Forward Proxy & Watch Mode
The forward proxy intercepts HTTPS traffic from any AI agent by acting as an HTTP CONNECT proxy with MITM TLS. Unlike the MCP gateway (which requires pointing agents at Quint), the forward proxy works with standard HTTP_PROXY / HTTPS_PROXY environment variables — zero code changes required.
How It Works
Quick Start
```bash
# Start the forward proxy with dashboard
quint watch

# In another terminal, run your agent with proxy env vars
export HTTP_PROXY=http://localhost:9090
export HTTPS_PROXY=http://localhost:9090
export SSL_CERT_FILE=~/.quint/ca/quint-ca-bundle.pem
export NODE_EXTRA_CA_CERTS=~/.quint/ca/quint-ca.crt

# Run any agent — traffic is automatically intercepted
claude --model claude-sonnet-4-20250514 "summarize this repo"
```
The dashboard opens at http://localhost:8080 showing live agent activity.
CLI Flags
| Flag | Default | Description |
|---|---|---|
| `--port` | 9090 | Proxy listen port |
| `--dashboard-port` | 8080 | Dashboard UI port |
| `--policy` | auto-detect | Path to policy.json |
| `--static-dir` | embedded | Serve dashboard from local dir (dev mode) |
| `--no-dashboard` | false | Skip starting the dashboard |
| `--no-open` | false | Don’t auto-open browser |
Agent Environment Variables
Set these in any terminal where your agent runs:
| Variable | Value | Purpose |
|---|---|---|
| `HTTP_PROXY` | `http://localhost:9090` | Route HTTP traffic through Quint |
| `HTTPS_PROXY` | `http://localhost:9090` | Route HTTPS traffic through Quint |
| `SSL_CERT_FILE` | `~/.quint/ca/quint-ca-bundle.pem` | Trust Quint’s CA (Go, Python, curl) |
| `NODE_EXTRA_CA_CERTS` | `~/.quint/ca/quint-ca.crt` | Trust Quint’s CA (Node.js) |
Named Agents
To explicitly name an agent, use the proxy URL’s username field:
```bash
HTTP_PROXY=http://my-research-bot@localhost:9090
HTTPS_PROXY=http://my-research-bot@localhost:9090
```
This overrides auto-discovery and assigns the agent a fixed identity.
CA Certificate
Quint generates a local CA on first run using ECDSA P-256:
- CA certificate: `~/.quint/ca/quint-ca.crt` (valid 10 years)
- CA private key: `~/.quint/ca/quint-ca.key`
- Combined bundle: `~/.quint/ca/quint-ca-bundle.pem` (system CAs + Quint CA)
- Leaf certificates: generated per-hostname, cached in memory, valid 24 hours
The CA never leaves your machine. Leaf certificates are signed on-the-fly for each unique hostname the agent connects to.
Provider Classification
Quint automatically classifies intercepted traffic into 46+ AI providers using domain matching:
| Provider | Domains |
|---|---|
| anthropic | `api.anthropic.com`, `mcp-proxy.anthropic.com` |
| openai | `api.openai.com`, `chatgpt.com` |
| google | `generativelanguage.googleapis.com`, `aiplatform.googleapis.com` |
| azure-openai | `openai.azure.com`, `cognitive.microsoft.com` |
| aws-bedrock | `bedrock-runtime.*.amazonaws.com` |
| mistral | `api.mistral.ai` |
| groq | `api.groq.com` |
| deepseek | `api.deepseek.com` |
| cohere | `api.cohere.com` |
Full list includes 40+ providers: Together, Replicate, Fireworks, Perplexity, xAI, HuggingFace, Cerebras, SambaNova, NVIDIA, OpenRouter, Cloudflare, and 8 Chinese providers (Zhipu, Baidu, Alibaba, ByteDance, Moonshot, 01.AI, MiniMax, SiliconFlow).
Classification uses three tiers:
- Exact domain match — fastest, covers all known API endpoints
- Pattern-based — catches region-specific AWS/Azure/Databricks URLs
- Root domain fallback — handles unknown subdomains (e.g., `console.anthropic.com` → anthropic)
Domain Policy
Control which domains are allowed or blocked:
```json
{
  "forward_proxy": {
    "default_action": "allow",
    "log_bodies": true,
    "max_body_log_size": 8192,
    "domains": [
      { "domain": "*.openai.com", "action": "allow" },
      { "domain": "pastebin.com", "action": "deny" }
    ]
  }
}
```
Rules are evaluated first-match-wins with glob pattern support.
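An added sketch (not Quint's code) of first-match-wins evaluation over the policy above, useful for auditing a rule list before deploying it. It assumes shell-style globs matched against the whole hostname, which the page does not specify; `decide`, `unreachable_rules` and the `SHADOWED` policy are hypothetical names and constructed data.

```python
import json
from fnmatch import fnmatchcase

# Policy copied from the page.
PAGE_POLICY = json.loads("""
{
  "forward_proxy": {
    "default_action": "allow",
    "log_bodies": true,
    "max_body_log_size": 8192,
    "domains": [
      { "domain": "*.openai.com", "action": "allow" },
      { "domain": "pastebin.com", "action": "deny" }
    ]
  }
}
""")

def decide(policy, host):
    """Return (action, index of the matching rule, or None for the default)."""
    fp = policy["forward_proxy"]
    host = host.lower().rstrip(".")          # hostnames are case-insensitive
    for i, rule in enumerate(fp["domains"]):
        # ASSUMPTION: shell-style glob over the whole hostname; '*' spans dots.
        if fnmatchcase(host, rule["domain"].lower()):
            return rule["action"], i         # first match wins, stop here
    return fp["default_action"], None

def unreachable_rules(policy, probe_hosts):
    """Indexes of rules that never win for any probe host (likely shadowed)."""
    rules = policy["forward_proxy"]["domains"]
    winners = {decide(policy, h)[1] for h in probe_hosts}
    return [i for i in range(len(rules)) if i not in winners]

# Constructed policy: a broad allow placed ahead of a narrower deny.
SHADOWED = {"forward_proxy": {"default_action": "deny", "domains": [
    {"domain": "*.example.com", "action": "allow"},
    {"domain": "uploads.example.com", "action": "deny"},
]}}

if __name__ == "__main__":
    for h in ["api.openai.com", "openai.com", "pastebin.com", "www.pastebin.com"]:
        print(h, decide(PAGE_POLICY, h))
    print(unreachable_rules(SHADOWED, ["uploads.example.com", "api.example.com"]))
```

Under the assumed glob semantics, `openai.com` and `www.pastebin.com` match no rule in the page's policy and fall through to `default_action`, and in the constructed policy the narrower deny never fires because the broader allow precedes it.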
Architecture
The forward proxy integrates with all other Quint subsystems: