First steps
When your deck boots for the first time it walks you through a guided onboarding. Three required steps; everything can be customized later.
Secure your deck
Pick how you want to log in. Passkeys are the recommended path; passwords are the fallback and unlock the encryption vault for stored secrets.
Passkey
Touch ID, Face ID, Windows Hello, or a hardware security key. No password to forget, phishing-resistant by design. Each deck ships with a domain so passkeys "just work" — no IP-address fallback gotcha.
Password
Minimum 12 characters. Setting one also initialises the encryption vault — provider keys, channel tokens, and other secrets get encrypted at rest. You can register a passkey first and add a password later as backup.
Recovery key
When the vault is initialised, your deck shows a one-time recovery key. Save it somewhere safe — a password manager, a sealed envelope, anywhere offline. It's the only way to unlock the vault if you lose access to both your passkey and password. The deck will not show it again.
Lose all three — passkey, password, recovery key — and the encrypted secrets in your vault are unrecoverable. We can re-issue your deck, but the credentials you stored in it are gone.
LLM providers
Bring your own key. A dozen frontier and open-weight providers are wired in — pick by goal, switch any time.
Comparison
| Provider | Top models | Context | Tier | Speed |
|---|---|---|---|---|
| Anthropic | opus-4.8 · opus-4.7 · sonnet-4.6 · haiku-4.5 | 200K–1M | $$$ | Fast |
| OpenAI | gpt-5.5 · gpt-5.4 · gpt-5.4-mini | 1M | $$$ | Fast |
| Gemini | 3.5-flash · 3.1-pro · 3-deep-think | 1M | $–$$ | Very fast |
| DeepSeek | V4-pro · V4-flash · R1 | 1M | $ | Medium |
| Groq | gpt-oss-120b · llama-4-scout · qwen-3-32b | 128K–256K | $ | Very fast |
| xAI | grok-4.3 · grok-build-0.1 | 256K–1M | $$ | Fast |
| Mistral | medium-3.5 · large-3 · small-4 | 128K–256K | $$ | Fast |
| OpenRouter | aggregator (300+) | varies | varies | varies |
| Cerebras | qwen-3-235b · qwen-3-coder · gpt-oss-120b | 131K | $ | Extreme |
| MiniMax | M2.7 · M2.5 | 200K | $$ | Fast |
| Z.AI | glm-5.1 · glm-5 · glm-5v-turbo | 256K | $–$$ | Fast |
| Moonshot | kimi-k2.6 · kimi-k2.5 | 262K–1M+ | $ | Fast |
Anthropic and OpenAI are the most battle-tested for complex tasks. GLM 5.1, Minimax 2.7 and Kimi k2.6 are great for reliable grunt work.
Openrouter has a free model selection. DeepSeek, Minimax, Kimi wins on quality-per-dollar.
Gemini's free tier covers casual exploration. xAI's Grok 4.1 Fast offers 2M context at absurdly low cost. OpenRouter lets you bounce between models without juggling keys.
Add a key
- Settings → LLM Providers. Pick the provider card you want to enable.
- Paste the key. It's encrypted at rest in your deck's vault and redacted from every log surface.
- Choose a default model (optional). Otherwise the deck picks the recommended model for that provider.
- Set fallbacks (optional). If a provider rate-limits or fails, the deck rolls to the next one in your chain.
Identity
Tell your deck who you are and who it should be. Five fields; thirty seconds.
What the agent calls you in conversation. Required.
What you call your deck. Defaults to a generic name — pick something with personality. Required.
A single emoji used as the agent's avatar across the web UI and channels. Optional, defaults to 🤖.
A short personality blurb — "wise owl", "chill fox", "witty robot". The agent leans into it stylistically without losing its head. Optional.
Auto-detected from your browser. Used for scheduling, reminders, and date formatting in replies.
All five are editable from Settings → Identity. Changing the agent name or emoji updates everywhere instantly — including across connected channels.
Channels
One deck, many surfaces. Connect a chat platform once and your deck shows up there with the same memory and tools as the web UI.
| Channel | What you'll need | Highlights |
|---|---|---|
| Telegram | Bot token from @BotFather | Voice ingest · OTP · reactions |
| Discord | Bot token, application ID | Threads · interactive · reactions |
| Matrix | Homeserver + login | Encryption · device verify · OTP |
| MS Teams | App ID + password | Threads · interactive · streaming |
| QR pairing from your phone | Pairing · voice · OTP | |
| Slack | Bot token + app token | Threads · interactive |
| Nostr | Private key (nsec) | Encrypted DMs (NIP-04) |
| Signal | Phone-number registration | DMs · groups · OTP |
Connect a channel
- Settings → Channels → Add. Pick the platform you want to wire up.
