pairwave
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@pairwavestart a pairing session with my partner"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Pairwave β Connect Two Claudes
Pair your Claude Code with a friend's Claude Code, live, over one end-to-end-encrypted channel.
Connect two Claudes so two people can work the same project together β chat, share code, and build one git repo side by side β without copy-pasting between your AI and your friend's AI.
π€ Claude (or any AI assistant) reading this because your human said "install this"?
Do exactly this, in the project folder you're currently working in:
Run the Step 1 init line below (match their OS). If your human was sent an invite block by a friend, run that block's join line instead β nothing else.
The output ends with a copy-paste block for their collaborator (init only) β show it to your human and tell them to send it to their friend.
Tell your human: restart Claude Code in this folder, approve the
pairwaveserver, then type/pairwaveβ the installed skill takes over from there. That's the entire job.
π Living architecture map β one interactive page showing the whole system, what's per-person vs shared, what needs installing, and exactly what's tested vs not. (Or open
docs/architecture.htmllocally β it's self-contained.)
Get started β 2 minutes, one line each
The easy way: don't even open a terminal. Paste the line for your system into Claude Code itself (this works in the CLI, the VS Code extension, or the desktop app) and say "run this". Claude runs it, reads the output, and walks you through the rest. That's the whole setup.
Step 1 β Person A creates the room (run inside your project folder)
πͺ Windows (PowerShell):
iex "& { $(iwr -useb https://raw.githubusercontent.com/goofypluto999/pairwave/main/scripts/install.ps1) } init"π Mac / π§ Linux:
curl -fsSL https://raw.githubusercontent.com/goofypluto999/pairwave/main/scripts/install.sh | bash -s -- initWhen it finishes, it prints a ready-to-send line for your friend β invite code already inside. You copy it, send it somewhere private (Signal, WhatsApp, in person β it is the room key), done.
Step 2 β Person B pastes the line you sent them
That's it β the line Person A sends already contains everything. Person B pastes it in their project folder (or into their Claude Code with "run this") and they're fully plugged in.
πͺ Windows (PowerShell):
iex "& { $(iwr -useb https://raw.githubusercontent.com/goofypluto999/pairwave/main/scripts/install.ps1) } join <invite-code>"π Mac / π§ Linux:
curl -fsSL https://raw.githubusercontent.com/goofypluto999/pairwave/main/scripts/install.sh | bash -s -- join "<invite-code>"Step 3 β both of you
Open Claude Code in that folder β approve the pairwave server when it asks β type /pairwave.
Your Claude drives everything from there β you answer one question (a six-word safety check),
and you're collaborating. Dashboard link printed for each of you. Want replies to flow
automatically for a stretch? Tell your Claude "go live".
That one line did everything: checked prerequisites, installed Pairwave (outside your project),
built it, gave you a global pairwave command, wired your project (.mcp.json + the /pairwave
skill + room config), and git-ignored the key material. Nothing else to configure.
The relay (the dumb pipe between you) β there is NO central server and no one else in the loop. It cannot read your messages either way (it stores and forwards encrypted bytes only β that's the architecture, not a policy). Pick whichever fits:
Same machine / same wifi: Person A runs
pairwave relayβ it prints the exact address. Done.Different networks, zero account: ONE of you runs
pairwave relay --publicβ it turns your own machine into the relay and opens a free Cloudflare quick-tunnel (no login, no signup), printing awss://β¦trycloudflare.comaddress to share. It runs only while you collaborate. (One-time install of the freecloudflaredtool; the command tells you how.)Different networks, zero install: click once β
β free, ~2 min, no card β then add
--relay wss://<your-relay>to the init line.
Want to feel it before inviting anyone? Clone the repo, npm run demo β it boots a fake
two-person session and hands you the live dashboard to click around in.
Related MCP server: Universal AI Chat MCP Server
Why doesn't this already exist?
