Share Encrypted Data with a Third-Party API

Using Encryption as a Service allows you to keep sensitive data encrypted at all times: at rest, in transit and in use. Although this is a powerful security enhancement, third-party APIs need data in plaintext. We need a way to decrypt that data after it leaves our infrastructure, and before it reaches a third-party endpoint. We can achieve this using the Relay Primitive.

Relay is a network proxy that can be configured to decrypt data during a request. If we proxy our request to a third-party endpoint through Relay, we can configure it so that any encrypted data in the payload will be decrypted, allowing the request to be processed as normal.


Create a Relay

We’ll use RequestBin to simulate a third-party API. In practice, this could be an endpoint from any third-party service. We can create a RequestBin by navigating to, where we will be given a temporary endpoint that we can send requests to. To create a Relay for your RequestBin endpoint, navigate to the Relays tab in the Evervault Dashboard and click Create Relay. Add the RequestBin endpoint to the destination field.

A screenshot of the Evervault Dashboard showing a Relay being created with a RequestBin endpoint as its destination

Integrate the Proxy

To use Relay, first include and initialize the Evervault Node.js SDK in your application and enable Outbound Relay.

Then, using an HTTPclient, we can send a request to the RequestBin endpoint, and the Evervault SDK will automatically intercept the request and route it through Relay.

If you run the snippet, you’ll see the request in your RequestBin logs. You’ll notice that the email and password fields are still encrypted. Next, we’ll configure a Relay to decrypt any encrypted data that gets sent to this endpoint.

When using the Evervault SDK, Relay intercepts HTTP requests so the proxy will work regardless of whether you’re sending a request directly to a REST endpoint, or using a third-party SDK.

Configure the Proxy

Once you have included the Evervault SDK in your application, We can confifgure a Relay to perform encryption and decryption operations for our RequestBin endpoint. In our case, we want to use Relay to decrypt any encrypted data as it's proxied to our RequestBin endpoint. In the Evervault dashboard, navigate to the Relay you created, and click the Add Route button to configure a new route. We want to decrypt any data being sent to this endpoint, so we can enter "/**" in the path field to match all requests sent to the Relay. Next, we can add a request action to decrypt all fields in the request body. Select Add Request Action -> Decrypt -> JSON, and enter $..* in the fields to decrypt. JSON requests use JSONPath to match fields in the request body and $..* will match all fields in the request body. Learn More

A screenshot of Relay beind configured to decrypt all data on request

If you send the request again, you’ll notice that the values for email and password are now decrypted by Relay before being forwarded on to the RequestBin endpoint.


Using Relay means you can still interact with any third-party API that requires sensitive data in plaintext, while keeping it encrypted at all times within your application.