Outbound Interception

Automatically decrypt sensitive data after it leaves your app and before it reaches your trusted destination.

By including our Node.js SDK or Python SDK, we will automatically route all requests from your backend to third-party APIs through the Evervault edge network and decrypt any fields that we detect are encrypted. This means that fields can be encrypted before they reach your backend, stored in your database and sent to third-party APIs without writing any logic for decryption, or worrying about storing the data in a secure way.

How does Outbound Interception work?

Relay can be used to pass data to third-party services and APIs using the Relay HTTP CONNECT Proxy on

Relay intercepts outbound requests by signing a new certificate for the target (e.g. using the Relay Root CA. In order to establish a TLS connection with the target, your system needs to trust the Root CA certificate. Relay transparently terminates TLS-encrypted requests and decrypts all Evervault-encrypted data within the payload before establishing a new TLS connection with the destination and sending the request.

We currently only support CONNECT-over-TLS in order to avoid transmitting credentials in plaintext.

Outbound Relay supports two authentication mechanisms:

  1. Include a Proxy-Authorization header in the destination request. This ensures that your API credentials are TLS-encrypted at all times. Relay will remove this header before being passed to the destination.
  2. Use spec-compliant HTTP Basic Auth with your team ID as the username and your API key as the password. Many languages support the HTTPS_PROXY environment variable which can be set as follows:

Our Node.js SDK and our Python SDK allow you to automatically forward all requests to Relay with the Proxy-Authorization header included and the Relay Root CA trusted. No additional configuration is required.

Test with curl

Send an encrypted string outbound through Relay without integrating an SDK:

curl -x <your destination url> -H 'Content-Type: application/json' -H 'Proxy-Authorization: <your Team's api key>' -X POST -d '{ "key": "<an Evervault encrypted string>"}' -kv

Strict Mode

When your app sends an outbound request through Relay, any encrypted fields in the payload will be decrypted. It's important that these requests only go to destinations you trust.

With Strict Mode on, only requests to destinations you have chosen will be allowed through Relay. If a request is sent to non-trusted destination, Relay will respond with a 403 HTTP status and Evervault error header: x-evervault-error-code: forbidden-destination.

You can configure in the Dashboard what traffic should be allowed through Relay by going to Settings -> Strict Mode.

Was this page useful?