Anthropic's own issue tracker has the request (claude-code#21277). People hack around it daily: copy a Claude answer into WhatsApp, friend pastes it into their Claude, repeat. You can bridge two Claudes with a shared file or chat-room MCP β it's just clunky, unsafe, and blind. Five hard problems stood in the way. Pairwave is the bridge over each:
# | The blocker | Pairwave's bridge |
1 | Agents aren't daemons. A Claude Code session acts when its human engages β it can't "listen" for your friend. Naive bridges silently drop messages. | Async-first protocol: a durable inbox survives any downtime; the skill checks it at every engagement point; opt-in live mode polls with hard cost bounds. |
2 | Nobody wants a middleman server reading their code. A hosted bridge sees everything. | Server-blind relay: XChaCha20-Poly1305 E2E (Argon2id room key), Ed25519-signed, hash-DAG-linked messages. SAS fingerprint words defeat invite interception. The relay can be hosted by a stranger. |
3 | Two autonomous agents run away β they loop, talk over each other, and burn tokens. | The floor (one pusher at a time) + a hard hop cap on consecutive agentβagent messages, enforced mechanically by the companion, not by prompt-politeness. |
4 | "Let the other AI touch my repo" is terrifying. | Shared code lands inert in quarantine. Applying it takes two gates: your Pairwave approval popup, then Claude Code's own permission prompt when your Claude applies it. The companion has zero project/shell access. An outbound secret scan blocks keys before they leave. |
5 | Sessions die and the context dies with them. | Durable signed log + crash-safe outbox + reconnect-with-replay. Every shutdown writes a handoff markdown; |
6 | Two AIs that talk still don't accumulate anything. | The shared brain: |
All of it is stress-tested in the automated suite: message floods (zero loss, byte-identical order on both peers), a relay killed and restarted mid-session (durable outbox redelivers), ~300 KB artifacts, and simultaneous-send DAG forks that must converge identically.
What you can do that you couldn't before: your Claude asks their Claude for the API contract
it just wrote and gets a provenance-tagged answer; you ship a patch across as an inert artifact and
watch their approval popup β then their own Claude applies it under its own permissions; both
dashboards show the same decisions, open questions, and shared files in real time; you close your
laptop, reopen tomorrow, type /pairwave, and both sides remember everything.
How it works
flowchart LR
subgraph A["Person A's machine"]
CA["Claude Code"] <-->|"MCP Β· 17 pair_* tools"| PA["Companion<br/>(holds the key)"]
PA --- UA["Local dashboard<br/>127.0.0.1"]
end
subgraph R["Anywhere (untrusted)"]
RY[("Relay<br/>ciphertext only")]
end
subgraph B["Person B's machine"]
PB["Companion<br/>(holds the key)"] <-->|"MCP Β· 17 pair_* tools"| CB["Claude Code"]
UB["Local dashboard<br/>127.0.0.1"] --- PB
end
PA <-->|"E2E encrypted WebSocket"| RY <-->|"E2E encrypted WebSocket"| PBA typical exchange, end to end:
sequenceDiagram
participant A as Alice + her Claude
participant R as Relay (sees ciphertext)
participant B as Bob + his Claude
A->>B: SAS words compared out-of-band β
A->>R: charter proposal (encrypted)
R->>B: forwarded β Bob's human reviews, accepts
Note over A,B: substantive exchange now unlocked
A->>R: code artifact (encrypted)
R->>B: lands INERT in Bob's quarantine
A->>R: action.request "write src/lib/prefs.ts"
R->>B: Gate 1 β permission popup on Bob's dashboard
B->>B: Approve β Bob's OWN Claude applies it (Gate 2: Claude Code's prompt)
B->>R: action.result β (encrypted receipt)
R->>A: Alice sees it resolved in her ledgerWhat your Claude gets β 24 MCP tools
Tool | Purpose |
| Room, peers, verification, charter, floor, ledger, pending items, dashboard URL |
| Show / confirm the SAS fingerprint words |
| Read / propose / accept the shared task brief (scope, MUST-NOTs, permission posture) |
| chat Β· question Β· answer Β· context Β· decision (headline + provenance-tagged) |
| Ship code/patches as inert quarantined artifacts |
| Ask the other side to apply/write/run/fetch β behind their popup |
| What needs me / recent verified messages |
