Outbound Relay

Automatically decrypt sensitive data after it leaves your app and before it reaches your trusted destination.

When a request is sent through Outbound Relay, it will automatically decrypt any fields that it detects are encrypted. This means that fields can be encrypted before they reach your backend using Inbound Relay, stored in your database and sent to third-party APIs without writing any logic for decryption, or worrying about storing the data in a secure way.

By including our Node.js SDK or Python SDK, all requests to third party APIs are routed through Outbound Relay. No additional configuration is required.

How Outbound Relay works

Relay can be used to pass data to third-party services and APIs using the Outbound Relay HTTP CONNECT Proxy on

Outbound Relay intercepts requests by signing a new certificate for the target (e.g. using the Relay Root CA. In order to establish a TLS connection with the target, your system needs to trust the Root CA certificate. Relay transparently terminates TLS-encrypted requests and decrypts all Evervault-encrypted data within the payload before establishing a new TLS connection with the destination and sending the request.

We currently only support CONNECT-over-TLS in order to avoid transmitting credentials in plaintext.

Outbound Relay supports two authentication mechanisms:

  1. Include a Proxy-Authorization header in the destination request. This ensures that your API credentials are TLS-encrypted at all times. Outbound Relay will remove this header before being passed to the destination.
  2. Use spec-compliant HTTP Basic Auth with your team ID as the username and your API key as the password. Many languages support the HTTPS_PROXY environment variable which can be set as follows:

Our Node.js SDK and our Python SDK do this configuration for you you by trusting the Relay Root CA and including the Proxy-Authorization header in all requests.

Test with curl

Send an encrypted string through Outbound Relay without integrating an SDK:

curl -x <your destination url> \
-H 'Content-Type: application/json' \
-H 'Proxy-Authorization: <your Team's api key>' \
-d '{ "key": "<an Evervault encrypted string>"}' -kv

Outbound Destinations

The default behavior of Outbound Relay is to allow traffic to all domains. A whitelist can be made by adding trusted domains as outbound destinations, and then turning on Strict Mode.

You can configure Response Encryption for Outbound Relay in much the same way you configure it for Inbound Relay. Outbound Destinations can be configured to have associated fields to encrypt.

You can add outbound destinations in the 'Outbound Relay' section of the dashboard.

Outbound Relay → Add Outbound Destination
Coming soon - Define and configure outbound destinations in the dashboard using wildcards.

Was this page useful?