Corporate Proxies

SOCKS keeps TLS end-to-end, so cert verification works untouched. A forward proxy that re-encrypts with its own certificate is a different story.

SOCKS proxies — nothing to do

Because SOCKS doesn't terminate TLS, agentty's certificate verification works exactly as it does on a direct connection. This is also why air-gap mode is safe over an untrusted network.

TLS-terminating proxies (Zscaler, Bluecoat, mitmproxy)

If your network routes through a forward proxy that re-encrypts traffic with its own CA, install that CA into the system trust store — agentty picks up system roots at startup:

# Debian / Ubuntu
sudo cp corp-proxy-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

# Fedora / RHEL
sudo cp corp-proxy-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Last resort

If you genuinely can't install the CA, you can disable peer verification:

AGENTTY_INSECURE=1 agentty

⚠WarningAGENTTY_INSECURE=1 skips peer verification entirely — anyone on the path can impersonate the API. Don't ship that to anyone you care about; use it only as a temporary local workaround.

← PreviousSSH Air-gap Next →Building from Source

✎ Edit this page on GitHub