- Paste credentials from the platform's developer portal. Each card has step-by-step instructions for that platform.
- Set access policy — who can DM, which groups the bot answers in, whether it responds on every message or only when @mentioned.
- Save. The deck connects in the background. Status flips to connected when it's live.
Access control
Three knobs control who can talk to your bot. Defaults are conservative — DMs require an allowlist, groups require an @mention.
- allowlist — listed users only (default)
- open — anyone
- disabled — silently ignored
- open — all groups (default)
- allowlist — listed rooms only
- disabled — silently ignored
- mention — only on @mention (default)
- always — every message
- none — DM-only
Self-approval (OTP)
Telegram, Discord, Matrix and WhatsApp support OTP self-approval. A user not on your allowlist who DMs the bot gets a one-time code prompt; the code shows up in Channels → Senders in your deck. Approve and they're added — three failed attempts trigger a five-minute cooldown.
An empty allowlist with DM policy = allowlist blocks everyone. Removing the last entry never silently switches to open access — that's a security feature, not a bug.
Import // coming soon
Coming from OpenClaw, Hermes, or Claude Code? Import support is planned — export your data and upload it via your Nebula Deck dashboard.
What will be importable
Agent name, theme, persona configuration.
API keys for already-configured LLM providers.
Custom prompt templates and tool wrappers.
Long-term memory files and recall index.
Connected Telegram / Discord / Matrix accounts.
Past conversation history.
Working files the agent had access to.
Each category will be a checkbox — pick what you want, leave the rest. Categories that aren't available in your export will be greyed out automatically.
Imports are transferred to your Nebula Deck instance and do not stay on our servers.
If you have multiple agents in your source install, non-default ones come over as separate personas on your deck — same provider keys, different identity.
Shell & coding
Your deck runs code and shell commands natively — inside its own sandboxed container, no worker needed. This is where most day-to-day work happens.
What runs inside the deck
Shell commands execute directly inside your deck's sandboxed container. The container itself is the sandbox — restricted syscalls, capped resources, isolated networking. No Docker-in-Docker, no nested VMs.
Write and edit code
Ask your deck to write a function, fix a bug, refactor a file. The LLM generates the code; tools write it to disk. Works with any language your provider model supports.
Run scripts and commands
Shell execution is native — python script.py, node index.js, curl, file operations, text processing. Output returns to chat.
Cron jobs and webhooks
Schedule recurring tasks or trigger actions on external events. Your deck runs them inside the sandbox automatically — morning briefings, data collection, report generation.
Self-extending capabilities
Your deck writes its own skills at runtime — reusable prompt templates and tool wrappers that persist across sessions. Teach it once, use it forever.
When to use the deck vs a worker
- Quick code edits and single-file changes
- Running scripts and shell commands
- Web search and data fetching
- Cron jobs and automations
- Conversational coding (ask → edit → review)
- Full repo cloning + multi-file engineering
- Installing dependencies (npm, pip, apt)
- Running full test suites
- Autonomous plan → code → test → PR loops
- Browser automation (JS-heavy sites)
If the task fits in a conversation (you ask, the deck does, you review), use the deck. If the task needs its own environment — cloning a repo, installing packages, iterating autonomously — spawn a worker.
MCP servers
The Model Context Protocol lets you bolt external tools onto your deck. Plugins for the agent age — your deck speaks both stdio and remote HTTP transports.
Functions the agent can call
File ops, API calls, search, anything you can wrap in a JSON schema.
Data the agent can read
Files, database records, config — exposed as addressable URIs.
Reusable prompt templates
Pre-baked instructions you can summon by name from any chat.
Add a server
- Settings → MCP Servers → Add.
- Pick a transport. Remote HTTP for hosted MCP servers (Linear, Atlassian, custom). stdio for npm-package servers your deck spawns as a child process.
- Paste the URL or command. Headers and arguments are accepted; secrets are stored encrypted and redacted from every status view.
- Save. Tools appear alongside built-ins within seconds.
For remote servers, secrets in URLs and headers can reference ${ENV_NAME} placeholders that resolve from Settings → Environment Variables on your deck. The UI only ever shows back a sanitized URL plus header names — never raw values.
OAuth-protected servers
If a remote MCP server requires OAuth 2.1, the deck handles it transparently. On the first 401, it discovers the auth server, registers a client, and pops a browser window for you to log in. Tokens are cached — you only authenticate once per server. If a session expires later, the deck re-authenticates automatically on the next 401.
Lifecycle
- Boot. The deck launches the server (stdio) or opens a connection (remote).
