reorc/api-egress-gateway

egressd

Local HTTPS MITM proxy that intercepts outbound API traffic from controlled clients (OpenClaw, rqdata-cli) and routes it through the APIMux control plane for unified authentication, billing, and audit.

Chinese documentation

graph LR
    A[OpenClaw / rqdata-cli] -->|HTTPS_PROXY| B[egressd :8080]
    B -->|relay| C[APIMux]
    C -->|real credentials| D[Provider upstream]

Clients use APIMux platform keys (ak_ prefix). egressd intercepts HTTPS requests, identifies the platform key, and forwards the request to APIMux. APIMux injects the real provider credentials server-side — clients never touch them.

Install

curl -sSL https://raw.githubusercontent.com/reorc/api-egress-gateway/main/scripts/install.sh | sh

Or build from source:

make build

Quick start

egressd init          # generate config + MITM CA certificates
egressd serve         # start the proxy (default command)
egressd install       # install as systemd/launchd service

Configuration

JSON config controls provider behavior; environment variables control paths.

{
  "apimux": { "baseUrl": "http://apimux.internal:38080" },
  "providers": {
    "rqdata": { "enabled": true },
    "generic": [{
      "name": "brave",
      "enabled": true,
      "host": "api.search.brave.com",
      "credential": { "source": "header", "name": "X-Subscription-Token" },
      "fallback": "native"
    }]
  }
}

See config.example.json for all fields. Supported credential sources: header, bearer, json_field, query.

| Variable | Description | Default |
|---|---|---|
| EGRESSD_CONFIG_PATH | Config file path | ./config.local.json then ./config.example.json |

How it works

graph TB
    subgraph Same machine
        RC[rqdata-cli] -->|HTTPS_PROXY| E
        OC[OpenClaw] -->|HTTPS_PROXY| E
        E[egressd :8080<br/>loopback]
    end

    E -->|MITM intercept| D{Route by host}

    D -->|rqdata.ricequant.com /auth| AUTH[APIMux key? echo token<br/>else passthrough native]
    D -->|rqdata.ricequant.com /api| API[APIMux key? relay<br/>else passthrough native]
    D -->|api.search.brave.com| BRAVE[APIMux key? relay<br/>else native/reject]
    D -->|other hosts| PASS[passthrough]

    API --> RELAY[APIMux<br/>POST /v1/relay/requests]
    BRAVE --> RELAY
    RELAY -->|auth, rate-limit, billing| UP[inject real credentials, call provider]
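
The routing decision in the diagram above, combined with the four credential sources listed under Configuration, modelled as an added Python example (not egressd's own code). The per-source extraction semantics, the exact-match host comparison, and the second provider entry `example` are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit, parse_qs

# "brave" is copied from the page's config sample. "example" is a hypothetical
# entry, added only to exercise the bearer source and the "reject" fallback.
PROVIDERS = [
    {"name": "brave", "enabled": True, "host": "api.search.brave.com",
     "credential": {"source": "header", "name": "X-Subscription-Token"},
     "fallback": "native"},
    {"name": "example", "enabled": True, "host": "api.example.test",
     "credential": {"source": "bearer"}, "fallback": "reject"},
]

def extract_credential(cred, url, headers, body):
    """Pull the client credential from where the provider config says it lives
    (assumed semantics for each source name)."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    source = cred["source"]
    if source == "header":
        return hdrs.get(cred["name"].lower())
    if source == "bearer":
        scheme, _, token = hdrs.get("authorization", "").partition(" ")
        return token.strip() if scheme.lower() == "bearer" and token else None
    if source == "query":
        values = parse_qs(urlsplit(url).query).get(cred["name"])
        return values[0] if values else None
    if source == "json_field":
        try:
            doc = json.loads(body or b"{}")
        except ValueError:  # malformed JSON or undecodable bytes: no credential
            return None
        value = doc.get(cred["name"]) if isinstance(doc, dict) else None
        return value if isinstance(value, str) else None
    raise ValueError(f"unknown credential source: {source}")

def route(url, headers, body=b"", providers=PROVIDERS):
    """Return 'relay', 'native', 'reject' or 'passthrough' for one intercepted request."""
    host = (urlsplit(url).hostname or "").lower()
    for p in providers:
        # Exact host match (assumption): a lookalike such as
        # api.search.brave.com.evil.test must not be treated as the provider.
        if p["enabled"] and host == p["host"]:
            key = extract_credential(p["credential"], url, headers, body)
            if key and key.startswith("ak_"):
                return "relay"        # platform key: hand the request to APIMux
            return p["fallback"]      # no platform key: native or reject
    return "passthrough"              # host not managed by any provider
```
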

CLI commands

| Command | Description |
|---|---|
| egressd serve | Start the MITM proxy (default) |
| egressd init | Initialize config and MITM CA certificates |
| egressd install | Install as a system service (systemd/launchd) |
| egressd uninstall | Remove the system service |
| egressd update | Self-update to latest release |
| egressd version | Print version |

Deployment

E2E tests

Requires both apimux and egressd running:

APIMUX_API_KEY=ak_xxx SKIP_PROXY=1 ./scripts/e2e-rqdata.sh   # direct to APIMux
APIMUX_API_KEY=ak_xxx ./scripts/e2e-rqdata.sh                 # full chain
APIMUX_API_KEY=ak_xxx ./scripts/e2e-brave.sh                  # Brave full chain

License

MIT

About

Extensible MITM/API egress gateway for provider credential management; Brave MVP
