed namespace.
• Messaging: Agents discover each other via list_agents, talk to each other via message_agent.
• Billing: Each agent counts as a separate deployment. A 5-agent IT Department team = 5 agents against your plan limit.
• Good fit: Ongoing, role-specialized work where the team is the product — an IT Department that monitors, remediates, audits, and reports; a Dev Team where dev-lead delegates to backend-dev + frontend-dev + qa-tester.

Sub-Agents

The agent decides at runtime to spawn a helper for a specific task. The sub-agent lives only long enough to complete the task, inherits the parent's config and credentials, and is gone when it returns the result.

• How: Enable "Sub-Agents" on the parent agent during deploy (or in Settings → Add-ons). The parent agent then uses the sub_agent tool when it wants to delegate.
• Lifecycle: Ephemeral. Spawned when needed, executes one task, dies when done (max 5 minutes). Never appears on your dashboard.
• Storage: None of its own. Inherits the parent's API keys and LLM config. Anything it needs to persist must be returned to the parent, which can then memory_save it.
• Messaging: Parent uses sub_agent tool to send a task, awaits a single response. No peer-to-peer messaging.
• Billing: Runs on the parent's token quota. No new agent on your account.
• Constraint: Sub-agents cannot spawn their own sub-agents (no recursion — prevents runaway chains).
• Good fit: A specialist subtask inside one conversation — "delegate this code review to a sub-agent with a tighter security policy," or "spawn a research sub-agent to summarize these 10 URLs while I finish drafting."

Side-by-side

When to pick which

• "I want a permanent IT team where each agent has a role" → Team Deploy.
• "I want my DevOps agent to occasionally delegate code review to a specialist" → Sub-Agents.
• "I want two agents that collaborate on shared state across days/weeks" → Team Deploy.
• "I want one agent that can break up a complex task into parallel subtasks" → Sub-Agents.
• "I want agents that each handle a different communication channel (Telegram, Slack, email) for the same business" → Team Deploy — different roles, shared state.

Can I use both?

Yes. A team-deployed agent can also have sub-agents enabled — the parent is a permanent team member that occasionally spawns ephemeral helpers. For example: a permanent Dev Lead in a team that occasionally spawns a sub-agent to write and run a throwaway test.

💬 Chat Widget

The Chat Widget lets you embed a customer-facing AI chat on your website. Your visitors see a chat bubble in the corner of your site. When they click it, they can ask questions and get instant answers from your agent.

How it works

1. When you deploy an agent, choose "Website Widget" or "Both" as the deployment mode.
2. After deployment, you get a one-line embed code to paste into your website.
3. The widget loads as a chat bubble in the bottom-right (or left) corner of your site.
4. Visitors click the bubble, type a question, and get a response from your agent.
5. Conversations are stored per-session so visitors can refresh the page and continue where they left off.

Embed code

Add this line to your website, just before </body>:

Replace your-agent-name with the name you chose when deploying.

Customization options

Works everywhere

The widget is a single JavaScript file with no dependencies. It works on any website:

• Static HTML sites
• WordPress, Squarespace, Wix, Webflow
• Shopify storefronts
• React, Next.js, Vue, Angular apps
• Any site where you can add a <script> tag

Security & isolation

• Shadow DOM — the widget's styles are completely isolated from your site. It won't break your layout or CSS.
• Rate limiting — 20 messages per hour per visitor, plus a configurable daily conversation cap to prevent abuse.
• Anonymous sessions — visitors don't need to log in. Sessions are tracked via a token stored in the browser and expire after 24 hours.
• No cookies — the widget uses localStorage, not cookies. No cookie banner needed.

Billing

Widget conversations are billed to the agent owner's account at the same per-message rate as any other channel (Slack, Discord, etc.). There is no extra charge for the widget itself. See the Customer Support pricing section for estimated costs by volume.

🧩 Agent Skills ~3 minutes

Agent Skills are reusable capability packages that extend what your agent can do. Instead of writing long system prompts for every task, you can add pre-built skills from community marketplaces — things like customer onboarding workflows, sales objection handling, data analysis templates, and more.

How it works

1. During deployment, open the 3. Agent Skills section in the configure step.
2. Type a keyword in the search bar (e.g. "customer support", "writing", "research"). Results appear from community skill marketplaces.
3. Click a skill to add it. It appears as a chip below the search bar. Add as many as you need.
4. Alternatively, paste a GitHub URL directly into the search bar to add a custom skill from any public repository.
5. Deploy your agent. Skills are automatically pulled into the agent container and available at startup.