- Initialize. Capabilities are exchanged; tools become available to the agent.
- Run. Tool calls flow on demand. Heartbeats keep the link alive.
- Recover. A crash triggers a restart with exponential backoff. After repeated failures the server is parked and re-enabled later.
MCP servers run inside your deck with access to its tools. Vet third-party servers, scope filesystem access narrowly, and keep an eye on what they expose to the agent. The convenience cuts both ways.
Voice — TTS & STT
Speak to your deck, hear it back. Wire up a voice provider and the microphone button appears in the chat — same flow on the web UI as on Telegram or WhatsApp voice notes.
- ElevenLabs premium neural voices
- OpenAI TTS alloy / nova / shimmer / …
- Google Cloud TTS neural2 voices, 40+ languages
- OpenAI Whisper accurate, broad language support
- Groq Whisper whisper-large-v3-turbo, very fast
- Deepgram nova-3 with smart formatting
- Mistral Voxtral multilingual, 13 languages
- Google Cloud Speech long-form, broad locales
If your provider key already covers TTS or STT (e.g. an OpenAI key), the deck auto-detects it — no extra setup required.
Auto-speak modes
Speak every reply.
Default — never auto-speak.
Only when you sent voice.
Only with explicit [[tts]].
Personas
A persona is a named, reusable voice identity. It bundles a provider-neutral prompt — profile, style, accent, pacing — with per-provider bindings (voice id, model, stability). One active persona at a time, applied to every TTS call automatically.
{
"id": "alfred",
"label": "Alfred",
"prompt": {
"profile": "A wise British butler with dry wit",
"style": "Measured, deliberate, slightly amused",
"accent": "Received Pronunciation",
"pacing": "Unhurried, with dramatic pauses"
},
"providerBindings": [
{ "provider": "openai", "voice_id": "cedar", "model": "gpt-4o-mini-tts" },
{ "provider": "elevenlabs", "voice_id": "21m00Tcm4TlvDq8ikWAM", "stability": 0.65 }
]
}Providers that accept free-form instructions (OpenAI gpt-4o-mini-tts, Gemini TTS) get the full prompt. ElevenLabs and Google Cloud apply only the binding overrides.
Calendars · CalDAV
Read events, schedule meetings, move appointments around — straight from chat. Fastmail and iCloud auto-discover; any other CalDAV server (Nextcloud, Radicale, etc.) works with a base URL.
Connect an account
- Settings → Calendars → Add account.
- Pick the provider. Fastmail and iCloud only need a username and an app-specific password — never your main account password.
- Generic CalDAV? Paste the base URL (e.g.
https://cloud.example.com/remote.php/dav) along with credentials. - Save. Multiple accounts are fine — pick one as the default, the agent will ask which to use otherwise.
Operations
| Operation | What it does | Notes |
|---|---|---|
| list_calendars | Enumerate calendars on an account | Returns name, color, description |
| list_events | Events in a calendar, optional date range | ISO 8601 start / end |
| create_event | Add a new event | Supports all-day, location, notes |
| update_event | Edit an existing event | ETag-locked — no silent overwrites |
| delete_event | Remove an event | Also requires current ETag |
Updates and deletes use ETag-based optimistic concurrency. If you edited the event from your phone since the agent last fetched it, the server rejects the write — the agent re-reads and retries instead of clobbering your change.
Example
"What's on my calendar this week?"
Lists calendars, queries events for the current week, replies with a summary.
"Move the dentist to Friday at 2pm."
Updates the event, confirms back in the same thread.
Worker containers
When a task outgrows the deck, spawn an isolated container. It gets its own resources, does the heavy lifting, and shuts down when done.
Why workers exist
Your deck runs in a 512MB container with 10GB storage. That's plenty for everyday work — chat, coding, scripting, automations. But some tasks need more:
Heavy workloads
Cloning a large repo, installing node_modules, running test suites — these can eat gigabytes of RAM and disk. Workers get 1-3GB RAM in their own container so your deck stays responsive.
Multi-step engineering
OpenHands workers run an autonomous agent loop — plan, edit, test, iterate on failures, manage branches, push PRs. They work through problems without you steering each step.
Throwaway environments
A worker can install broken packages, corrupt files, or fill its disk — and it doesn't matter. When done, the container is destroyed. Your persistent workspace is untouched.
