NyxID

Connect AI agents to any API, anywhere. Securely. Open-source Agent Connectivity Gateway.

NyxID lets your AI agents (Claude Code, Cursor, n8n) reach any API you have, public or private, and handles all the credentials so your agent never sees a raw key.

flowchart LR
    subgraph Agents["AI Agents"]
        CC[Claude Code]
        CU[Cursor]
        N8[n8n]
    end

    subgraph NyxID["NyxID Gateway"]
        AUTH[OIDC and API Key Auth]
        PROXY[Credential Injection Proxy]
        MCP[MCP Tool Wrapping]
    end

    subgraph Connectivity["Private Reach"]
        NODE[Credential Node]
    end

    subgraph Targets["Connected Services"]
        PUB[Public APIs]
        INT[Internal APIs]
        LOC[Localhost Services]
    end

    CC --> AUTH
    CU --> AUTH
    N8 --> AUTH

    AUTH --> PROXY
    PROXY --> MCP
    PROXY -->|Direct proxy| PUB
    PROXY -->|Private network| INT
    PROXY -->|NAT traversal| NODE
    NODE --> LOC

    classDef agents fill:#eef2ff,stroke:#4f46e5,color:#111827,stroke-width:1.5px;
    classDef gateway fill:#111827,stroke:#22d3ee,color:#ffffff,stroke-width:2px;
    classDef tooling fill:#e0f2fe,stroke:#0284c7,color:#0f172a,stroke-width:1.5px;
    classDef node fill:#fef3c7,stroke:#f59e0b,color:#111827,stroke-width:1.5px;
    classDef targets fill:#ecfeff,stroke:#14b8a6,color:#0f172a,stroke-width:1.5px;

    class CC,CU,N8 agents;
    class AUTH,PROXY gateway;
    class MCP tooling;
    class NODE node;
    class PUB,INT,LOC targets;

NyxID proxies requests, injects credentials automatically, punches through NAT (Network Address Translation) to reach your local services, and wraps any REST API as MCP (Model Context Protocol) tools.

What NyxID Does

• Reach anything — public APIs, internal APIs, localhost services via credential nodes (nyxid node). SSH (Secure Shell) tunneling (nyxid ssh) reaches remote hosts. No VPN (Virtual Private Network), no port forwarding.

• Never expose keys — the reverse proxy injects credentials automatically. Your agent talks to NyxID; NyxID talks to the API with the real key.

• MCP auto-wrap — REST APIs with OpenAPI specs become MCP (Model Context Protocol) tools. nyxid mcp config --tool cursor generates the config. Works with Claude Code, Cursor, VS Code, and any MCP client.

• Per-agent isolation — each agent gets a scoped token. Agent A accesses Slack and Gmail. Agent B only accesses your internal API. Revoke any session without touching the underlying credentials.

• Full identity layer — OIDC (OpenID Connect) / OAuth 2.0 with PKCE (Proof Key for Code Exchange), RBAC (Role-Based Access Control), service accounts, transaction approval (Telegram + mobile push), LLM (Large Language Model) gateway for 7 providers.

See It in Action

The end-to-end loop is short: connect a service to NyxID once, then any AI agent pointed at your NyxID MCP endpoint can use it — without ever seeing the raw API key.

1. Add a service in the web console — paste your OpenAI (or Anthropic, GitHub, etc.) key once; NyxID stores it encrypted.

2. Wire up your AI tool — claude mcp add --transport http nyxid http://localhost:3001/mcp (or one-click install for Cursor in Settings → MCP).

3. Use it — Claude Code, Cursor, or any MCP client can now call the service through NyxID. The agent sees the response; never the key.

Why NyxID

Other tools solve parts of this — NyxID combines credential injection, NAT traversal, and MCP tooling in one open-source gateway:

Use Cases

• Give Claude Code access to your private APIs without sharing keys

• Expose internal microservices to AI agents through a single MCP endpoint

• Secure AI agent access to self-hosted tools (Grafana, Jenkins, n8n) behind your firewall

Quick Start

There are two ways to use NyxID — pick the one that fits your situation:

Option A: Hosted (Recommended)

Start using NyxID in under a minute — no Docker, no setup.

1. Go to nyx.chrono-ai.fun/register

2. Enter invite code: NYX-FGNY85AF

3. Sign in with Google, GitHub, or Apple

4. Add your first AI Service

Early access — limited to 20 users.

Option B: Self-Host

Run NyxID on your own machine. This sets up three Docker containers (database, backend, frontend) — takes about 2 minutes.

Prerequisites: Docker and a bash-compatible terminal. The nyxid CLI is optional. Full prereqs and disk budgets in docs/QUICKSTART.md.

AI-Assisted (Recommended)

If you have Claude Code, Cursor, or any AI coding assistant open, paste the prompt below into it and it will drive the entire self-host flow for you — preflight, clone, env generation, Docker stack, health check, optional CLI install, login, first credential, and MCP config.

I want to self-host NyxID on this machine (the repo is https://github.com/ChronoAIProject/NyxID). Walk me through the full quickstart interactively. If anything fails or I'd prefer to follow the manual steps myself, the full step-by-step with troubleshooting is at https://github.com/ChronoAIProject/NyxID/blob/main/docs/QUICKSTART.md.