Verified vs. unverified skills

Skills can be cryptographically signed by their authors using Ed25519 signatures. In the deploy wizard and agent dashboard, you'll see:

• ✅ Verified — The skill has a valid Ed25519 signature from the author. The contents haven't been tampered with since signing.
• ⚠️ Unverified — No signature found, or the signature didn't match. The skill may still work fine, but you should review its instructions before deploying.

Skill format

Each skill is a directory containing a SKILL.md file with YAML frontmatter:

---
name: Customer Onboarding
description: Structured onboarding workflow for new customers
---

When a user says they are a new customer, follow these steps:
1. Greet them and ask for their company name...
2. Walk them through account setup...
...

Your agent loads skill names and descriptions at startup (lightweight), then reads the full instructions on-demand when a user's request matches a skill.

🛡️ Custom Security Policies ~5 minutes

By default, every TamaleBot agent runs with a built-in security policy that blocks dangerous commands, sensitive file access, and data exfiltration. For advanced users, you can define custom policies in YAML to tighten or loosen rules for your specific use case.

How it works

Every tool call your agent makes — shell commands, file reads, HTTP requests, SSH, Git, browser actions — passes through the policy engine before execution. The engine checks the action against your rules and either allows it (with an audit log entry) or blocks it immediately.

Writing a custom policy

Create a YAML file with any combination of these fields:

# my-policy.yaml
name: strict-finance

blocked_read_paths:
  - /etc/shadow
  - /etc/passwd
  - ~/.ssh/
  - ~/.aws/credentials
  - .env

blocked_write_paths:
  - /etc/
  - /usr/bin/
  - /sys/

dangerous_command_patterns:
  # Block database destruction
  - 'DROP\s+TABLE'
  - 'DROP\s+DATABASE'
  - 'TRUNCATE\s+TABLE'
  # Block filesystem destruction
  - 'rm\s+-rf\s+/'
  - 'sudo\s+rm'
  # Block exfiltration
  - 'curl.*pastebin'
  - 'curl.*webhook\.site'
  # Custom: block crypto wallet operations
  - 'solana\s+transfer'
  - 'eth\s+send'

# Restrict outbound HTTP to specific domains
allowed_domains:
  - api.anthropic.com
  - api.stripe.com
  - your-internal-api.com

# Restrict SSH access
allowed_ssh_hosts:
  - deploy.yourcompany.com

# Restrict Git operations
allowed_git_repos:
  - github.com/your-org

max_requests_per_minute: 30

Deploying with a custom policy

Set the TAMALEBOT_POLICY_FILE environment variable to point to your YAML file:

TAMALEBOT_POLICY_FILE=/app/config/my-policy.yaml

You can include the YAML file in your agent's knowledge base or mount it into the container. Environment variable overrides (like TAMALEBOT_ALLOWED_SSH_HOSTS) always take precedence over YAML values, so you can use YAML as a base and override specific fields per deployment.

Default policy

If no custom policy file is specified, agents use the built-in default policy which blocks:

• Sensitive file reads (SSH keys, AWS credentials, .env files, Docker/Kube configs)
• System directory writes (/etc/, /usr/bin/, /boot/, /proc/)
• Dangerous commands (DROP TABLE, rm -rf /, chmod 777, fork bombs)
• Data exfiltration (curl to pastebin, ngrok, webhook.site, etc.)
• Homoglyph/IDN domain attacks (mixed Unicode scripts in URLs)

🔐 Skill Signing (Ed25519) ~5 minutes

Skill signing lets authors cryptographically prove that a skill hasn't been tampered with. TamaleBot uses Ed25519 signatures — the same algorithm used by SSH, GPG, and most modern signing systems. This is optional: unsigned skills still work, but verified skills get a trust badge in the deploy wizard and dashboard.

For skill authors: signing your skill

1. Generate a keypair (one time):

   node -e "
     const ed = require('@noble/ed25519');
     const priv = ed.utils.randomPrivateKey();
     const pub = Buffer.from(ed.getPublicKey(priv)).toString('hex');
     console.log('Private:', Buffer.from(priv).toString('hex'));
     console.log('Public:', pub);
   "

   Save both keys somewhere safe. The private key is used to sign; the public key is published with your skill.