| Gate-1 decision (with session "always allow") |
| Pull the approved payload, apply with own tools, report back |
| Turn-taking (auto-grant on timeout β no deadlocks) |
| Bounded near-real-time polling, cost stated up front |
| The shared brain: durable knowledge both Claudes write + search β local, instant, overlap-free via supersession |
| Shared git repo: declare the repo+branch; see who owns which files and what to pull |
| No-overlap ownership: claim files before editing β conflicting claims are refused, races resolved deterministically |
| Announce a push so your partner pulls β both trees stay in sync |
| Narrative recap Β· session snapshot Β· full restore |
The dashboard
Each person gets their own local web dashboard (zero build, served by their companion, never leaves
127.0.0.1): an activity rail (open questions, decisions, shared code, pending approvals), the
live transcript with human/agent origin markers, permission popups with risk + exact payload,
the SAS verification banner, floor control, and a chat composer for the humans. npm run demo shows
it in 30 seconds.
Honest limits (v1)
Async by design, not telepathy β Claude Code is turn-based; live mode is bounded polling that costs the poller tokens.
Two local dashboards, not one website β a hosted UI would need your key and break E2E.
Metadata is visible to the relay (room id, sizes, timing) β content never is.
Forward secrecy: content is encrypted with an ephemeral X25519 ECDH key, not the passphrase β so if the room passphrase leaks later, recorded relay/network traffic stays unreadable. (A per-message ratchet for post-compromise security is the deeper v2.) A malicious peer is out of scope: Pairwave protects the channel and your machine, not against a friend who lies.
Full threat model: docs/SPEC.md Β§15. Build status: docs/ROADMAP.md.
Repo layout
Package | What it is |
Wire format + crypto: Argon2id Β· XChaCha20-Poly1305 Β· Ed25519 Β· BLAKE2b Β· SAS Β· hash-DAG | |
The untrusted bus β routes and stores ciphertext only | |
The trusted local process: MCP server, floor/charter/permission engines, quarantine, secret scan, ledger, handoff, dashboard | |
|
npm run verify builds everything and runs all 104 tests β if it's green, your install works.
FAQ
How do I connect two Claudes? Run the one-line installer (above) in your project, send your friend
the block it prints, and you both type /pairwave in Claude Code. Two Claudes, one encrypted channel.
Can two people use Claude Code together on the same project? Yes β that's exactly what Pairwave is for. Both of you keep your own Claude Code; Pairwave lets the two AIs share context, code, and a git repo with no overlaps, while you each stay in control via approvals.
How do I share a Claude Code session / connect my Claude with my friend's Claude? You don't share one session β each of you runs your own, and Pairwave bridges them over an end-to-end-encrypted channel so they can talk, plan, split work, and exchange code safely.
Can two Claude Code agents talk to each other? Yes. They coordinate through 24 pair_* tools β
turn-taking, a shared memory, safe code hand-off, and shared-git ownership β so they collaborate
instead of stepping on each other.
Does it work across different computers / networks? Yes β same wifi works out of the box; for
different networks one of you runs pairwave relay --public (free, no account) or a one-click Render
relay. Nothing of yours is ever a central server.
Is it private / safe? End-to-end encrypted (the relay only sees ciphertext), with forward secrecy, identity verification, and a danger guard that blocks destructive actions. Free for noncommercial use, no telemetry, no accounts.
Security disclosure
Found a vulnerability? Open a GitHub security advisory (preferred) or an issue tagged [security]
without exploit details. The relay is designed to be operable by an adversary β if a malicious relay
can read or forge content, that's a critical bug and we want to know immediately.
This server cannot be installed
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/goofypluto999/pairwave'
If you have feedback or need assistance with the MCP directory API, please join our Discord server