Manage the routes that tell cordon which hosts to intercept and what credentials to inject.
All cordon route subcommands accept --scope project|user to select which config file they target, matching cordon start and cordon setup. --config and --scope are mutually exclusive — passing both is an error. Resolution:
- --config <path> — explicit path.
- --scope <scope> — resolves to the scope’s default config path (project → $CWD/cordon.toml, user → ~/.config/cordon/cordon.toml).
- Neither flag — defaults to project scope ($CWD/cordon.toml).
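The resolution rules above, written as a shell function so a wrapper script can report which config file a command will touch before it runs. This is an added example, not part of cordon: the function name `cordon_target_config` is hypothetical, `$PWD` stands in for `$CWD`, and only the `--flag value` form shown on this page is parsed.

```shell
#!/bin/sh
# Added example (not cordon's own code): mirrors the documented
# --config/--scope resolution for the cordon route subcommands.

# cordon_target_config ARGS...
# Prints the config path the given arguments would resolve to.
# Returns 2 if --config and --scope are combined, a value is missing,
# or the scope is neither "project" nor "user".
cordon_target_config() {
    config="" scope=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --config|--scope)
                [ "$#" -ge 2 ] || { echo "$1 needs a value" >&2; return 2; }
                if [ "$1" = "--config" ]; then config="$2"; else scope="$2"; fi
                shift 2 ;;
            *)  shift ;;   # every other flag or argument is irrelevant here
        esac
    done

    # Documented rule: passing both flags is an error.
    if [ -n "$config" ] && [ -n "$scope" ]; then
        echo "--config and --scope are mutually exclusive" >&2
        return 2
    fi

    # An explicit path wins when it is the only selector given.
    if [ -n "$config" ]; then
        printf '%s\n' "$config"
        return 0
    fi

    # Neither flag: fall back to project scope.
    case "${scope:-project}" in
        project) printf '%s\n' "$PWD/cordon.toml" ;;
        user)    printf '%s\n' "$HOME/.config/cordon/cordon.toml" ;;
        *)       echo "unknown scope: $scope" >&2; return 2 ;;
    esac
}
```

Calling it with the same arguments you are about to hand to `cordon route add` or `cordon route remove` shows whether the edit lands in the project file or the user file.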
cordon route add
Add a new route. With no flags, launches an interactive wizard that prompts for host, route name, auth type, secret source, and source-specific fields.
Non-interactive mode
Pass flags to skip the wizard. Requires --host, --auth-type, and --source:
```
cordon route add --host api.stripe.com --auth-type bearer --source keyring --account stripe-key
```

| Flag | Description |
|---|---|
| --host | Hostname to match (e.g. api.stripe.com) |
| --name | Route name (defaults to a name derived from the host) |
| --auth-type | bearer, basic, or api_key |
| --source | 1password or keyring |
| --vault | 1Password vault name (requires --source 1password) |
| --item | 1Password item name (requires --source 1password) |
| --field | 1Password field name (requires --source 1password) |
| --account | Keyring account name (requires --source keyring) |
| --username | Username (requires --auth-type basic) |
| --header-name | Custom header name (requires --auth-type api_key, defaults to Authorization) |
| --config | Path to cordon.toml (mutually exclusive with --scope) |
| --scope | project (default) or user — selects which config file to edit |
Examples
```
# Interactive — wizard prompts for everything
cordon route add

# Bearer auth with keyring
cordon route add --host api.openai.com --auth-type bearer --source keyring --account openai

# API key auth with 1Password
cordon route add --host api.anthropic.com --auth-type api_key --header-name x-api-key \
  --source 1password --vault Engineering --item "Anthropic API Key" --field credential

# Basic auth with keyring
cordon route add --host db.example.com --auth-type basic --username admin \
  --source keyring --account db-password

# Custom route name
cordon route add --host api.stripe.com --name stripe-live \
  --auth-type bearer --source keyring --account stripe-live-key

# Add to the user-scope config (~/.config/cordon/cordon.toml)
cordon route add --scope user --host api.openai.com \
  --auth-type bearer --source keyring --account openai
```
After adding a keyring-backed route, store the secret with cordon secret set ROUTE_NAME. 1Password routes don’t need this step — credentials are fetched from 1Password directly.
cordon route list
List all configured routes.
```
cordon route list [--scope project|user] [--config path/to/cordon.toml]
```

| Option | Description |
|---|---|
| --config | Path to cordon.toml (mutually exclusive with --scope) |
| --scope | project (default) or user — selects which config file to read |

```
# List routes in the user-scope config
cordon route list --scope user
```
cordon route show
Show details of a single route.
```
cordon route show NAME [--scope project|user] [--config path/to/cordon.toml]
```

| Argument / Option | Description |
|---|---|
| NAME | Route name to show |
| --config | Path to cordon.toml (mutually exclusive with --scope) |
| --scope | project (default) or user — selects which config file to read |
cordon route remove
Remove a route by name.
```
cordon route remove NAME [--yes] [--scope project|user] [--config path/to/cordon.toml]
```

| Argument / Option | Description |
|---|---|
| NAME | Route name to remove |
| --yes, -y | Skip confirmation prompt |
| --config | Path to cordon.toml (mutually exclusive with --scope) |
| --scope | project (default) or user — selects which config file to edit |