Manage the default and client tokens stored in tokens.toml. Tokens authenticate clients to the local proxy before matched routes inject credentials. Token values are never printed by cordon token; use cordon env for generic clients.

The default token is the general-purpose proxy credential for a Cordon instance. Client tokens are named proxy credentials managed for configured clients such as Claude Code, Codex, Hermes, and OpenClaw. In the current token model, all valid tokens grant the same proxy access; client tokens exist for independent rotation, revocation, setup/remove cleanup, and logging. Workload identity is verified separately.

When enforcement is active, unmatched forwarding still works without a token. If a request does include Proxy-Authorization, Cordon rejects malformed, duplicate, or invalid values before forwarding.

Usage

cordon token <COMMAND> [OPTIONS]

All commands accept one location selector:

| Option | Description |
| --- | --- |
| --scope | Token scope: project (default) or user |
| --config, -c | Resolve token storage from a specific cordon.toml path |

For Hermes and OpenClaw client tokens, omit --scope to use the integration’s default config path (or a legacy user-scope config during migration), or pass --config explicitly. --scope project is rejected for these global app integrations because it would otherwise target the caller’s current directory.

Commands

cordon token list

List configured token names and creation times without printing token values.
cordon token list --scope project

cordon token rotate

Rotate one token or every configured token. Omitting the token name rotates the default token.
cordon token rotate
cordon token rotate default
cordon token rotate codex --scope user
cordon token rotate hermes
cordon token rotate --all
When the token belongs to a supported client (claude-code, codex, hermes, or openclaw), rotation updates that client’s tokenized proxy URL before writing the new token file. Restart any running client process that already inherited the old URL.

cordon token revoke

Revoke a client token.
cordon token revoke claude-code
The default token cannot be revoked; rotate it instead. For supported clients, revoke removes matching tokenized proxy settings from the client config after removing the token from tokens.toml.

Token storage

| Scope | Token file |
| --- | --- |
| Project | ~/.config/cordon/projects/<dirname>-<hash8>/tokens.toml |
| User | ~/.config/cordon/user/tokens.toml |

On Unix, Cordon writes tokens.toml with 0600 permissions and refuses symlinked, wrong-owner, or group/world-readable token files.
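The conditions listed above can be checked independently, for example before starting the proxy or in a host audit. The following is an added example, not Cordon's own code: the function names and finding labels are assumptions, and it walks both storage locations from the table above, for the current user on Unix.

```python
import glob
import os
import stat
import sys

def audit_token_file(path, expected_uid=None):
    """Return a list of problems; an empty list means the file passes."""
    if expected_uid is None:
        expected_uid = os.geteuid()
    try:
        st = os.lstat(path)  # lstat inspects the link itself, never its target
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]  # owner and mode of a link say nothing useful
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not-regular-file")
    if st.st_uid != expected_uid:
        problems.append("wrong-owner")
    # Any group/other bit deviates from 0600 (stricter than readable-only).
    if st.st_mode & 0o077:
        problems.append("group-or-world-accessible")
    return problems

def token_files(config_root):
    """User-scope file plus every project-scope file under config_root."""
    found = [os.path.join(config_root, "user", "tokens.toml")]
    pattern = os.path.join(config_root, "projects", "*", "tokens.toml")
    return found + sorted(glob.glob(pattern))

def audit_all(config_root):
    """Map each token file that exists to its list of problems."""
    report = {}
    for path in token_files(config_root):
        problems = audit_token_file(path)
        if problems != ["missing"]:
            report[path] = problems
    return report

if __name__ == "__main__":
    results = audit_all(os.path.expanduser("~/.config/cordon"))
    for path, problems in results.items():
        status = "FAIL" if problems else "ok"
        print(f"{status:4} {path} {', '.join(problems)}")
    sys.exit(1 if any(results.values()) else 0)
```

The script exits non-zero when any token file fails a check, so it can gate a startup script or a scheduled audit job.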
