Skip to main content
This guide walks you through setting up cordon to proxy requests to an API — in this case, the Anthropic API — with credentials injected from 1Password. Cordon is project-based — each project gets its own config and routes. Running cordon setup in a project directory creates a cordon.toml there with the project’s route policy, while CA certificates are stored outside the project tree at ~/.config/cordon/projects/<namespace>/certs/ so they are never accidentally committed. If you run Cordon in multiple projects simultaneously, each needs a different port — see setup for details.

1. Run setup

The setup command generates CA certificates, creates a config file, and walks you through adding your first route and secret source — all in one step. 
cordon setup
The wizard will:
  1. Generate CA certificates at ~/.config/cordon/projects/<namespace>/certs/
  2. Create a cordon.toml in the current directory with working TLS paths
  3. Prompt you to add a route (API host, auth type, and secret source)
  4. For keyring-backed routes, show the cordon secret set <route-name> command to store the credential
You can add more routes later with cordon route add, or edit cordon.toml directly.
In non-interactive mode (--yes), setup skips the route wizard. Use cordon route add afterward to configure routes. For keyring-backed routes, also run cordon secret set <route-name> to store the credential — 1Password routes resolve secrets automatically. See Routes for all auth types and Secret Sources for provider configuration.

2. Trust the CA certificate

For HTTPS interception to work, your system needs to trust the proxy’s CA certificate. 
cordon trust
This adds the CA to your system trust store (macOS Keychain or Linux ca-certificates). Most tools — curl, gh, Go, Rust, Python, Ruby — will then trust the proxy automatically.
Node.js does not use the system trust store. You must set the NODE_EXTRA_CA_CERTS environment variable to the absolute path of your CA certificate (the tls.ca_cert_path value from cordon.toml):
export NODE_EXTRA_CA_CERTS=$HOME/.config/cordon/projects/my-app-abc123/certs/ca-cert.pem

3. Start the proxy

cordon start
The proxy starts and fetches secrets from your configured sources. You’ll see output like: 
INFO cordon: listening on 127.0.0.1:6790
INFO cordon: route "anthropic" → api.anthropic.com (bearer)
INFO cordon: health endpoint ready

4. Route traffic through the proxy

In a separate terminal, set the proxy environment variables and run your application: 
export HTTPS_PROXY=http://127.0.0.1:6790
export HTTP_PROXY=http://127.0.0.1:6790
export https_proxy=http://127.0.0.1:6790
export http_proxy=http://127.0.0.1:6790
export NODE_EXTRA_CA_CERTS=$HOME/.config/cordon/projects/my-app-abc123/certs/ca-cert.pem

# Test with curl
curl https://api.anthropic.com/v1/messages \
  -H "content-type: application/json" \
  -H "x-api-key: placeholder" \
  -H "anthropic-version: 2023-06-01" \
  -d '{"model":"claude-sonnet-4-20250514","max_tokens":10,"messages":[{"role":"user","content":"Hi"}]}'
Set these variables in the shell where you run your app (or in a wrapper like a Procfile/direnv), rather than exporting them globally for your entire system unless that is intentional.
Your app does not need to send a real auth header. Cordon injects credentials on matched routes. If an SDK requires an auth header field to be present, send a dummy placeholder and Cordon will strip and replace it.
Testing without system trust: If you haven’t run cordon trust yet, you can test with curl by passing the CA cert directly:
curl --cacert /path/to/ca-cert.pem https://api.anthropic.com/v1/messages ...
The CA cert path is in your cordon.toml under tls.ca_cert_path.

5. Use with a Procfile (optional)

For development, use a Procfile to start the proxy alongside your app: 
proxy: cordon start
web: cordon wait && npm run dev
The cordon wait command blocks until the proxy’s health endpoint reports ready, ensuring your app doesn’t start before credentials are loaded.

Next steps

Claude Code Setup

One-command setup for AI agent workflows

1Password Guide

Detailed 1Password setup and security model

Secret Sources

Configure 1Password and OS keyring

CLI Reference

All CLI commands and options