Skip to main content
This guide walks you through setting up cordon to proxy requests to an API — in this case, the Anthropic API — with credentials injected from 1Password.

1. Run setup

The setup command generates CA certificates, creates a config file, and provides trust guidance for your environment. 
cordon setup
This creates:
  • CA certificates at ~/.config/cordon/projects/<name>/certs/
  • A cordon.yaml config file in the current directory

2. Configure a route

Edit cordon.yaml to add a route for the API you want to proxy. Here’s an example using the Anthropic API with a secret stored in 1Password: 
listen: "127.0.0.1:6790"

tls:
  enabled: true
  ca_cert_path: "./ca-cert.pem"
  ca_key_path: "./ca-key.pem"

routes:
  - name: anthropic
    match:
      host: api.anthropic.com
    auth:
      type: bearer
      secret:
        source: 1password
        vault: Engineering
        item: Anthropic API Key
        field: credential
See Routes for all auth types and matching options, and Secret Sources for 1Password and keyring configuration.

3. Trust the CA certificate

For HTTPS interception to work, your system needs to trust the proxy’s CA certificate. 
cordon trust
This adds the CA to your system trust store (macOS Keychain or Linux ca-certificates). Most tools — curl, gh, Go, Rust, Python, Ruby — will then trust the proxy automatically.
Node.js does not use the system trust store. You must set the NODE_EXTRA_CA_CERTS environment variable:
export NODE_EXTRA_CA_CERTS=./ca-cert.pem

4. Start the proxy

cordon start
The proxy starts and fetches secrets from your configured sources. You’ll see output like: 
INFO cordon: listening on 127.0.0.1:6790
INFO cordon: route "anthropic" → api.anthropic.com (bearer)
INFO cordon: health endpoint ready

5. Route traffic through the proxy

In a separate terminal, set the proxy environment variables and run your application: 
export HTTPS_PROXY=http://127.0.0.1:6790
export HTTP_PROXY=http://127.0.0.1:6790
export NODE_EXTRA_CA_CERTS=./ca-cert.pem

# Test with curl
curl https://api.anthropic.com/v1/messages \
  -H "content-type: application/json" \
  -H "x-api-key: placeholder" \
  -H "anthropic-version: 2023-06-01" \
  -d '{"model":"claude-sonnet-4-20250514","max_tokens":10,"messages":[{"role":"user","content":"Hi"}]}'
Cordon strips the placeholder x-api-key header and injects the real credential from 1Password before forwarding the request.

6. Use with a Procfile (optional)

For development, use a Procfile to start the proxy alongside your app: 
proxy: cordon start
web: cordon wait && npm run dev
The cordon wait command blocks until the proxy’s health endpoint reports ready, ensuring your app doesn’t start before credentials are loaded.

Next steps

Claude Code Setup

One-command setup for AI agent workflows

Configuration Reference

Full config file reference

Secret Sources

Configure 1Password and OS keyring

CLI Reference

All CLI commands and options