NyxID
Health Uyari
- License — License: Apache-2.0
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 8 GitHub stars
Code Gecti
- Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Gecti
- Permissions — No dangerous permissions requested
This tool acts as an open-source gateway that connects AI agents to public, internal, or local APIs. It proxies requests, securely injects credentials so agents never see raw keys, and automatically wraps REST APIs into MCP tools.
Security Assessment
The system handles highly sensitive data, specifically managing API keys and routing authenticated requests. It relies on an external "Cloud Gateway," requires local nodes to tunnel through NAT (exposing localhost services to the gateway), and inherently makes continuous external network requests. However, the automated light code scan reviewed 12 files and found no dangerous hardcoded secrets, dangerous execution patterns, or excessive permissions. Because it requires trusting a proxy with your credentials and exposing local networks, the overall risk is rated as Medium.
Quality Assessment
The project is licensed under the permissive Apache-2.0 license and was updated very recently (pushed to today). The codebase appears clean based on initial scans. However, community trust and visibility are currently very low. With only 8 GitHub stars, the tool has not been widely peer-reviewed or battle-tested by the broader open-source community.
Verdict
Use with caution: the code is clean and actively maintained, but extremely low community adoption means you are relying on an untested proxy to handle your sensitive API credentials and local network access.
Connect AI agents to any API, anywhere. Securely. Open-source gateway that proxies requests, injects credentials automatically, punches ▎ through NAT to reach localhost services, and wraps REST APIs as MCP tools. Per-agent isolation. Never expose a raw key.
Connect AI agents to any API, anywhere. Securely. Open-source Agent Connectivity Gateway.
NyxID lets your AI agents (Claude Code, Cursor, n8n) reach any API you have,
public or private, and handles all the credentials so your agent never sees
a raw key.
flowchart TD
%% Top clients
A[Claude Code]
B[Cursor]
C[n8n]
%% Gateway
G[NyxID<br/>Cloud Gateway]
%% Destinations
P[Public APIs]
I[Internal APIs]
L[Localhost Services]
%% Flows
A --> G
B --> G
C --> G
G --> P
G --> I
G --> L
%% Styling
classDef client fill:#eef2ff,stroke:#6366f1,color:#111827,stroke-width:1.5px;
classDef gateway fill:#0f172a,stroke:#38bdf8,color:#ffffff,stroke-width:2px;
classDef public fill:#eff6ff,stroke:#3b82f6,color:#111827,stroke-width:1.5px;
classDef internal fill:#ecfdf5,stroke:#10b981,color:#111827,stroke-width:1.5px;
classDef local fill:#fff7ed,stroke:#f97316,color:#111827,stroke-width:1.5px;
class A,B,C client;
class G gateway;
class P public;
class I internal;
class L local;
NyxID proxies requests, injects credentials automatically, punches through
NAT to reach your local services, and wraps any REST API as MCP tools.
What NyxID Does
- Reach anything — public APIs, internal APIs, localhost services via credential nodes (
nyxid node). SSH tunneling (nyxid ssh) reaches remote hosts. No VPN, no port forwarding. - Never expose keys — the reverse proxy injects credentials automatically. Your agent talks to NyxID; NyxID talks to the API with the real key.
- MCP auto-wrap — REST APIs with OpenAPI specs become MCP tools.
nyxid mcp config --tool cursorgenerates the config. Works with Claude Code, Cursor, VS Code, and any MCP client. - Per-agent isolation — each agent gets a scoped token. Agent A accesses Slack and Gmail. Agent B only accesses your internal API. Revoke any session without touching the underlying credentials.
- Full identity layer — OIDC/OAuth 2.0 with PKCE, RBAC, service accounts, transaction approval (Telegram + mobile push), LLM gateway for 7 providers.
