Skip to main content
Cordon integrates with Cursor so that tools running inside the editor — terminal commands, extensions, MCP servers, and tasks — can make authenticated API calls without holding real credentials.
This integration proxies traffic from tools running inside Cursor, not Cursor’s own AI calls. Cursor authenticates with its backend (*.cursor.sh) via your Cursor subscription — that traffic passes through Cordon as a transparent tunnel and doesn’t need credential injection.

Automated setup

The fastest way to get started: 
cordon setup cursor
This:
  1. Generates CA certificates (if not already present)
  2. Creates a scaffold cordon.yaml
  3. Configures Cursor’s settings.json with http.proxy and terminal environment variables
Your existing settings.json is backed up to settings.json.cordon.bak before any changes are made.

Global setup with background service

To install cordon as a background service that starts automatically: 
cordon setup cursor --global
This additionally installs a launchd (macOS) or systemd (Linux) service so cordon runs in the background without a terminal window.

Remove the setup

cordon setup cursor --remove           # project-scoped
cordon setup cursor --remove --global  # global (also removes background service)

What gets configured

Cordon writes to Cursor’s VS Code-style settings.json:
SettingPurpose
http.proxyRoutes extension and VS Code HTTP traffic through Cordon
terminal.integrated.env.osx (or .linux)Sets HTTPS_PROXY, HTTP_PROXY, NODE_EXTRA_CA_CERTS for integrated terminal sessions

Adding routes

After setup, edit cordon.yaml to add routes for the APIs your tools call. Example for OpenAI: 
routes:
  - name: openai
    match:
      host: api.openai.com
    auth:
      type: bearer
      secret:
        source: keyring
        account: openai
Then store the secret: 
cordon secret set openai --config /path/to/cordon.yaml

Verifying the setup

To test from Cursor’s integrated terminal without running cordon trust, pass the CA cert directly to curl: 
curl --cacert /path/to/ca-cert.pem https://api.openai.com/v1/models -H "Authorization: Bearer dummy"
The CA cert path is shown during setup and can be found in cordon.yaml under tls.ca_cert_path. If Cordon is running with a matching route, the dummy token is stripped and replaced with the real credential.

How it works

Cursor is built on VS Code (Electron/Node.js). The integration uses two complementary mechanisms: http.proxy tells VS Code’s built-in proxy agent to route HTTP requests through Cordon. This covers extensions that use VS Code’s HTTP utilities, marketplace requests, and other VS Code-layer traffic. terminal.integrated.env.osx (or .linux) sets proxy environment variables for integrated terminal sessions. CLI tools, scripts, and processes launched from Cursor’s terminal pick up HTTPS_PROXY and HTTP_PROXY automatically. NODE_EXTRA_CA_CERTS is set in the terminal environment so Node.js tools trust Cordon’s CA certificate. For extensions and the main Cursor process to trust the CA, run cordon trust to add it to the system trust store. Cordon only MITMs connections to hosts with matching routes. All other traffic passes through as a transparent CONNECT tunnel — the upstream server’s real certificate is presented to the client, and no CA configuration is needed for those connections.

Workflow

Once configured, the workflow is:
  1. Start cordon: cordon start (or use the background service)
  2. Open Cursor as usual
  3. Terminal commands and extensions that call configured API hosts get credentials injected transparently
  4. No real API keys in your terminal history, env vars, or extension configs
Use cordon doctor to diagnose any setup issues. It checks config validity, cert paths, trust store status, and port availability.

Troubleshooting

Certificate errors in terminal

If you see SSL certificate problem: unable to get local issuer certificate from curl or similar tools:
  1. Quick fix: Pass the CA cert directly: curl --cacert /path/to/ca-cert.pem ...
  2. Permanent fix: Run cordon trust to add the CA to the system trust store
The CA cert path is in your cordon.yaml under tls.ca_cert_path.

Extensions not routing through proxy

Verify http.proxy is set in Cursor’s settings: 
cat "$HOME/Library/Application Support/Cursor/User/settings.json" | grep http.proxy
Note that extensions using their own bundled HTTP libraries (not VS Code’s HTTP utilities) may not respect http.proxy. They would need HTTPS_PROXY set in the process environment, which requires either cordon trust + launching Cursor from a shell with the var set, or the extension to read VS Code’s proxy configuration.

Terminal not picking up proxy vars

Open a new terminal tab in Cursor after running setup — existing terminals won’t pick up the new terminal.integrated.env settings. Verify: 
echo $HTTPS_PROXY    # should show http://127.0.0.1:6790
echo $NODE_EXTRA_CA_CERTS  # should show path to ca-cert.pem

Proxy not running

cordon status
curl http://127.0.0.1:6790/health

New routes not taking effect

Cordon resolves routes and secrets at startup. If you add or change routes in cordon.yaml, restart the proxy: 
# If running manually
# Ctrl+C, then:
cordon start

# If running as a service
cordon service stop cursor && cordon service start cursor

401 Unauthorized errors

  1. Verify the secret is stored: cordon secret set <route-name> --config /path/to/cordon.yaml
  2. Check the auth type: OpenAI uses type: bearer, Anthropic uses type: api_key with header_name: x-api-key
  3. Restart cordon: Secrets are resolved at startup — if you changed a secret, restart the proxy