Worker types
| Type | What it does | Rate |
|---|---|---|
| OpenHands headless | Autonomous coding: clones repo, plans, edits, tests, opens PR. Events stream to your chat. | $0.05/hr |
| OpenHands GUI | Same as headless + web-based VSCode and browser. Watch live, take over the terminal, pair-program. | $0.15/hr |
| Browser session | Isolated Chromium for scraping, form automation, screenshots, JS-heavy sites. | $0.05/hr |
All workers are billed per second with a 60-second minimum. The meter stops the moment the container shuts down.
Spawning a worker
Workers are always explicit — your deck never spawns one on its own. Two ways to trigger:
Tell your deck what you want done: "Fix the auth bug in login.go." If the task needs a worker, the deck asks for confirmation before spawning.
The chat input row has a worker button. Click it, describe the task, pick headless or GUI, confirm.
During a run
Events stream back to your chat in real time — you can see what the worker is doing, ask it questions, or tell it to change direction. If the worker gets stuck, it asks you and waits. You're never locked out.
Compute tiers
Workers require a compute tier subscription. Each tier bundles a monthly credit and a concurrency limit:
| Tier | Price | Concurrent | Credit |
|---|---|---|---|
| Developer | $15/mo | 3 | $10 |
| Studio | $39/mo | 5 | $35 |
| Observatory | $99/mo | 10 | $100 |
Each tier includes the $7 deck. If you exceed your credit, compute keeps running at the same rate — overage appears on your next bill. Set a hard spending cap in your dashboard if you want one.
The $7 deck handles chat, coding, scripting, web search, cron jobs, webhooks, MCP tools, and voice natively. Compute tiers are for when you need isolated worker containers. Many users never need one.
Browser automation
Full Chrome DevTools Protocol control — fill forms, click buttons, screenshot SPAs, run JS in page context. Use it when a static fetch isn't enough.
When a task needs JavaScript rendering or page interaction, your deck provisions an isolated browser session on demand. Chrome boots in its own container, connects via CDP, and is reaped when idle. Nothing to install, nothing running when you're not using it.
What the agent can do
Open a URL, create a session.
Extract interactive elements with stable refs.
Click an element by ref number.
Send text into an input by ref.
Scroll the page or a specific element.
Run arbitrary JS in page scope.
Block until a selector or ref appears.
PNG capture, optionally full-page.
Element references
Snapshots return numbered refs instead of CSS selectors. References survive minor markup changes, never expose fragile path strings to the model, and identify elements by role + content rather than DOM position.
{
"ref_": 1,
"tag": "button",
"role": "button",
"text": "Submit",
"aria_label": "Submit form",
"visible": true,
"interactive": true,
"bounds": { "x": 100, "y": 200, "w": 80, "h": 40 }
}Browser vs. fetch
- Static HTML
- API responses
- Documentation
- SPAs & JS-heavy sites
- Forms, logins, clicks
- Screenshots
Domain restrictions
Want to keep the agent on a leash? Settings → Browser → Allowed domains lets you whitelist sites the browser can navigate to. Wildcards work — *.github.com matches all subdomains. Anything outside the list is rejected before a request goes out.
Page text reaches the model. A hostile site can try to inject instructions. The allowed-domains list is your strongest defence — pair it with skepticism when the agent reads from sites you don't control.
Isolation & safety
What happens to your deck under the hood — so you know where the trust boundaries are without having to read the source.
Your deck, your container
Every customer gets a dedicated deck instance. No noisy neighbours, no shared state. Encrypted vault for your secrets, never readable from another tenant.
Your deck is the sandbox
Shell commands execute directly inside your deck's gVisor-isolated container — restricted syscalls, capped resources, and no access to the host or other tenants. Browser sessions and coding agents boot in separate ephemeral containers with their own isolation.
Trusted-domain allowlist
By default, sandboxed commands have no internet access. Flip on trusted network and add the domains you want — everything else stays blocked, with a full audit trail.
What's hardened by default
Your deck and its compute containers (browser sessions, coding agents) are secured with multiple layers of isolation:
Compute containers run with no Linux capabilities — no raw sockets, no kernel mucking.
no-new-privileges is set, so setuid binaries can't get root inside the sandbox.
Compute containers use read-only root filesystems. Writable space is limited to scoped tmpfs mounts.
Memory, CPU, and process counts are capped per session — a runaway script can't take the deck down.
BIOS, DMI, serial-number paths under /sys are masked so workloads can't fingerprint the host.
Browser sessions and coding agents are reaped automatically when idle, freeing resources without you having to think about it.
Secrets handling
- Encryption at rest vault-backed key storage
- Zeroed on drop no lingering plaintext in memory
- Redacted in logs debug output never leaks values
- Sanitized in UI remote URLs and headers display masked
Need a custom isolation policy or VPC peering for your deck? Talk to us — that's exactly what the higher tiers are for.