decoy logodecoy
decoy vs 1Password

a password manager — with disposable emails, on-device ai, and ai assistants built in.

1password grants an agent access through an approved vault session. Decoy lets users approve one request or standing access to selected accounts and information, with an expiry or until revoked. every Decoy data access is recorded.

see side by side →
decoy
free for founding members
1Password
$47.88 / yr
raised 33% in march 2026
the password manager basics

everything 1Password does

  • passwords, TOTP codes, and passkeys autofilled across iOS and safari.
  • end-to-end encrypted means even we can't read your data — it can only ever be read on your device, so a breach on our side leaks nothing readable.
  • we tell you when a password of yours shows up in a known breach (checked against HIBP, the standard breach database) and flag weak or reused ones to fix first.
  • move passwords, passkeys, and TOTP seeds from 1password in one tap via apple's credential exchange (CXP) on iOS 26. secure notes, custom fields, and attachments don't move via CXP yet — export those separately if you use them.
what decoy adds

and what 1Password skips

  • a fresh disposable email for every signup, generated on demand. optional personal alias (yourname.decoys.me) lets you invent any prefix on the fly. send + reply from any of them.
  • your inbox never leaves your phone — we use on-device ai so we can pull promo codes, catch 2fa, summarize emails, and extract action buttons, all without shipping your mail to a server.
  • when an ai agent needs a login, Decoy lets the user choose the account and information it can access and for how long. every Decoy data access is recorded.

side by side

where decoy wins, and where it doesn't.

disposable emails
a different email for every signup — so when a site gets breached or starts spamming, you burn the decoy, not your real inbox. send and reply from any of them.
decoy
unlimited, send + receive
1Password
not included
password manager + 2fa
passwords, 2fa codes, and passkeys in one place, autofilled on iOS — so you stop juggling an authenticator app to sign in.
decoy
passwords, TOTP, passkeys
1Password
yes (with TOTP)
end-to-end encryption
end-to-end encrypted means even we can't read your data — it can only ever be read on your device. if we ever got breached, there's nothing readable to steal.
decoy
yes
1Password
yes
migration & import
move your whole vault over in one tap via apple's credential exchange (CXP) — and one tap moves it back out if you change your mind. no csv files, no lock-in.
decoy
CXP import from apple passwords
1Password
CXP export (iOS 26)
on-device ai
your inbox never leaves your phone — we use on-device ai so we can pull out promo codes, catch 2fa automatically, summarize what's new, and flag breach hints, all without shipping your mail to a server.
decoy
iOS 26 foundation models
1Password
no ai
ai agents
when an ai agent needs a login, inbox or personal detail, Decoy lets the user choose the exact accounts and information it can access and for how long. every Decoy data access is recorded.
decoy
MCP + user-controlled access
1Password
MCP via Unified Access (session-scoped, no mobile approvals)

be a nobody. get unlimited perks.

free for founding members. lock it in now.

why we built decoy

i got tired of paying climbing password-manager prices, with every account tied to one permanent email. now i generate a password and a fresh email for every signup. if a site leaks or starts spamming, i delete the decoy and move on. ios autofill and the safari extension do everything i used 1password for.

switch to decoy if…

  • you're tired of every site getting your real email — decoys stop spam, breaches, and tracking at the door.
  • you want passwords, TOTP codes, and passkeys autofilled from one app on iOS.
  • you want promo codes and 2fa pulled out of your inbox automatically — with your inbox never leaving your phone.
  • you want users to choose which accounts and information an ai agent can access, for how long, with every Decoy data access recorded.
  • you don't want to pay $48/yr for a password manager that doesn't do any of this.
or pick 1Password if…
  • you need a native desktop vault on windows or linux today (decoy's app starts on iOS; emails and AI work anywhere).
  • you share a vault with a family or team of 5+.
  • you rely on 1password features decoy doesn't have — travel mode, watchtower, SCIM/SSO for business.

free for founding members

join the waitlist to lock in founding-member status. paid tiers come later — you stay free.

questions

is decoy really free?
yes. free for founding members — anyone on the waitlist now. paid tiers come later, founding members stay free.
can i import my 1password vault into decoy?
yes. 1password ships CXP export on iOS 26 — one tap moves passwords, passkeys, and TOTP seeds into decoy. secure notes, custom fields, and attachments aren't part of CXP yet, so export those separately if you store SSH keys or docs in 1password. decoy imports from apple passwords via the same standard.
does decoy replace my authenticator app (authy, google authenticator)?
yes. decoy stores TOTP seeds and generates live 6-digit codes. when a site asks for a code, iOS autofill offers it straight from the keyboard — no separate authenticator app needed.
does decoy have a safari extension and iOS autofill?
yes. decoy uses iOS autofill for passwords, TOTP codes, and decoy emails, and ships a safari extension that fills fields and creates decoys inline.
1password now has MCP via unified access. isn't that the same thing?
different security models. 1password grants access through an approved vault session. Decoy lets users approve one request or standing access to selected accounts and information, with an expiry or until revoked. every Decoy data access is recorded.
what stops an ai from reading all my emails once i've paired it?
the user chooses. they can approve one request or grant standing access to selected accounts and information for a chosen duration. every Decoy data access is recorded and access can be revoked at any time.
is my data really private?
yes. end-to-end encrypted means even we can't read your data — it can only ever be read on your device. if we ever got breached, there's nothing readable to steal.
does decoy only work on iPhone?
today, yes — the decoy app is iOS (iPhone + iPad) with a safari extension on iOS and macOS. desktop and other platforms are in active development. your decoys already forward to whatever inbox you use on any platform (gmail, outlook, proton), and any ai agent can manage them from any device via MCP.