Tokenwise
Tokenwise Connect

See every LLM call your AI tools make.

One install. Captures Claude Code, Cursor, Codex, the Claude CLI — without touching your auth.

terminalmacOS · Linux · WSL
$curl -fsSL https://tokenwisehq.com/connect.sh | bash
powershellWindows (PowerShell)
>iwr -useb tokenwisehq.com/connect.ps1 | iex

Inspect the script first? connect.sh · connect.ps1

IDE coverage

What we observe today.

Connect detects the AI tools installed on your machine and configures each one in turn. If one isn’t in the list, it stays untouched.

  • Claude Code IDE

    Max plan OAuth + API key

    Supported

    Pass-through. Your OAuth bearer rides the request to api.anthropic.com untouched; we observe the round-trip.

  • Claude CLI (ant)

    Max plan OAuth + API key

    Supported

    Same as Claude Code — ANTHROPIC_BASE_URL is repointed, your auth header is forwarded verbatim.

  • Codex CLI

    ChatGPT Plus + API key

    Supported

    Pass-through. We patch ~/.codex/config.toml to route through proxy.tokenwisehq.com; the rest of your config is left alone.

  • Cursor

    BYO models only

    Partial

    Cursor Pro's bundled models stay on Cursor's own auth — that traffic remains unobserved. We patch the OpenAI base URL setting for your BYO keys.

  • Antigravity

    No public surface yet

    Soon

    No custom-endpoint setting exposed at the moment. We're tracking it and will ship support as soon as one lands.

  • Ollama

    Local-only

    Soon

    Ollama runs entirely on your machine — there's no cloud hop to observe. A local-loop observer is on the roadmap.

Boundary

What we never touch.

Connect is a pure pass-through. It re-points the LLM endpoint your IDE talks to — nothing else.

Your provider keys

Your sk-… and sk-ant-… keys stay in your IDE, in your Authorization header, untouched. They ride the request to the upstream provider and are dropped from worker memory the moment the response is returned.

Your OAuth & subscription auth

Claude Max plan, ChatGPT Plus, Cursor Pro — the OAuth tokens and session credentials your IDE manages are out of scope. We don't see them, don't store them, don't proxy their refresh flow.

Anything outside the LLM API host

The route token is scoped to /r/{token}/{provider}/… and nothing else. We forward to api.openai.com, api.anthropic.com, and the other LLM hosts — never to your IDE's internal endpoints, telemetry, or update servers.

Read the full security model[email protected]

How it works

Three steps. One terminal.

  1. Step 01

    Run the installer

    The one-liner kicks off a device-code flow: you open a short URL in your browser, sign into Tokenwise, and pick which workspace this device reports to. Takes about ten seconds.

  2. Step 02

    It patches each IDE's BASE_URL

    The installer detects every supported IDE on your machine and writes the proxy URL into its config — shell-rc for Claude Code & the Claude CLI, config.toml for Codex, settings.json for Cursor. Each edit is shown to you and asks for [Y/n].

  3. Step 03

    Every LLM call flows through Tokenwise

    From the moment you reload your shell, your IDEs route through proxy.tokenwisehq.com. The proxy forwards your existing auth verbatim and streams metadata into your dashboard — cost, latency, tokens, prompts (or just metrics if you've turned payload storage off).

Uninstall

Reverse every change with one command.

disconnect finds the markers Connect left in your shell rc, restores every .tokenwise.bak file, and revokes the device’s route token. Your IDE goes back to talking directly to its provider.

macOS · Linux · WSL
$curl -fsSL https://tokenwisehq.com/disconnect.sh | bash
Windows (PowerShell)
$iwr -useb tokenwisehq.com/disconnect.ps1 | iex

FAQ

Frequently asked.

01Does this work with the Claude Max plan?
Yes. The Max plan signs requests with an OAuth bearer token, and the proxy forwards that bearer to api.anthropic.comunchanged. We never see, store, or refresh your OAuth credentials — they belong to the IDE.
02What if I revoke a device?
That device stops reporting immediately. The local IDE config still points at proxy.tokenwisehq.com, but the route token auth-fails — so your IDE will see 401 invalid route until you either re-run connect.sh to pair again or run disconnect.sh to restore the original config.
03Do my requests slow down?
The proxy runs on Cloudflare Workers across 300+ cities. Median edge overhead is around 37 ms; p95 sits under 50 ms. Provider latency on a real chat completion is 400–2,000 ms, so the proxy is well inside the noise.
04Can Tokenwise see my prompts?
Yes — by default, that’s the value proposition. Capturing prompts is what powers the Insights email, prompt grouping, eval scoring, and prompt-version drift detection. If you’d rather keep them out, flip Privacy mode on in Settings — we keep cost, latency, tokens, model, status, and drop the prompt and completion bodies.
05Can I self-host?
Self-hosting is coming on the Pro plan. You’ll be able to run the Cloudflare Worker on your own account and point your IDEs at it, with ingestion going to your own Tokenwise app. Until then, Indie and Pro both run on the shared Cloudflare edge with workspace-isolated ingestion.

Ready to see every call your AI tools make?

Sign up, then run Connect on the machine you code on.

Start freeRead the docs →