Nyxid
Connect AI agents to any API, anywhere. Securely. Open-source Agent Connectivity Gateway.
NyxID lets your AI agents (Claude Code, Cursor, n8n) reach any API you have, public or private, and handles all the credentials so your agent never sees a raw key.
flowchart LR
subgraph Agents["AI Agents"]
CC[Claude Code]
CU[Cursor]
N8[n8n]
end
subgraph NyxID["NyxID Gateway"]
AUTH[OIDC and API Key Auth]
PROXY[Credential Injection Proxy]
MCP[MCP Tool Wrapping]
end
subgraph Connectivity["Private Reach"]
NODE[Credential Node]
end
subgraph Targets["Connected Services"]
PUB[Public APIs]
INT[Internal APIs]
LOC[Localhost Services]
end
CC --> AUTH
CU --> AUTH
N8 --> AUTH
AUTH --> PROXY
PROXY --> MCP
PROXY -->|Direct proxy| PUB
PROXY -->|Private network| INT
PROXY -->|NAT traversal| NODE
NODE --> LOC
classDef agents fill:#eef2ff,stroke:#4f46e5,color:#111827,stroke-width:1.5px;
classDef gateway fill:#111827,stroke:#22d3ee,color:#ffffff,stroke-width:2px;
classDef tooling fill:#e0f2fe,stroke:#0284c7,color:#0f172a,stroke-width:1.5px;
classDef node fill:#fef3c7,stroke:#f59e0b,color:#111827,stroke-width:1.5px;
classDef targets fill:#ecfeff,stroke:#14b8a6,color:#0f172a,stroke-width:1.5px;
class CC,CU,N8 agents;
class AUTH,PROXY gateway;
class MCP tooling;
class NODE node;
class PUB,INT,LOC targets;
NyxID proxies requests, injects credentials automatically, punches through NAT (Network Address Translation) to reach your local services, and wraps any REST API as MCP (Model Context Protocol) tools.
What NyxID Does
- Reach anything — public APIs, internal APIs, localhost services via credential nodes (
nyxid node). SSH (Secure Shell) tunneling (nyxid ssh) reaches remote hosts. No VPN (Virtual Private Network), no port forwarding. - Never expose keys — the reverse proxy injects credentials automatically. Your agent talks to NyxID; NyxID talks to the API with the real key.
- MCP auto-wrap — REST APIs with OpenAPI specs become MCP (Model Context Protocol) tools.
nyxid mcp config --tool cursorgenerates the config. Works with Claude Code, Cursor, VS Code, and any MCP client. - Per-agent isolation — each agent gets a scoped token. Agent A accesses Slack and Gmail. Agent B only accesses your internal API. Revoke any session without touching the underlying credentials.
- Full identity layer — OIDC (OpenID Connect) / OAuth 2.0 with PKCE (Proof Key for Code Exchange), RBAC (Role-Based Access Control), service accounts, transaction approval (Telegram + mobile push), LLM (Large Language Model) gateway for 7 providers.
See It in Action
The end-to-end loop is short: connect a service to NyxID once, then any AI agent pointed at your NyxID MCP endpoint can use it — without ever seeing the raw API key.
- Add a service in the web console — paste your OpenAI (or Anthropic, GitHub, etc.) key once; NyxID stores it encrypted.
- Wire up your AI tool —
claude mcp add --transport http --scope user nyxid http://localhost:3001/mcp(or one-click install for Cursor in Settings → MCP). - Use it — Claude Code, Cursor, or any MCP client can now call the service through NyxID. The agent sees the response; never the key.
Why NyxID
Other tools solve parts of this — NyxID combines credential injection, NAT traversal, and MCP tooling in one open-source gateway:
| NyxID | 1Password Universal Autofill | Cloudflare Tunnel | Keycloak | |
|---|---|---|---|---|
| Open source | Yes | No | No | Yes |
| NAT traversal to localhost | Yes (nyxid node) | No | Yes (no credentials) | No |
| Credential injection | Yes (any API) | Partner integrations | No | No |
| REST to MCP auto-wrap | Yes | No | No | No |
| Per-agent isolation | Yes | No | No | No |
| OIDC / OAuth 2.0 | Yes | No | No | Yes |
Use Cases
- Give Claude Code access to your private APIs without sharing keys
- Expose internal microservices to AI agents through a single MCP endpoint
- Secure AI agent access to self-hosted tools (Grafana, Jenkins, n8n) behind your firewall
Quick Start
There are two ways to use NyxID — pick the one that fits your situation:
| Hosted | Self-host | |
|---|---|---|
| What it is | We run NyxID for you in the cloud | You run NyxID on your own machine |
| Best for | Getting started quickly, no setup | Full control, private networks, offline use |
| Status | Early access (invite code below) | Open — anyone can run it |
Option A: Hosted (Recommended)
Start using NyxID in under a minute — no Docker, no setup.
- Go to nyx.chrono-ai.fun/register
- Enter invite code:
NYX-FGNY85AF - Sign in with Google, GitHub, or Apple
- Add your first AI Service
Early access — limited to 20 users.
Option B: Self-Host
Run NyxID on your own machine. This sets up three Docker containers (database, backend, frontend) — takes about 2 minutes.
Prerequisites: Docker and a bash-compatible terminal. The nyxid CLI is optional. Full prereqs and disk budgets in docs/QUICKSTART.md.
AI-Assisted (Recommended)
If you have Claude Code, Cursor, or any AI coding assistant open, paste the prompt below into it and it will drive the entire self-host flow for you — preflight, clone, env generation, Docker stack, health check, optional CLI install, login, first credential, and MCP config.
Click to expand the full AI-assisted self-host prompt
I want to self-host NyxID on this machine (the repo is https://github.com/ChronoAIProject/NyxID). Walk me through the full quickstart interactively. If anything fails or I'd prefer to follow the manual steps myself, the full step-by-step with troubleshooting is at https://github.com/ChronoAIProject/NyxID/blob/main/docs/QUICKSTART.md.
- Confirm Docker is installed and running before touching anything (check
git,docker,openssl,curl,docker composev2, anddocker info).- Before cloning or generating anything, check whether NyxID install STATE is present — look for a
./NyxID/.env.devfile OR any Docker volume matchingnyx*_mongodb_data(rundocker volume ls --format '{{.Name}}' | grep -E 'nyx.*_mongodb_data$'— this catches the defaultnyxid_mongodb_dataplus any variant from a renamed checkout). A bare./NyxIDdirectory alone does NOT count as "installed" —uninstall.shleaves the source tree in place, so the directory can exist with no state. If install state is present, stop and tell me the quickstart is a first-time-only install. Ask whether I want to (a) uninstall first — if./NyxIDexists, runcd NyxID && ./scripts/uninstall.sh --yes && cd ..; if only the stale Docker volume is orphaned (checkout was manually deleted earlier), rundocker volume ls --format '{{.Name}}' | grep -E 'nyx.*_mongodb_data$' | xargs -r docker volume rmdirectly. Either path wipes the volume, containers, and (for the script path).env.dev/keys — destroys all NyxID accounts and encrypted credentials. Or (b) keep my existing install and stop here — I can verify it's still running withcurl -sf http://localhost:3001/health. Do not proceed to step 3 until I answer.- If
./NyxIDalready exists (post-uninstall reinstall),cdinto it; otherwise clone the repo into the current directory andcdin. Generate.env.devwith a freshENCRYPTION_KEYandMONGO_ROOT_PASSWORD(setENVIRONMENT=development,INVITE_CODE_REQUIRED=false,AUTO_VERIFY_EMAIL=true, andEMAIL_AUTH_ENABLED=trueso I don't get stuck on email verification or a locked-down signup page), symlink it to.env.production, create the PKCS#1 JWT signing keys underkeys/(with a LibreSSL fallback using-puboutif-RSAPublicKey_outisn't supported), then pull images and start the stack withdocker compose -f docker-compose.yml -f docker-compose.prod.yml --env-file .env.production up -d. Wait up to 90 seconds forhttp://localhost:3001/healthto return 200 — if it times out, tell me to rundocker logs nyxid-backend. If the logs showSCRAM failure: Authentication failed, that means the MongoDB volume has a stale password from a previous install — tell me to run./scripts/uninstall.sh --yes(or, if the checkout is gone,docker volume ls --format '{{.Name}}' | grep -E 'nyx.*_mongodb_data$' | xargs -r docker volume rmto remove any nyx-flavored orphan volume) and retry. Show me the generatedENCRYPTION_KEYso I can back it up.- Tell me to open http://localhost:3000 and register my account (no email verification needed — accounts are auto-verified in dev mode), and wait until I confirm I've done that.
- Ask me whether I want to install the
nyxidCLI. Explain that it's optional, that the installer will pull the Rust toolchain (~300 MB) if I don't have it, and that the first build takes 3–10 minutes and ~1.5 GB of disk. If I say yes, install it using https://raw.githubusercontent.com/ChronoAIProject/NyxID/main/skills/nyxid/scripts/install.sh, thensource ~/.cargo/env, log me in withnyxid login --base-url http://localhost:3001, add my OpenAI key withnyxid service add llm-openai --credential-env OPENAI_API_KEY, and verify withnyxid proxy request llm-openai models. If I say no, walk me through adding the same OpenAI credential in the web console instead.- Finish by connecting my AI tool to NyxID's MCP endpoint at
http://localhost:3001/mcp. For Claude Code:claude mcp add --transport http --scope user nyxid http://localhost:3001/mcp. For Codex:codex mcp add nyxid --url http://localhost:3001/mcp. For Cursor: open Settings > MCP in the web console and click Install to Cursor.
Manual Setup
Prefer to run each step yourself, or need the full troubleshooting guide? The complete manual flow lives in docs/QUICKSTART.md:
- System preflight check — Step 1
- One paste-block install — Step 2
- Register your account — Step 3
- Optional CLI install
- Uninstall & reinstall, orphan volume recovery, and SCRAM failure troubleshooting
Once NyxID is running and you've registered at http://localhost:3000:
Next: Add your first AI Service
For production deployment (TLS, custom domain, email verification), see docs/DEPLOYMENT.md.
Connecting AI Services
The Quick Start above (Hosted and Self-Host) sends you to the Web UI walkthrough. For CLI, AI-driven (Claude Code / Codex / Cursor via MCP), or Direct API (curl, n8n, CI/CD), see docs/connecting-services/. The hub explains the deliverable (HTTP/1.1 200 from a real downstream call), distinguishes external service credentials from NyxID Agent Keys, and links to one walkthrough per path.
Reach Local Services (Optional)
Services behind a firewall? Deploy a credential node to punch through NAT and expose them as MCP tools:
# Register and start a node (outbound WebSocket — no port forwarding, no VPN)
nyxid node register --token <reg-token> --url wss://<your-server>/api/v1/nodes/ws
nyxid node credentials add --service my-local-api --header Authorization --secret-format bearer
nyxid node start
# Register the service and link it to the node
nyxid node credentials setup --service my-local-api --api-url http://localhost:8080
# Import endpoints as MCP tools (if the service has an OpenAPI spec)
nyxid catalog endpoints my-local-api
Resources
| Topic | Link | Description |
|---|---|---|
| Connecting AI Services | docs/connecting-services/ | Add your first (or Nth) AI Service — Web UI / CLI / AI-driven / Direct API |
| Quickstart (manual) | docs/QUICKSTART.md | Step-by-step self-host + troubleshooting |
| Deployment | docs/DEPLOYMENT.md | Start here for production setup |
| AI Agent Playbook | docs/AI_AGENT_PLAYBOOK.md | Start here for agent integration |
| Architecture | docs/ARCHITECTURE.md | System design and data flows |
| API Reference | docs/API.md | Full endpoint documentation |
| Credential Nodes | docs/NODE_PROXY.md | NAT traversal setup |
| MCP Integration | docs/MCP_DELEGATION_FLOW.md | MCP protocol details |
| SSH Tunneling | docs/SSH_TUNNELING.md | Remote host access over WebSocket |
| Security | docs/SECURITY.md | Threat model and hardening |
| Environment Variables | docs/ENV.md | Full config reference |
| Telemetry | docs/TELEMETRY.md | Opt-in usage analytics — hot-swap contract, event taxonomy, consent + GDPR erasure |
| Developer Guide | docs/DEVELOPER_GUIDE.md | Local development setup |
Contributing
We welcome contributions. See CONTRIBUTING.md.
License
Server Config
{
"mcpServers": {
"nyxid": {
"type": "http",
"url": "https://nyx.chrono-ai.fun/mcp",
"headers": {
"Authorization": "Bearer <YOUR_NYXID_API_KEY>"
}
}
}
}Recommend Servers
View AllWrite notes to Flomo