Why NyxID
| NyxID | 1Password UA | Cloudflare Tunnel | Keycloak | |
|---|---|---|---|---|
| Open source | Yes | No | No | Yes |
| NAT traversal to localhost | Yes (nyxid node) |
No | Yes (no credentials) | No |
| Credential injection | Yes (any API) | Partner integrations | No | No |
| REST to MCP auto-wrap | Yes | No | No | No |
| Per-agent isolation | Yes | No | No | No |
| OIDC / OAuth 2.0 | Yes | No | No | Yes |
Quick Start
Hosted (closed beta, invitation only)
Sign up at the NyxID console and add the API credentials you want your agents to use. The hosted service is currently in closed beta. Join the waitlist.
Install the CLI and log in:
cargo install --git https://github.com/ChronoAIProject/NyxID.git nyxid-cli
nyxid login --base-url https://nyx.chrono-ai.fun
Self-host
git clone https://github.com/ChronoAIProject/NyxID.git && cd NyxID
cp .env.example .env # edit: set ENCRYPTION_KEY=$(openssl rand -hex 32)
# set INVITE_CODE_REQUIRED=false
docker compose up -d # MongoDB + Mailpit
cargo run -p nyxid & # Backend on :3001
cd frontend && npm i && npm run dev # Frontend on :5173
See docs/DEPLOYMENT.md for production setup.
Connect Your AI Agent
nyxid api-key create --name my-agent # creates an API key for MCP auth
nyxid mcp config --tool claude-code # or: --tool cursor, --tool vscode
Follow the output to add NyxID to your MCP config. Your agent can now call any API you added through NyxID's authenticated proxy — credentials are injected automatically.
NyxID's MCP transport (/mcp) exposes your connected services as tools automatically. Service endpoints are loaded on-demand and mapped to MCP tools you can call from any MCP client.
Reach local services — turn localhost into MCP tools (optional)
Have services behind a firewall? Deploy a credential node to punch through NAT, then expose them as MCP tools your agents can call.
# 1. Connect a node to NyxID (outbound WebSocket, no port forwarding)
nyxid node register --token <reg-token> --url wss://<your-server>/api/v1/nodes/ws
nyxid node credentials add --service my-local-api --header Authorization --secret-format bearer
nyxid node start
# 2. Register the service with NyxID and link it to the node
nyxid node credentials setup --service my-local-api --url http://localhost:8080
# 3. If the service has an OpenAPI spec, import endpoints as MCP tools
nyxid catalog endpoints my-local-api
The node makes an outbound WebSocket connection to NyxID. No port forwarding.
No VPN. Once the service is registered and endpoints are imported, your AI
agents can call it as MCP tools through nyxid mcp config.
Quick Start (with AI assistant)
Paste this into Claude Code, Cursor, or any AI coding assistant:
Help me set up NyxID. Install the CLI (cargo install --git
https://github.com/ChronoAIProject/NyxID.git nyxid-cli), log in with
nyxid login, add my OpenAI API key, and configure MCP so I can use
NyxID-proxied tools from this session.
Use Cases
- Give Claude Code access to your private APIs without sharing keys
- Expose internal microservices to AI agents through a single MCP endpoint
- Secure AI agent access to self-hosted tools (Grafana, Jenkins, n8n) behind your firewall
Resources
| Topic | Link |
|---|---|
| API Reference | docs/API.md |
| Architecture | docs/ARCHITECTURE.md |
| AI Agent Playbook | docs/AI_AGENT_PLAYBOOK.md |
| Credential Nodes | docs/NODE_PROXY.md |
| MCP Integration | docs/MCP_DELEGATION_FLOW.md |
| SSH Tunneling | docs/SSH_TUNNELING.md |
| Security | docs/SECURITY.md |
| Environment Variables | docs/ENV.md |
| Deployment | docs/DEPLOYMENT.md |
| Developer Guide | docs/DEVELOPER_GUIDE.md |
Contributing
We welcome contributions. See CONTRIBUTING.md.
License
Yorumlar (0)
Yorum birakmak icin giris yap.
Yorum birakSonuc bulunamadi