Case Study · Internal Agents

How Z47 deployed secure, production-ready OpenClaw agents to their entire org

One agent per team member. Every credential isolated. Every action traceable. Zero plaintext secrets anywhere in the stack.

Get started →Talk to an engineer

Z47$3.5Bn AUM venture firm·OpenClaw + Scalekit · WhatsApp

agents live across the firm

0 days

design call to full rollout

connectors active

About Z47

An agent-first operating model, built for a firm that moves at founder speed

Z47 is one of India's most active venture firms: $3.5Bn AUM, 100+ companies, 10 unicorns. They leaned into AI agents as infrastructure early, not experimentation.

The bet: every team member gets an agent that knows their context, inbox, and data. WhatsApp as the interface, since the firm already lives there. The hard part wasn't adoption. It was running it safely at org scale with real credentials on the line.

✦✦

Z47

One agent per personOwn session, own accounts. WhatsApp as interface.

ASRKVMPN+20

25 agents in productionone per team member, firm-wide

"Context-switching was the bottleneck. Now each of us has an agent that already knows the tools and conversations."

25 agents20+ appsWhatsApp-native

What the agents do

A personal AI, on WhatsApp

A team member sends a message. Their agent, running in its own session on their own accounts, handles it. Click a category to see an example.

01Deal motion→02Inbox management→03Research→04Operations→

Pull a portfolio summary

Agent reads their Attio pipeline and drafts a summary from their deals, not shared data.

WhatsApp"Update on active Series B talks."

AttioAffinity

Catch up on email

Agent reads their Gmail or Outlook and surfaces threads that need a response. Actions are attributed to them.

WhatsApp"What did I miss from founders this week?"

GmailOutlook

Pre-meeting intelligence

Agent pulls Notion notes, Affinity relationship history, and live web context via Brave Search.

WhatsApp"Brief me on [founder] before my 3pm."

NotionAffinityBrave

Log work and projects

Agent updates Harvest entries, files them under the right project, as the person who sent the message.

WhatsApp"Log today's founder calls to Harvest."

HarvestCalendar

Architecture

OpenClaw routes and executes. Scalekit handles everything else.

The architecture separates concerns cleanly. OpenClaw routes incoming messages and runs each agent in its own sandbox. Scalekit handles the auth: identity, credential vault, and tool calls into every connected service.

Team members message a shared WhatsApp number. Every action is scoped to them: their credentials, their accounts, their permissions. Nothing shared, nothing crossed.

The sandbox holding your agent never touches a real token. It holds only a Scalekit client ID. Scalekit resolves the rest at runtime.

Message-to-action flow

team member
sends message

①message

→

OpenClaw

lookup phone number
route to sandbox
spin up if needed
pass message in

②route + isolate

→

Sandbox

per employee

holds: client_id only
no tokens or secrets
calls Scalekit SDK

③call w/ client ID

→

Scalekit

auth + tools

resolve user identity
fetch scoped token
execute tool call
return result
log audit event
per-agent rate limits

④resolve + execute

→

Notion

Harvest

Gmail

Granola

Attio

Brave

Affinity

Outlook

20+ more

⑤connected services

OpenClaw routes and isolates

OpenClaw identifies the sender's phone number, routes to their isolated sandbox, and spins it up if needed. The agent reasons about the task and makes tool calls scoped entirely to that user. No cross-agent visibility. No shared state.

Scalekit secures and executes

The sandbox holds only a Scalekit client ID. No tokens, no API keys, no shared secrets. Scalekit validates delegated auth, enforces scoped permissions, executes the tool call, and returns a clean result. The agent never touches a credential directly.

Connected services

Every agent connected to the tools that person actually uses

Each team member's agent connects to their own accounts across every service, not shared service accounts. Scalekit manages the OAuth tokens, scopes, and refresh cycles per user, per app.

CRM & Pipeline

Relationship intel

Deal history, portfolio contacts, and pipeline signals. Queried and updated as each individual user, with their permissions.

Attio

Affinity

Communications

Mail & calendar

Reads, drafts, and sends from each person's own inbox. Actions are scoped to their OAuth-granted account, fully attributable.

Gmail

Outlook

Knowledge

Research & notes

Deal memos and portfolio intelligence from Notion. Live web research via Brave. Meeting summaries from Granola.

