Manage the routes that tell cordon which hosts to intercept and what credentials to inject.
All cordon route subcommands accept --scope project|user to select which config file they target, matching cordon start and cordon setup. --config and --scope are mutually exclusive — passing both is an error. Resolution:
--config <path> — explicit path.--scope <scope> — resolves to the scope’s default config path (project → $CWD/cordon.toml, user → ~/.config/cordon/cordon.toml).- Neither flag — defaults to project scope (
$CWD/cordon.toml).
cordon route add
Add a new route. With no flags, launches an interactive wizard that prompts for host, route name, auth type, secret source, and source-specific fields.
Non-interactive mode
Pass flags to skip the wizard. Requires --host, --auth-type, and --source:
cordon route add --host api.stripe.com --auth-type bearer --source keyring --account stripe-key
| Flag | Description |
|---|
--host | Hostname to match (e.g. api.stripe.com) |
--name | Route name (defaults to derived from host) |
--auth-type | bearer, basic, or api_key |
--source | 1password or keyring |
--vault | 1Password vault name (requires --source 1password) |
--item | 1Password item name (requires --source 1password) |
--field | 1Password field name (requires --source 1password) |
--account | Keyring account name (requires --source keyring) |
--username | Username (requires --auth-type basic) |
--header-name | Custom header name (requires --auth-type api_key, defaults to Authorization) |
--config | Path to cordon.toml (mutually exclusive with --scope) |
--scope | project (default) or user — selects which config file to edit |
Examples
# Interactive — wizard prompts for everything
cordon route add
# Bearer auth with keyring
cordon route add --host api.openai.com --auth-type bearer --source keyring --account openai
# API key auth with 1Password
cordon route add --host api.anthropic.com --auth-type api_key --header-name x-api-key \
--source 1password --vault Engineering --item "Anthropic API Key" --field credential
# Basic auth with keyring
cordon route add --host db.example.com --auth-type basic --username admin \
--source keyring --account db-password
# Custom route name
cordon route add --host api.stripe.com --name stripe-live \
--auth-type bearer --source keyring --account stripe-live-key
# Add to the user-scope config (~/.config/cordon/cordon.toml)
cordon route add --scope user --host api.openai.com \
--auth-type bearer --source keyring --account openai
After adding a keyring-backed route, store the secret with cordon secret set ACCOUNT. Use cordon route show NAME to find the keyring account for a route. 1Password routes don’t need this step — credentials are fetched from 1Password directly.
cordon route edit
Edit an existing route. With no flags (other than --scope or --config), launches an interactive editor that pre-fills current values — press Enter to keep a value, or type a new one.
Non-interactive mode
Pass flags to change only specific fields without prompting:
cordon route edit stripe --host api2.stripe.com
| Argument / Flag | Description |
|---|
NAME | Route name to edit (positional, required) |
--host | New hostname |
--auth-type | bearer, basic, or api_key |
--source | 1password or keyring |
--vault | 1Password vault name (requires --source 1password or existing 1password source) |
--item | 1Password item name (requires --source 1password or existing 1password source) |
--field | 1Password field name (requires --source 1password or existing 1password source) |
--account | Keyring account name (requires --source keyring or existing keyring source) |
--username | Username (requires --auth-type basic) |
--header-name | Custom header name (requires --auth-type api_key) |
--config | Path to cordon.toml (mutually exclusive with --scope) |
--scope | project (default) or user — selects which config file to edit |
Partial updates
Non-interactive edit changes only the fields you specify. Unspecified fields keep their current values.
For 1Password sources, you can update individual sub-fields without repeating the others:
# Change only the vault — item and field stay the same
cordon route edit stripe --vault NewVault
Switching secret sources
When switching from one source to another with --source:
- 1password to keyring:
--account defaults to the route name if omitted
- keyring to 1password: requires
--vault, --item, and --field
# Switch from 1password to keyring (account defaults to "stripe")
cordon route edit stripe --source keyring
# Switch from keyring to 1password
cordon route edit stripe --source 1password --vault Eng --item "Stripe" --field token
Examples
# Interactive — pre-fills current values, press Enter to keep
cordon route edit stripe
# Change just the host
cordon route edit stripe --host api2.stripe.com
# Switch auth type (basic requires --username)
cordon route edit stripe --auth-type basic --username admin
# Update keyring account
cordon route edit stripe --account new-stripe-key
# Edit a route in the user-scope config
cordon route edit stripe --scope user
cordon route list
List all configured routes.
cordon route list [--scope project|user] [--config path/to/cordon.toml]
| Option | Description |
|---|
--config | Path to cordon.toml (mutually exclusive with --scope) |
--scope | project (default) or user — selects which config file to read |
# List routes in the user-scope config
cordon route list --scope user
cordon route show
Show details of a single route.
cordon route show NAME [--scope project|user] [--config path/to/cordon.toml]
| Argument / Option | Description |
|---|
NAME | Route name to show |
--config | Path to cordon.toml (mutually exclusive with --scope) |
--scope | project (default) or user — selects which config file to read |
cordon route remove
Remove a route by name.
cordon route remove NAME [--yes] [--scope project|user] [--config path/to/cordon.toml]
| Argument / Option | Description |
|---|
NAME | Route name to remove |
--yes, -y | Skip confirmation prompt |
--config | Path to cordon.toml (mutually exclusive with --scope) |
--scope | project (default) or user — selects which config file to edit |