2. Sign your SKILL.md:

   node -e "
     const ed = require('@noble/ed25519');
     const fs = require('fs');
     const content = fs.readFileSync('SKILL.md');
     const priv = 'YOUR_PRIVATE_KEY_HEX';
     ed.sign(content, priv).then(sig =>
       fs.writeFileSync('SKILL.md.sig', Buffer.from(sig).toString('hex'))
     );
   "

3. Save your public key:

   echo "YOUR_PUBLIC_KEY_HEX" > SKILL.md.pub

4. Publish all three files in your skill directory:

   my-skill/
     SKILL.md        # The skill instructions
     SKILL.md.sig    # 128-char hex Ed25519 signature
     SKILL.md.pub    # 64-char hex Ed25519 public key

For users: what verification means

When your agent loads a skill at startup, TamaleBot automatically checks for .sig and .pub files. If found and valid, the skill is marked as verified in the system prompt and dashboard. Verification confirms:

• The SKILL.md file hasn't been modified since the author signed it
• The signature was created by someone who holds the private key matching the published public key

It does not confirm the author's real-world identity — for that, check the author's public key against their GitHub profile or marketplace listing.

Alternative Runtimes

TamaleBot can host agents built with other frameworks. You bring your Docker image, we handle infrastructure, security, integrations, and scaling. No LLM API key is needed when selecting these runtimes — they bring their own.

🤖 OpenClaw ~5 minutes

OpenClaw is the most popular open-source AI agent framework (247K+ GitHub stars, MIT license). Deploy your own OpenClaw agent on TamaleBot's managed infrastructure with container isolation, integrations, and audit trails.

What you need

• Nothing! TamaleBot uses the official OpenClaw image by default. If you have a custom image, you can set it after deployment in your agent dashboard.

Steps

1. Go to tamalebot.com/deploy.
2. In Step 1, select OpenClaw Agent.
3. You'll skip straight to Configure — fill in Agent Name (e.g. my-openclaw-bot).
4. Optionally set a system prompt override, or leave blank to use the prompt baked into the OpenClaw image.
5. Connect any integrations you want (Slack, Discord, Telegram, etc.). TamaleBot routes incoming messages to your OpenClaw agent automatically.
6. Review Your Container Resources — you get 1GB RAM (~384MB for your agent), 0.5 vCPU, and persistent workspace storage.
7. Consider enabling Always-On in Add-ons — OpenClaw agents run via Docker-in-Docker, so cold starts take longer than native agents. Always-On keeps your container warm for instant responses (+$3/mo).
8. Click Deploy Agent.

TamaleBot spins up an isolated container, pulls the OpenClaw image, and starts it. Your agent gets its own persistent workspace with all integrations wired up.

What works and what doesn't

The container is great for LLM-powered conversations, tool calls, API integrations, web browsing, file processing, and cron jobs. Most agent tasks are I/O-bound (waiting on LLM APIs), so CPU and RAM are rarely the bottleneck.

Heavy local inference, large ML model loading, image/video processing, or memory-intensive data pipelines will need more resources than the current tier provides. A performance upgrade option is coming soon.

Migrating an existing config

If you have an OpenClaw JSON config, click the "Switching from OpenClaw or NemoClaw?" banner at the top of the deploy page. Paste your config and we'll auto-fill the form — provider, model, API key, and integration tokens are all imported.

⚡ NemoClaw (NVIDIA Enterprise) ~5 minutes

NemoClaw is NVIDIA's enterprise security wrapper around OpenClaw. The setup is nearly identical.

What you need

• Nothing! TamaleBot uses the official NemoClaw image by default. Custom images can be set post-deployment in your agent dashboard.

Steps

1. Go to tamalebot.com/deploy.
2. In Step 1, select NemoClaw Agent.
3. You'll skip straight to Configure — fill in Agent Name and connect integrations.
4. Review Your Container Resources (1GB RAM, ~384MB for your agent, 0.5 vCPU, persistent storage).
5. Consider enabling Always-On (+$3/mo) to avoid cold starts.
6. Click Deploy Agent.

To use a custom NemoClaw image instead of the default, go to your agent dashboard → Settings → Container Image after deployment.

📦 Custom Docker Image ~10 minutes

Run any agent framework — LangChain, CrewAI, AutoGen, or your own code. Just package it as a Docker image that responds to HTTP requests.

What you need

• A Docker image that exposes an HTTP endpoint
• Image pushed to a public or accessible registry
• The port your agent listens on

Steps

1. Go to tamalebot.com/deploy.
2. In Step 1, select Custom Agent.
3. In Step 2 (Runtime), select Custom and enter your Docker image URL (e.g. ghcr.io/yourorg/my-agent:latest).
4. Set the container port your agent listens on (default: 8080).
5. Choose the HTTP contract: TamaleBot (our message format) or OpenAI-compatible (standard chat completions format).
6. In Step 3 (Configure), fill in Agent Name, connect integrations, and review your container resources.
7. Click Deploy Agent.