Notion

Brave

Granola

Operations

Time & projects

Project context and time tracking via Harvest. New connectors added on demand as the firm's tool stack evolves.

Harvest

On demand

First-time authorization

From zero to connected in minutes, over WhatsApp

No IT ticket. No admin intervention. No hardcoded tokens. When a new team member sends their first message, the agent handles the entire onboarding flow over WhatsApp.

Message arrives

Team member sends a message. OpenClaw creates their sandbox. Agent identifies a tool that hasn't been authorized yet.

Magic link generated

Scalekit generates a per-user, per-service magic link. The agent sends it back over WhatsApp.

OAuth completed

User taps the link, completes the OAuth flow in their browser. Scalekit captures and stores the token scoped to their account.

Agent proceeds

From here on, every call for that service uses their credentials automatically. No repeat steps. No maintenance overhead.

Security model

Isolated by design. Bounded blast radius.

The original deployment had a structural gap: the central OpenClaw config file contained plaintext credential values any agent could read. A single compromised agent could expose every other agent's keys.

Scalekit closes that gap. Each sandbox gets a unique client ID stored only in its own environment file. No shared config. No cross-agent credential visibility. If an agent is suspended, only that client ID is revoked. Every other agent keeps running.

Z47's framing was direct: at some point, an agent would be compromised. The question wasn't whether. It was how to contain the damage when it happened.

No shared credentials

The central OpenClaw config holds only Scalekit identifiers, never token values. No agent can read another agent's credentials by design.

Per-agent client IDs

Each sandbox gets a unique Scalekit client ID and secret. Suspension is instant and surgical: one ID, one agent, zero collateral.

Full audit trail

Every tool call is logged: which agent, which user, which action, which service. Full visibility into what happened and on whose behalf.

Credential isolation

Session A

Active

a@z47.com

ref_a1x9f2...ref only

Session B

Revoked

b@z47.com

ref_b4m7r8...off

Session C

Active

c@z47.com

ref_c8n2p5...ref only

Revoke one. Others run.

0 of 25 active

Safe

✦✦

Z47

"We'd actually paused rollout because we weren't confident in the security model. Scalekit gave us the identity layer we needed to start again. Every agent now acts as its own user, and we can see and control exactly what each one can do."

Krish BajajSenior Analyst, Tech and AI · Z47

Results

From paused rollout to full org deployment in under a week

From stalled to running across the firm, with credentials handled per person and nothing shared.

agents live, each with a distinct Scalekit identity and isolated credential scope

plaintext secrets in OpenClaw config. All credentials live in Scalekit's vault.

connectors live across CRM, comms, knowledge, and ops, added on demand

The pattern

A blueprint for internal multi-user agents

Z47's deployment is an instance of a pattern any org deploying AI agents internally will need to solve: how do you give every team member their own agent, with their own credentials, permissions, and audit trail, without building custom identity infrastructure from scratch? The answer is a clean separation of concerns. The agent framework handles execution. The identity layer handles everything else.

Agent execution framework

Per-user session isolation behind one WhatsApp number. OpenClaw gives you this out of the box: one process, N isolated agents, no cross-agent state.

Runtime

Credential isolation + delegated auth

Scalekit decouples secret storage from the agent runtime entirely. Sandboxes hold client IDs, not tokens. Scalekit validates auth, enforces scoped permissions, executes tool calls.

Auth

Per-user connected accounts

OAuth managed per user, per app. Every action taken as the person who triggered it, not a shared bot with org-wide access.

Accounts

Without this pattern

✕Shared credentials accessible to every agent

✕One compromised agent = full org exposure

✕No way to suspend one agent without taking everything down

✕No audit trail of who did what

✕Manual onboarding for every new team member

With OpenClaw + Scalekit

✓Zero plaintext secrets anywhere in config

✓Blast radius contained to one client ID

✓One-click suspension, zero collateral

✓Full per-action audit trail, per user

✓Self-serve magic-link onboarding over WhatsApp

✦✦✦

Building internal agents on OpenClaw?

Scalekit handles credential isolation, delegated auth, scoped permissions, and tool calls. Ship production-ready agents without building auth infrastructure from scratch.

Get started free See the docs →