
Cc Gateway Ai Proxy
Deploy CC Gateway so multiple Claude Code machines share one normalized Anthropic identity, central OAuth refresh, and blocked telemetry side channels.
Overview
CC Gateway AI Proxy is an agent skill most often used in Build integrations (also Ship security, Operate infra) that deploys a TypeScript reverse proxy normalizing Claude Code fingerprints and centralizing OAuth for Anth
Install
npx skills add https://github.com/aradotso/trending-skills --skill cc-gateway-ai-proxy
What is this skill?
- Normalizes 40+ device fingerprint dimensions to a single canonical Claude Code identity
- Three-layer defense: env vars, Clash network rules, and gateway rewrite/auth inject
- Central OAuth token refresh via platform.claude.com while SSE streams pass through
- Docker-oriented deployment pattern for multi-machine Claude Code setups
- Blocks direct Anthropic connections and telemetry leakage from heterogeneous clients
- 40+ device fingerprint dimensions normalized
- 3-layer defense: env vars, Clash rules, gateway rewrite
Adoption & trust: 618 installs on skills.sh; 31 GitHub stars; 0/3 security scanners passed (skills.sh audits).
What problem does it solve?
Several Claude Code machines leak distinct device fingerprints and telemetry, making multi-device setups noisy, hard to auth, and difficult to lock down at the network edge.
Who is it for?
Indie builders standardizing Claude Code across multiple dev machines who accept Docker plus Clash-style network rules for API privacy.
Skip if: Teams not using Claude Code, single-machine setups with no fingerprint or telemetry concerns, or environments that forbid custom MITM-style API proxies.
When should I use this skill?
Set up CC Gateway, proxy Claude Code through a gateway, normalize telemetry, hide device fingerprint, configure Anthropic reverse proxy, or multi-machine gateway Docker setup.
What do I get? / Deliverables
Traffic routes through CC Gateway with rewritten identity dimensions, injected auth, and blocked direct Anthropic paths so clients present one canonical profile.
- Running CC Gateway reverse proxy
- Client env and network rules routing API traffic through the gateway
- Documented canonical identity and OAuth refresh behavior
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Integrations is the first journey moment you wire Claude Code to external APIs through a custom reverse proxy, even though hardening spans ship and operate. The skill is a TypeScript reverse proxy between clients and api.anthropic.com—not app frontend or generic CI—so integrations is the correct primary shelf.
Where it fits
Stand up the TypeScript gateway between local Claude Code and api.anthropic.com on a homelab or VPS.
Apply Clash rules that block direct Anthropic egress before giving contractors Claude Code access.
Rotate gateway env vars and confirm SSE passthrough still works after a Docker image bump.
How it compares
An integration deployment skill for a self-hosted gateway—not an MCP server and not Anthropic's hosted console alone.
Common Questions / FAQ
Who is cc-gateway-ai-proxy for?
Solo builders and tiny teams running Claude Code who need one gatewayed identity, centralized token refresh, and network-level blocks on stray Anthropic connections.
When should I use cc-gateway-ai-proxy?
During build integrations when wiring Claude Code to your stack, at ship security when hardening agent API paths before teammates onboard, and at operate infra when updating Docker gateway config or Clash rules.
Is cc-gateway-ai-proxy safe to install?
A reverse proxy handles OAuth and API traffic—treat it as sensitive infrastructure; review the Security Audits panel on this Prism page and your own secret handling before production use.
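One way to act on the "review your own secret handling" advice, as an added example that is not part of the skill or the cc-gateway project: a TypeScript check over the gateway's config.yaml values (key names as in the SKILL.md below) after they have been parsed into an object. The `auditGatewayConfig` function, the placeholder pattern and the 32-character minimum are assumptions made for this example.

```typescript
// Added example (not from the cc-gateway project): audits a parsed gateway config.
// Key names mirror the page's config.yaml; pattern and length limit are assumptions.
interface GatewayConfig {
  oauth: { refresh_token: string };
  clients: { name: string; token: string }[];
  server: { port: number; tls: boolean };
}
interface Finding { key: string; issue: string }

// Template placeholders such as GENERATED_CLIENT_TOKEN: upper-case words joined by "_".
const PLACEHOLDER = /^[A-Z]+(_[A-Z]+)+$/;
const MIN_TOKEN_LENGTH = 32; // assumed minimum for a client bearer token

function auditGatewayConfig(cfg: GatewayConfig, baseUrl: string): Finding[] {
  const findings: Finding[] = [];
  const add = (key: string, issue: string): void => { findings.push({ key, issue }); };

  // Client bearer tokens travel from each machine to the gateway on every request.
  if (!cfg.server.tls) add("server.tls", "TLS disabled: bearer tokens sent in cleartext");
  if (!/^https:\/\//.test(baseUrl))
    add("ANTHROPIC_BASE_URL", "clients reach the gateway over a non-HTTPS URL");
  if (PLACEHOLDER.test(cfg.oauth.refresh_token))
    add("oauth.refresh_token", "template placeholder left in place");

  const owners: Record<string, string> = Object.create(null); // token -> first client
  for (const c of cfg.clients) {
    const key = `clients.${c.name}.token`;
    if (PLACEHOLDER.test(c.token)) add(key, "template placeholder left in place");
    else if (c.token.length < MIN_TOKEN_LENGTH) add(key, "token shorter than minimum length");
    if (c.token === cfg.oauth.refresh_token) add(key, "same value as the OAuth refresh token");
    const owner = owners[c.token];
    if (owner !== undefined) add(key, `token shared with client "${owner}"`);
    else owners[c.token] = c.name;
  }
  return findings;
}

// Constructed sample input modelled on the page's example config (no real secrets).
const sampleConfig: GatewayConfig = {
  oauth: { refresh_token: "EXTRACTED_REFRESH_TOKEN" },
  clients: [
    { name: "my-laptop", token: "GENERATED_CLIENT_TOKEN" },
    { name: "work-desktop", token: "GENERATED_CLIENT_TOKEN" },
  ],
  server: { port: 8443, tls: false },
};
const sampleFindings = auditGatewayConfig(sampleConfig, "http://localhost:8443");
console.log(sampleFindings.map((f) => `${f.key}: ${f.issue}`).join("\n"));
```

Run it against the parsed contents of the real config.yaml and the `ANTHROPIC_BASE_URL` value set on client machines; an empty result means none of these specific checks fired.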
SKILL.md
# CC Gateway — AI API Identity Gateway

> Skill by [ara.so](https://ara.so) — Daily 2026 Skills collection.

CC Gateway is a TypeScript reverse proxy that sits between Claude Code clients and the Anthropic API. It normalizes 40+ device fingerprint dimensions (device ID, email, environment, RAM, headers, and system prompt content) to a single canonical identity, manages OAuth token refresh centrally, and prevents telemetry leakage from multi-machine setups.

## Architecture Overview

```
Client (Claude Code + env vars + Clash)
  └─► CC Gateway (rewrite + auth inject + SSE passthrough)
        └─► api.anthropic.com (single canonical identity)

Gateway also contacts:
  platform.claude.com (OAuth token refresh only)
```

**Three-layer defense:**

| Layer | Mechanism |
|-------|-----------|
| Env vars | Route CC traffic to gateway, disable side channels |
| Clash rules | Block any direct Anthropic connections at network level |
| Gateway | Rewrite all 40+ fingerprint dimensions in-flight |

## Installation

### Prerequisites

- Node.js 18+ or Docker
- A machine that has previously logged into Claude Code (for OAuth token extraction)

### Clone and Install

```bash
git clone https://github.com/motiful/cc-gateway.git
cd cc-gateway
npm install
```

### Generate Identity and Tokens

```bash
# Create a stable canonical identity (device_id, email, env profile)
npm run generate-identity

# Create a bearer token for a specific client machine
npm run generate-token my-laptop
npm run generate-token work-desktop
```

### Extract OAuth Token (from a logged-in machine)

```bash
# macOS — copies refresh_token from Keychain
bash scripts/extract-token.sh
```

### Configure

```bash
cp config.example.yaml config.yaml
```

Edit `config.yaml`:

```yaml
# config.yaml
identity:
  device_id: "GENERATED_DEVICE_ID"   # from generate-identity
  email: "canonical@example.com"
  platform: "darwin"
  arch: "arm64"
  node_version: "20.11.0"
  shell: "/bin/zsh"
  home: "/Users/canonical"
  working_directory: "/Users/canonical/projects"
  memory_gb: 16   # canonical RAM value

oauth:
  refresh_token: "EXTRACTED_REFRESH_TOKEN"   # from extract-token.sh

clients:
  - name: my-laptop
    token: "GENERATED_CLIENT_TOKEN"
  - name: work-desktop
    token: "ANOTHER_CLIENT_TOKEN"

server:
  port: 8443
  tls: false   # true for production with certs
```

## Starting the Gateway

```bash
# Development (no TLS, hot reload)
npm run dev

# Production build
npm run build && npm start

# Docker Compose (recommended for production)
docker-compose up -d
```

### Docker Compose Example

```yaml
# docker-compose.yml
version: "3.8"
services:
  cc-gateway:
    build: .
    ports:
      - "8443:8443"
    volumes:
      - ./config.yaml:/app/config.yaml:ro
    restart: unless-stopped
    environment:
      - NODE_ENV=production
```

## Verification

```bash
# Health check
curl http://localhost:8443/_health

# Show before/after rewrite diff (requires client token)
curl -H "Authorization: Bearer YOUR_CLIENT_TOKEN" \
  http://localhost:8443/_verify
```

## Client Machine Setup

On each machine running Claude Code, set these environment variables:

```bash
# ~/.bashrc or ~/.zshrc

# Route all Claude Code API traffic through the gateway
export ANTHROPIC_BASE_URL="https://gateway.your-domain.com:8443"

# Disable side-channel telemetry (Datadog, GrowthBook, version checks)
export CLAUDE_CODE_DISABLE_NONESSENTIAL_T