Run any agent (Claude, Codex, custom) on any machine — with no API key on the machine. A secure, self-hosted proxy for models and tools.
Project description
proxyagent
Run any agent — Claude, Codex, custom — on any machine, with no API key on the machine.
A secure, self-hosted proxy for models and tools. Your keys live in one hardened place; every machine holds only a scoped, revocable token.
Agents need model access (and tool access) to do anything. Today that means scattering
real API keys across every machine an agent runs on — a security nightmare. proxyagent
fixes it: stand up one proxy that holds the real credentials, and point every agent at
it. The machine gets a throwaway token; the real key never leaves the proxy.
remote machine proxy (you host) upstream
┌────────────────┐ token only ┌──────────────────┐ real key ┌───────────┐
│ claude / codex │ ───────────► │ proxyagent serve │ ─────────► │ Anthropic │
│ (no real key) │ ◄─────────── │ scope·log·tools │ ◄───────── │ OpenAI │
└────────────────┘ stream └──────────────────┘ └───────────┘
How it works
Every harness honours *_BASE_URL, so the shim is trivial: point the base URL at the
proxy and use the machine token as the "api key." The proxy authenticates the token,
checks its scope, swaps in the real key, forwards upstream, and logs the call. The
machine never sees a real credential.
Quickstart
1. Run the proxy (on a box you control — it holds the real keys):
pip install proxyagent
export ANTHROPIC_API_KEY=sk-ant-… # and/or OPENAI_API_KEY=sk-…
proxyagent serve # prints an admin token + a dashboard at :8080
2. Mint a machine token (scoped + revocable):
proxyagent token new macbook-01 --scope "anthropic:claude-*" --admin pa_admin_…
3. Run any agent on any machine — no real key there:
PROXYAGENT_TOKEN=pa_… proxyagent run claude-code \
--goal "build a SwiftUI todo app" --proxy https://proxy.you.com
# or: proxyagent run codex --goal "fix the failing tests" --token pa_…
Or use any harness directly — just set the env and the proxy does the rest:
export ANTHROPIC_BASE_URL=https://proxy.you.com/anthropic
export ANTHROPIC_API_KEY=pa_… # the machine token, not the real key
claude -p "ship it"
The dashboard
proxyagent serve ships a dashboard at / — mint/revoke tokens, watch live usage and a
full request audit log, see configured providers + proxied tools. Paste the admin token to
open it.
Proxied tools — the same trick, for tools
The proxy can also hold your tool keys and hand agents governed tools — so an agent gets web search (and custom tools) without ever holding the tool's credential.
export TAVILY_API_KEY=tvly-… # web_search uses this; agents never see it
export PROXYAGENT_TOOLS='[{"name":"crm","url":"https://hooks.you.com/crm","headers":{"Authorization":"Bearer …"}}]'
# then send requests with header x-proxyagent-tools: on → tool defs are injected;
# the proxy executes calls to managed tools server-side (keys stay here).
Security model
- Real keys never leave the proxy — read from env, never persisted, never logged, never returned.
- Machine tokens are stored hashed (SHA-256); plaintext shown once. A stolen DB yields nothing usable.
- Scoped (
provider:modelglobs), expiring (TTL), revocable, rate-limited. - Constant-time token comparison; sensitive headers redacted from logs.
- Admin API + dashboard gated by a separate admin token. Run it behind TLS.
SDK
import proxyagent
# host the proxy (embed in your own service):
app = proxyagent.create_app() # ASGI app
# mint tokens programmatically:
admin = proxyagent.Admin("https://proxy.you.com", "pa_admin_…")
token = admin.mint("ci-runner", scope=["anthropic:claude-*"], ttl_seconds=3600)
# run a harness on this machine, no key here:
proxyagent.run("claude-code", goal="build the app",
proxy="https://proxy.you.com", token=token)
Supported harnesses
claude-code, codex, and any custom command (--command "my-agent {goal}"). Adding one
is a few lines — it just needs to respect *_BASE_URL.
License
Apache-2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file proxyagent-0.1.0.tar.gz.
File metadata
- Download URL: proxyagent-0.1.0.tar.gz
- Upload date:
- Size: 18.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.13 {"installer":{"name":"uv","version":"0.9.13"},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3f0b26813fc56374d161ad1d0e3b09111af00127f2a9eae1d882eaa5e000626a
|
|
| MD5 |
3ab0cbdd54c4088176802a28931543af
|
|
| BLAKE2b-256 |
e7fce6d121beaf40b626352c98084d8dbf7a850e0c56275dd0472db6d8947f83
|
File details
Details for the file proxyagent-0.1.0-py3-none-any.whl.
File metadata
- Download URL: proxyagent-0.1.0-py3-none-any.whl
- Upload date:
- Size: 22.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.13 {"installer":{"name":"uv","version":"0.9.13"},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8f1f31c8fc6db0cb7e63189d8c732bdd04186e8f54280bb897be39d254139884
|
|
| MD5 |
e3c7670d00fd0c6d096537a9fcb28850
|
|
| BLAKE2b-256 |
0d71f130fec4a61e772b4555d972cb1bf1869c2efb6760adcfe6c8d180b3c245
|
