The browser runtime forAI agents.
Runs locally. Learns from every session. Works with any LLM. Your agent gets a real browser — already logged in, privacy-focused, persistent.
Runs locally. Learns from every session. Works with any LLM. Your agent gets a real browser — already logged in, privacy-focused, persistent.
First, the login wall — headless browsers launch blank, hit MFA and CAPTCHAs, and break before the task starts. But the bigger problem? Mid-task failure with no recovery. Your agent completes 7 of 10 steps, hits an error, and restarts from scratch.
| Standard approach | Pagerunner | |
|---|---|---|
| The login wall | ||
| Sessions | Launches blank, no cookies | Opens your real Chrome profile via CDP |
| Auth state | No cookies, passwords, or history | Inherits all saved credentials |
| Bot detection | MFA / CAPTCHA blocks it | Genuine human browser fingerprint |
| Result | Task fails before it starts | Executes immediately, already authenticated |
| Mid-task failure | ||
| Step 7 fails | Restart from step 1 | Resume from checkpoint at step 5 |
| Browser state | Lost — no saved state | Tabs, cookies, localStorage preserved |
| Site changes | CSS selectors break on redesign | Adapters bridge to internal logic |
| Result | Fragile, unreliable, can't recover | Stable across redesigns, recoverable |
Not a mock. These are actual Pagerunner MCP calls with real Chrome, real auth, real results.
Browser automation that relies only on clicking UI elements breaks every time a site ships a redesign. Site Intelligence lets agents bridge directly to the site's internal logic — bypassing clunky UI entirely or tracking which selectors are stable over time.
register_adapter and generate_adapter to bridge the agent directly to internal site logiccall_site_api for rapid, API-style execution inside the authenticated sessionWhen your agent fails mid-task, it doesn't start over. Checkpoints save complete browser state — tabs, cookies, localStorage, scroll position — so agents resume from where they left off. Not from step one.
save_session_checkpointrestore_session_checkpoint picks up exactly where it stoppedYou log into GitHub, Jira, your staging environment once. Pagerunner saves the authenticated state — cookies, localStorage, session tokens — encrypted with AES-256-GCM, key stored in your macOS Keychain. Every agent call that follows starts already logged in.
A local ONNX NER model runs on your machine before get_content() returns anything to the agent. Emails, names, phone numbers, SSNs, credit cards, and IBANs are replaced with reversible tokens. The LLM works with tokens instead of real data. No anonymization is 100% guaranteed — but it's a significant layer of protection that runs entirely on your machine.
john@co.com → [EMAIL:a3f9], reversible via vaultjohn@co.com → [EMAIL][EMAIL:a3f9] to fill(), real value written to DOMOne daemon process, multiple AI clients, persistent memory outside the LLM context window. Agents remember what they learned across sessions — login patterns, site behavior, task history — without re-discovering it every run.
Start once. Run all day. Sessions survive restarts, context survives across Claude windows.
A background service initializes, sharing one browser state across multiple Claude Code windows and MCP clients simultaneously.
Pagerunner continuously saves the complete browser state — tabs, cookies, localStorage — so nothing is lost between agent interactions.
If the daemon restarts, the system automatically reattaches to the active session via TCP without losing context or requiring manual reconnection.
Manage sessions, control checkpoints, and monitor the daemon entirely from a native Swift companion app — no terminal window required.
Pagerunner is how they solve it — without writing scrapers, managing auth, or babysitting headless Chrome.
Edit CSS, navigate, screenshot, compare to design spec — without touching the browser yourself. Agent closes the loop.
Track competitor pricing, feature pages, and changelog on a schedule. Morning briefing, automatically compiled.
Screenshot feature branches at 375px, 768px, 1440px. Pixel-diff against baseline. Flag regressions before merge.
Track your rankings and competitors'. Surface ranking drops before they hurt traffic. No third-party SaaS required.
Legal, HR, finance workflows where PII can't reach an external LLM. Local ONNX NER + token vault makes it possible.
Queue depths, error counts, certificate expiry — read from dashboards that have no API. Screenshot for audit trail.
Website, LinkedIn, Crunchbase, press in 2 minutes before every call. Agent reads, synthesizes, CRM field updated.
Revenue, support queue, competitor mentions, PR status — all pulled, summarized, waiting in Slack at 8am.
Three layers of protection around your Chrome profile and credentials. Browser automation without guardrails is dangerous — Pagerunner ships with controls most tools never considered.
Blocks navigation to private IPs (RFC1918), loopback, file://, javascript:, and embedded-credential URLs. An agent can't be tricked into leaking internal resources.
Strips hidden elements (display:none, visibility:hidden), HTML tags, and zero-width Unicode characters from page content before it reaches the agent.
All session snapshots and KV store data encrypted at rest. Encryption key stored in macOS Keychain. On Linux, set PAGERUNNER_DB_KEY env var.
Every tool call logged to ~/.pagerunner/audit.log with timestamp, tool name, session, and result. File permissions 0600. Cannot be modified retroactively.
Restrict any session to an explicit list of domains. An agent running a Jira automation can't navigate to Stripe or your internal admin console, even if instructed to.