1. Confirm Docker is installed and running before touching anything (check git, docker, openssl, curl, docker compose v2, and docker info).

2. Before cloning or generating anything, check whether NyxID install STATE is present — look for a ./NyxID/.env.dev file OR any Docker volume matching nyx*_mongodb_data (run docker volume ls --format '{{.Name}}' | grep -E 'nyx.*_mongodb_data$' — this catches the default nyxid_mongodb_data plus any variant from a renamed checkout). A bare ./NyxID directory alone does NOT count as "installed" — uninstall.sh leaves the source tree in place, so the directory can exist with no state. If install state is present, stop and tell me the quickstart is a first-time-only install. Ask whether I want to (a) uninstall first — if ./NyxID exists, run cd NyxID && ./scripts/uninstall.sh --yes && cd ..; if only the stale Docker volume is orphaned (checkout was manually deleted earlier), run docker volume ls --format '{{.Name}}' | grep -E 'nyx.*_mongodb_data$' | xargs -r docker volume rm directly. Either path wipes the volume, containers, and (for the script path) .env.dev/keys — destroys all NyxID accounts and encrypted credentials. Or (b) keep my existing install and stop here — I can verify it's still running with curl -sf http://localhost:3001/health. Do not proceed to step 3 until I answer.

3. If ./NyxID already exists (post-uninstall reinstall), cd into it; otherwise clone the repo into the current directory and cd in. Generate .env.dev with a fresh ENCRYPTION_KEY and MONGO_ROOT_PASSWORD (set ENVIRONMENT=development, INVITE_CODE_REQUIRED=false, AUTO_VERIFY_EMAIL=true, and EMAIL_AUTH_ENABLED=true so I don't get stuck on email verification or a locked-down signup page), symlink it to .env.production, create the PKCS#1 JWT signing keys under keys/ (with a LibreSSL fallback using -pubout if -RSAPublicKey_out isn't supported), then pull images and start the stack with docker compose -f docker-compose.yml -f docker-compose.prod.yml --env-file .env.production up -d. Wait up to 90 seconds for http://localhost:3001/health to return 200 — if it times out, tell me to run docker logs nyxid-backend. If the logs show SCRAM failure: Authentication failed, that means the MongoDB volume has a stale password from a previous install — tell me to run ./scripts/uninstall.sh --yes (or, if the checkout is gone, docker volume ls --format '{{.Name}}' | grep -E 'nyx.*_mongodb_data$' | xargs -r docker volume rm to remove any nyx-flavored orphan volume) and retry. Show me the generated ENCRYPTION_KEY so I can back it up.

4. Tell me to open http://localhost:3000 and register my account (no email verification needed — accounts are auto-verified in dev mode), and wait until I confirm I've done that.

5. Ask me whether I want to install the nyxid CLI. Explain that it's optional, that the installer will pull the Rust toolchain (~300 MB) if I don't have it, and that the first build takes 3–10 minutes and ~1.5 GB of disk. If I say yes, install it using https://raw.githubusercontent.com/ChronoAIProject/NyxID/main/skills/nyxid/scripts/install.sh, then source ~/.cargo/env, log me in with nyxid login --base-url http://localhost:3001, add my OpenAI key with nyxid service add llm-openai --credential-env OPENAI_API_KEY, and verify with nyxid proxy request llm-openai models. If I say no, walk me through adding the same OpenAI credential in the web console instead.

6. Finish by connecting my AI tool to NyxID's MCP endpoint at http://localhost:3001/mcp. For Claude Code: claude mcp add --transport http nyxid http://localhost:3001/mcp. For Codex: codex mcp add nyxid --url http://localhost:3001/mcp. For Cursor: open Settings > MCP in the web console and click Install to Cursor.

Manual Setup

Prefer to run each step yourself, or need the full troubleshooting guide? The complete manual flow lives in docs/QUICKSTART.md:

• System preflight check — Step 1

• One paste-block install — Step 2

• Register your account — Step 3

• Optional CLI install

• Uninstall & reinstall, orphan volume recovery, and SCRAM failure troubleshooting

Once NyxID is running and you've registered at http://localhost:3000:

Next: Add your first AI Service

For production deployment (TLS, custom domain, email verification), see docs/DEPLOYMENT.md.

Connecting AI Services

The Quick Start above (Hosted and Self-Host) sends you to the Web UI walkthrough. For CLI, AI-driven (Claude Code / Codex / Cursor via MCP), or Direct API (curl, n8n, CI/CD), see docs/connecting-services/. The hub explains the deliverable (HTTP/1.1 200 from a real downstream call), distinguishes external service credentials from NyxID Agent Keys, and links to one walkthrough per path.

Reach Local Services (Optional)

Services behind a firewall? Deploy a credential node to punch through NAT and expose them as MCP tools:

# Register and start a node (outbound WebSocket — no port forwarding, no VPN)
nyxid node register --token <reg-token> --url wss://<your-server>/api/v1/nodes/ws
nyxid node credentials add --service my-local-api --header Authorization --secret-format bearer
nyxid node start

# Register the service and link it to the node
nyxid node credentials setup --service my-local-api --api-url http://localhost:8080

# Import endpoints as MCP tools (if the service has an OpenAPI spec)
nyxid catalog endpoints my-local-api

Resources

Contributing

We welcome contributions. See CONTRIBUTING.md.

License

Apache-2.0