Access anything. Expose nothing.

Legba is a disposable browser engine. A real browser, spawned fresh, destroyed on close. No cookies in, no fingerprint left, no trail back. Reach it as an extension, a sandbox, an MCP server, or an API.

MuckerLab · Founder University · Google for Startups · NVIDIA Inception

WHO IT'S FOR

One engine. Three jobs.

Three buyers, one engine. Each gets its own surface.

ACCESS

Access that holds up on hostile sites.

For fintechs on hardened sites. Banks, brokerages, benefits portals. The sites your users hold accounts on fight automation. Headless tools fail where Legba holds.

site-tuned · sub-15s MFA · persistent state

The extension

OPERATE

A browser that does not expose your agents.

For AI companies shipping agents. Your agent logs in, clicks, and transacts. It does that without leaking credentials, getting blocked, or risking your stack.

burn per task · no reach · MCP-native

The API

TEST

Find your exposure before attackers do.

For security teams mapping exposure. Adversary maps your external surface and validates the real exposures: exposed API keys, subdomain takeover, leaked secrets.

validated, not noise · minutes · evidence

Adversary

[ how it works ]

Three calls. One throwaway browser.

Reach Legba through the MCP server, the API, or the SDK. The lifecycle is the same every time. Spawn a scoped session, do the work, destroy it. Nothing persists unless you say so.

[ session lifecycle ]
  1. Spawn a session.

    Pick a geography, scope the reach, set the TTL. The container boots in under 200 ms. Real residential IP, fresh fingerprint.

  2. Do the work.

    An agent, a human, or an MCP client drives. Captchas resolve in-session. MFA codes arrive in seconds. The session sees only what you scoped.

  3. Destroy it.

    The TTL hits or you close it. Cookies, storage, tokens, fingerprint: gone. Nothing escapes because nothing is left.

[ ONE ENGINE. FOUR SURFACES. ]

One engine. Four surfaces.

Legba is one engine with many surfaces. The engine is isolation, routing, session spawning, and clean exit. The surfaces are how different people reach it: an extension, an API, an MCP server, an agent. Every session is fresh, isolated, and deniable. No cookies carried in, no fingerprint left behind, no trail back to the operator.

Same isolation. Same access. Different doors.

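import { Sandbox } from "@legba/sandbox"

// 1. Spawn a session: pick a geography, scope the reach, set the TTL.
const sandbox = await Sandbox.create({
  geo: "phoenix-az",
  scope: ["legba.app"],
  ttl: "15m",
})

// 2. Do the work: the agent drives the scoped session.
await sandbox.agent.run(
  "Log in and download my latest statement."
)

// 3. Destroy it: closes the session before the TTL would.
await sandbox.destroy()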

Point the engine at your own surface.

Adversary
Engine spec

What every surface inherits.

Real browser
Full Chromium with GPU rendering, real fonts, real canvas, real WebGL. Not a stealth plugin over headless. Detection vendors see a person.
Real residential IP
Real ISPs. Real cities. Pick the geography the target site expects. Phoenix, Frankfurt, Seoul. Not a datacenter range pretending to be a home.
Smart routing
Sessions spawn in the region you call from, or the one your target needs. Routing rotates around degradation on its own. No manual switching.
Burn on close
Each session is a container. When the TTL hits or you close it, everything inside is destroyed. No state. No logs. No reach. Nothing to leak.
Captcha solving
hCaptcha and reCAPTCHA resolve in-session. No third-party stitching, no copy-paste flows. Your agent never sees the gate.
Anti-bot evasion
We built and broke detection systems before we built Legba. Cloudflare, Incapsula, DataDome. The engine routes around the checks those systems run.

Proof

NVIDIA Inception
MuckerLab
Google for Startups
Founder University
<200ms

spawn latency from a warm pool

2.5x

reliability over datacenter

0

session residue on close

Same engine, every tier.

Start free. Scale to production. Burn-on-close sessions, residential IPs, and the same anti-bot evasion run across every tier.

Tier 01

Free

Prototype, evaluate, and find us in the MCP registry.

$0
  • 30 hours per month
  • 1 concurrent session
  • Datacenter IPs only
  • Basic fingerprint masking
  • Community support
Tier 02 · Most popular

Pro

For solo builders and small teams shipping agents to production.

$499/mo
  • 200 hours per month
  • 10 concurrent sessions
  • Residential IPs in 5 geos
  • MCP and API access
  • Captcha solving included
Tier 03

Production

For agent companies and fintechs running at scale.

$5,000/mo
  • 100 concurrent sessions
  • Unlimited residential IPs, all geos
  • Full MCP, API, and SDKs
  • Site-tuning service
  • Priority support with an SLA
Tier 04

Enterprise

For multi-product platforms and regulated buyers.

Custom
  • Dedicated infrastructure
  • SOC 2 Type II in progress
  • VPC and air-gap options
  • Custom SLAs and terms
  • Named support engineer
FAQ

Things people actually ask.

How is this different from Browserbase or Steel?
Each session is contained and disposable by default. The work runs off your stack and is destroyed on close, so a prompt injection or a leaked token has nowhere to go. We run a real browser on real residential IPs, not headless behind a rented proxy. They sell a browser. We sell isolation.
What is the cold start latency?
Under 200ms from a warm pool, under 2 seconds cold. These are measured per region. The status page is public. We do not quote averages we cannot ship.
How does the MCP integration work?
One config block in your MCP client. The server exposes session creation, navigation, and extraction as tools. Claude, GPT, or any MCP-aware agent gets a real browser without you writing a line of orchestration.
Where do sessions run?
You pick the geography per session. We hold residential capacity across major US, EU, and APAC metros. New regions land regularly. Enterprise gets dedicated regional pools.
Are you SOC 2 compliant?
SOC 2 Type II is in progress, tracked in Vanta. For early enterprise conversations we share our controls and questionnaire responses on request.
What happens to credentials I pass in?
They live inside the session container, scoped to the targets you declare, and are destroyed when the session ends. We do not log them. A persistent session stores an encrypted state blob under your key.
Does this work with LangChain, CrewAI, and the rest?
Yes. There are SDK adapters for the major frameworks plus a Playwright-compatible interface, so existing automation code redirects with minimal change.
What is Legba Adversary?
Adversary is the same engine pointed at your own attack surface. It maps your external assets, validates the real exposures, and returns a client-ready report in minutes. Exposed API keys, subdomain takeover, leaked secrets. Validated findings, not scanner noise.
What about consent and terms of service?
We serve consented-access use cases only. The buyer holds explicit user consent for the sites they reach, and we enforce that at onboarding. Legal exposure sits with the consent architecture, not the platform.

Access anything.
Expose nothing.

Legba is a disposable real browser: it spawns a clean session, does the work, and destroys itself on close.

chromium / real fingerprint · residential ip · burn on close

Real browser. Real IP. Real page. Spawn a session. Do the work. Destroy it. Off your device. Off your stack. Gone on close.