Cordon integrates with Claude Code so your AI agent can make authenticated API calls without holding real credentials.
Automated setup
The fastest way to get started:
cordon setup claude-code
This:
- Generates CA certificates (if not already present)
- Creates a scaffold cordon.yaml
- Configures Claude Code’s settings.json with proxy env vars (HTTPS_PROXY, HTTP_PROXY, NODE_EXTRA_CA_CERTS)
Global setup with background service
To install cordon as a background service that starts automatically:
cordon setup claude-code --global
This additionally installs a launchd (macOS) or systemd (Linux) service so cordon runs in the background without a terminal window.
Remove the setup
cordon setup claude-code --remove
Manual setup
If you prefer manual configuration, set these env vars in Claude Code’s environment:
export HTTPS_PROXY=http://127.0.0.1:6790
export HTTP_PROXY=http://127.0.0.1:6790
export NODE_EXTRA_CA_CERTS=./ca-cert.pem
You can add these to Claude Code’s settings.json:
{
  "env": {
    "HTTPS_PROXY": "http://127.0.0.1:6790",
    "HTTP_PROXY": "http://127.0.0.1:6790",
    "NODE_EXTRA_CA_CERTS": "./ca-cert.pem"
  }
}
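A pre-flight check for the manual setup above, added here as an example and not part of cordon: `check_proxy_env` and `is_loopback_proxy` are hypothetical helper names. It assumes the proxy should stay on a loopback address, as in the values shown, and that NODE_EXTRA_CA_CERTS should name a readable PEM certificate with no private key in it; a relative path like ./ca-cert.pem is resolved against the working directory of the process that reads it.

```shell
#!/bin/sh
# Added example: check_proxy_env / is_loopback_proxy are hypothetical helpers,
# not cordon commands. Run in the shell that will launch Claude Code.

# Succeeds only if the proxy URL's host is a loopback address.
is_loopback_proxy() {
    hostport=${1#*://}; hostport=${hostport%%/*}; hostport=${hostport##*@}
    case $hostport in
        \[*\]*) host=${hostport%%\]*}; host=${host#\[} ;;  # [::1]:6790
        *)      host=${hostport%%:*} ;;                    # host:port
    esac
    case $host in
        localhost|::1) return 0 ;;
        127.*)  # reject names such as 127.0.0.1.example.com
            case $host in *[!0-9.]*) return 1 ;; *) return 0 ;; esac ;;
        *) return 1 ;;
    esac
}

check_proxy_env() {
    rc=0
    for name in HTTPS_PROXY HTTP_PROXY; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "FAIL: $name is not set" >&2; rc=1
        elif ! is_loopback_proxy "$value"; then
            echo "FAIL: $name=$value does not point at loopback" >&2; rc=1
        fi
    done
    ca=${NODE_EXTRA_CA_CERTS:-}
    if [ -z "$ca" ]; then
        echo "FAIL: NODE_EXTRA_CA_CERTS is not set" >&2; rc=1
    elif [ ! -r "$ca" ]; then
        # A relative path such as ./ca-cert.pem depends on the working directory.
        echo "FAIL: $ca is not readable from $(pwd)" >&2; rc=1
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "FAIL: $ca contains no PEM certificate" >&2; rc=1
    elif grep -q 'PRIVATE KEY-----' "$ca"; then
        echo "FAIL: $ca also contains a private key" >&2; rc=1
    fi
    return $rc
}
```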
Trust the CA
If tools used by Claude Code fail with certificate errors:
tls: failed to verify certificate: x509: certificate signed by unknown authority
Add the CA to the system trust store:
Node.js ignores the system trust store, so you still need NODE_EXTRA_CA_CERTS for Node-based tools (this is handled automatically by cordon setup claude-code).
Workflow
Once configured, the workflow is:
- Start cordon: cordon start (or use the background service)
- Start Claude Code as usual
- When Claude Code makes API calls to configured hosts, cordon transparently injects credentials
- Claude Code never sees or logs real API keys
Use cordon doctor to diagnose any setup issues. It checks config validity, cert paths, trust store status, and port availability.