Before restoring a saved snapshot, Pagerunner verifies the origin matches. A snapshot saved for github.com cannot be injected into a different origin.
Responsible Automation: The anonymize: true flag ensures workflows processing third-party data never leak PII to external LLM providers. GDPR/CCPA compliance without re-engineering your agent.
Blast Radius Containment: Domain allowlisting and SSRF protections prevent autonomous agents from pivoting into internal corporate networks or unauthorized applications — even if the agent is given malicious instructions.
Most browser tools were built for testing. Pagerunner was built for agents.
| Capability | Pagerunner | Computer Use | Playwright MCP | agent-browser | Browserbase |
|---|---|---|---|---|---|
| Action latency | 1–2s | 30–60s | 1–3s | 1–2s | 2–5s |
| Tokens per action | 50–200 | ~2,000 | 50–200 | 50–200 | 50–200 |
| Persistent auth | ✓ Encrypted snapshots | ✗ Re-login every run | ~ Session only | ✓ Auth vault | ~ Managed sessions |
| Checkpoint / recovery | ✓ Resume from checkpoint | ✗ | ✗ | ✗ | ✗ |
| Site adapters | ✓ Stable across redesigns | ✗ | ✗ | ✗ | ✗ |
| PII anonymization | ✓ Local ONNX NER | ✗ | ✗ | ✗ | ✗ |
| Daemon + KV store | ✓ Shared across clients | ✗ | ✗ | ✓ Basic | ✗ |
| CLI parity | ✓ All 44 tools | — | ✗ | ✓ | ✗ |
| Bot detection bypass | ✓ Stealth mode | ✗ Blocked frequently | ~ Headless tells | ~ Basic | ~ Cloud IP |
| SSRF protection | ✓ RFC1918 blocked | ✗ | ✗ | ✗ | ~ Network isolation |
| Audit log | ✓ Append-only | ✗ | ✗ | ✗ | ~ Cloud logs |
| Data locality | ✓ Never leaves machine | ✗ To Anthropic cloud | ✓ Local | ✓ Local | ✗ Cloud execution |
| Cost | Free · Open source | Usage-based | Free | Free | $20–$99/mo |
agent-browser has recently added auth vault and basic daemon support. It still doesn't strip PII or protect against SSRF. · Browserbase is the right choice for 100+ parallel sessions. For developer-scale work, local + free wins.
More comparisons: vs Browser Use · vs Chrome DevTools MCP · vs Project Mariner
Pick your client. Copy. Paste. Done.
A browser automation MCP server that gives your AI coding agent a real Chrome browser. Your agent can navigate, screenshot, click, fill forms, and read content from pages you're already logged into. It runs on your machine, learns from every session through site adapters, and works with any MCP-compatible AI tool.
Yes. Pagerunner is free and open source under the Apache-2.0 license. No subscription, no usage limits, no API keys required.
Any MCP-compatible client: Claude Code, Cursor, Windsurf, Codex CLI, OpenClaw, Gemini CLI, and more. Pagerunner is LLM-agnostic — it's a browser runtime, not tied to any specific AI provider.
Pagerunner itself runs entirely locally — your browser sessions, profiles, cookies, and stored state never leave your machine. However, page content your agent reads is sent to whatever LLM you're using (Claude, GPT, etc.). If you enable PII anonymization, Pagerunner strips sensitive data before it reaches the model, but no anonymization is 100% guaranteed. If you're working with sensitive data and using cloud models, review what your agent sees carefully.
Computer Use takes screenshots and clicks pixels. Pagerunner reads the DOM directly via Chrome DevTools Protocol. For browser-specific tasks, this means sub-second actions (vs 30-60s per screenshot), no token cost for screenshots, and reliable CSS selectors instead of pixel coordinates. Computer Use is better for native desktop apps — Pagerunner is better for everything in a browser.
Playwright MCP is great testing infrastructure adapted for AI. Pagerunner was built for AI agents from the start. The key difference: Pagerunner learns from usage through site adapters and selector tracking, so it gets better over time. Playwright persists cookies — Pagerunner compounds knowledge. Playwright supports cross-browser (Firefox, WebKit); Pagerunner is Chrome-only.
Pagerunner builds site knowledge over time. It tracks which CSS selectors work reliably on each site, discovers API endpoints, and lets you register site adapters — structured rules for interacting with specific sites. This means your agent gets more reliable and efficient the more you use it, instead of starting from scratch every time.
No. The simplest setup is just the MCP server — your AI client launches it on demand. The daemon is optional and adds shared state between clients, session persistence across restarts, multi-agent coordination, and cron scheduling. Start without it, add it when you need it.
Yes. Pagerunner uses a real Chrome browser (not headless) with your actual browser fingerprint. Stealth mode further reduces automation signals. Because it uses your real profiles with existing cookies and history, most sites treat it as a normal browser session.
macOS is the primary platform. Linux support is available but some features (menu bar app, Keychain-backed secrets) are macOS-specific. Windows support is planned.
The browser runtime for AI agents. Runs locally. Learns from every session. Works with any LLM.
Free forever. Open source.