Cordon fetches credentials from external secret stores at startup. It never stores secrets itself. Two sources are supported.

1Password

Fetches secrets from 1Password vaults using the 1Password CLI (op).
secret:
  source: 1password
  vault: Engineering
  item: Stripe API Key
  field: secret_key
Field   Description
vault   1Password vault name
item    Item name within the vault
field   Field name within the item

Prerequisites

The op CLI must be installed and authenticated before starting cordon:
# Install (macOS)
brew install --cask 1password-cli

# Sign in
op signin
For non-interactive use (CI, services), configure 1Password Service Accounts instead of interactive sign-in.

OS Keyring

Reads credentials from the operating system’s built-in credential store.
secret:
  source: keyring
  service: cordon
  account: stripe-api-key
Field     Description
service   Service name (namespace for the credential)
account   Account name (identifier within the service)

Storing keyring credentials

Use the cordon secret set command to store credentials:
cordon secret set --service cordon --account stripe-api-key
# Prompts for the secret value
You can also use OS-native commands:
security add-generic-password -s cordon -a stripe-api-key -w 'sk_live_...'

Platform differences

macOS Keychain enforces per-application access control. The binary that creates a keychain entry owns it and can read it without prompting. Any other binary triggers a system authorization dialog.

Use cordon secret set to create entries owned by cordon. Entries created by other tools (e.g., the security CLI) will prompt on every proxy startup.

Upgrading cordon changes the binary signature. macOS may prompt for keychain access after an upgrade.
On Linux, cordon uses the kernel keyring (via keyutils) or the Secret Service API (via D-Bus). There are no per-application ACLs — any process running as the user can read entries. Security relies on standard Unix user isolation.

Mixing sources

You can use different secret sources for different routes:
routes:
  - name: stripe
    match:
      host: api.stripe.com
    auth:
      type: bearer
      secret:
        source: 1password
        vault: Engineering
        item: Stripe API Key
        field: secret_key

  - name: internal-api
    match:
      host: api.internal.example.com
    auth:
      type: api_key
      header_name: X-Api-Key
      secret:
        source: keyring
        service: cordon
        account: internal-api-key
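The failure mode the Prerequisites and Platform differences sections describe is a proxy that blocks at startup on a 1Password sign-in or a macOS keychain dialog. The pre-flight script below is an added example, not part of Cordon, that checks each secret reference from the two routes above before cordon is started. It assumes the op CLI v2 `op read` command with `op://vault/item/field` references, the macOS `security` tool, and on Linux the libsecret `secret-tool` with attributes named `service` and `account` (the attribute names are an assumption, not documented here).

```shell
#!/bin/sh
# Added pre-flight check, not part of Cordon. Confirms every secret a
# cordon config references resolves without an interactive prompt, so the
# proxy does not hang on a 1Password sign-in or a keychain auth dialog.
# Assumptions (not from the Cordon docs): op CLI v2 `op read`, macOS
# `security`, and secret-tool attributes named service/account on Linux.

# Compose the 1Password secret reference for a vault/item/field triple.
op_ref() {
  printf 'op://%s/%s/%s' "$1" "$2" "$3"
}

# 0 = resolvable without prompting, 1 = missing/denied, 3 = tool absent.
check_1password() {
  command -v op >/dev/null 2>&1 || return 3
  # With OP_SERVICE_ACCOUNT_TOKEN set, op never falls back to a sign-in prompt.
  [ -n "$OP_SERVICE_ACCOUNT_TOKEN" ] || echo "warn: no service account token; op may prompt" >&2
  op read --no-newline "$(op_ref "$1" "$2" "$3")" >/dev/null 2>&1
}

check_keyring() {
  case "$(uname -s)" in
    Darwin)
      command -v security >/dev/null 2>&1 || return 3
      # Without -w only the item's attributes are read; the per-application
      # ACL dialog is triggered only when the secret data itself is read.
      security find-generic-password -s "$1" -a "$2" >/dev/null 2>&1 ;;
    Linux)
      command -v secret-tool >/dev/null 2>&1 || return 3
      secret-tool lookup service "$1" account "$2" >/dev/null 2>&1 ;;
    *) return 3 ;;
  esac
}

# Dispatch on the config's `source` field; unknown sources return 2.
check_secret() {
  case "$1" in
    1password) check_1password "$2" "$3" "$4" ;;
    keyring)   check_keyring "$2" "$3" ;;
    *)         return 2 ;;
  esac
}

# Run over the two routes from the config above: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  check_secret 1password Engineering "Stripe API Key" secret_key; echo "stripe: $?"
  check_secret keyring cordon internal-api-key; echo "internal-api: $?"
fi
```

A non-zero status for any route means cordon would either fail to fetch that credential or stop to prompt, so fix the entry (or the service account token) before starting the proxy.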