> ## Documentation Index
> Fetch the complete documentation index at: https://docs.synti.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Network Proxy

> Route Synti's traffic through an HTTP or HTTPS proxy and trust a corporate TLS-inspecting certificate.

On restricted or corporate networks, Synti may need to reach model providers and sources through an outbound proxy. Synti supports HTTP and HTTPS proxies, per-host bypass rules, and custom CA certificates for networks that inspect TLS. Settings apply across the app and are passed down to the agent's subprocesses automatically.

## Configure a proxy

Open **Settings → Network** and fill in:

| Field        | Description                                                              |
| ------------ | ------------------------------------------------------------------------ |
| Enable Proxy | Master toggle for proxy routing.                                         |
| HTTP Proxy   | Proxy URL for HTTP traffic, e.g. `http://proxy.corp.com:8080`.           |
| HTTPS Proxy  | Proxy URL for HTTPS traffic. Falls back to the HTTP proxy if left empty. |
| No Proxy     | Comma-separated hosts and domains that should bypass the proxy.          |

Changes take effect immediately — no restart required. They persist under the `networkProxy` key in the [config file](/reference/config/config-file).

```json config.json theme={null}
{
  "networkProxy": {
    "enabled": true,
    "httpProxy": "http://proxy.corp.com:8080",
    "httpsProxy": "http://proxy.corp.com:8080",
    "noProxy": ".internal.corp.com,192.168.1.1"
  }
}
```

## Authentication

If your proxy requires credentials, put them in the URL:

```text theme={null}
http://username:password@proxy.corp.com:8080
```

<Warning>
  Credentials embedded in a proxy URL are stored in plain text in `config.json`. Prefer supplying them through environment configuration so they aren't written to disk in the clear.
</Warning>

## Bypass rules

The **No Proxy** list supports several forms:

| Pattern            | Matches                        |
| ------------------ | ------------------------------ |
| `example.com`      | Exact host.                    |
| `.example.com`     | The domain and all subdomains. |
| `192.168.1.1`      | A specific IP address.         |
| `[::1]`            | An IPv6 address.               |
| `example.com:8443` | A host on a specific port.     |

<Note>
  `localhost` and `127.0.0.1` are not bypassed automatically. Add them to the No Proxy list if local services should skip the proxy.
</Note>

## TLS-inspecting proxies

Some corporate firewalls terminate and re-sign TLS. For Synti to trust the re-signed certificates, point `NODE_EXTRA_CA_CERTS` at your organization's CA bundle before launching the app.

<Tabs>
  <Tab title="macOS">
    Set it for GUI apps with `launchctl`, then relaunch Synti:

    ```bash theme={null}
    launchctl setenv NODE_EXTRA_CA_CERTS /path/to/corp-ca.pem
    ```
  </Tab>

  <Tab title="Windows">
    Add `NODE_EXTRA_CA_CERTS` under System Properties → Environment Variables, then restart Synti.
  </Tab>

  <Tab title="Linux">
    Add the variable to an `environment.d` file or your session profile, then relaunch:

    ```bash theme={null}
    # ~/.config/environment.d/synti.conf
    NODE_EXTRA_CA_CERTS=/path/to/corp-ca.pem
    ```
  </Tab>
</Tabs>

When connecting the terminal client to a server with a self-signed certificate, use `SYNTI_TLS_CA` or the `--tls-ca` flag instead — see [Environment Variables](/reference/config/environment-variables) and the [CLI reference](/reference/cli).

## How traffic is routed

Synti applies proxy settings at every layer that makes outbound requests:

* **App runtime** — outbound HTTPS is tunneled through the proxy via CONNECT.
* **App windows** — the Electron layer routes browser traffic through the same proxy.
* **Subprocesses** — the agent's child processes inherit `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` from the configured settings.

## Related

<CardGroup cols={2}>
  <Card title="Environment Variables" icon="terminal" href="/reference/config/environment-variables">
    CA and TLS variables for clients and servers.
  </Card>

  <Card title="Headless Server" icon="server" href="/server/headless">
    TLS options when exposing a server.
  </Card>

  <Card title="Config File" icon="file-code" href="/reference/config/config-file">
    Where proxy settings are persisted.
  </Card>

  <Card title="Credentials" icon="lock" href="/reference/config/credentials">
    Keeping secrets off disk in the clear.
  </Card>
</CardGroup>
