Using Encryption as a Service allows you to keep sensitive data encrypted at all times: at rest, in transit and in use. This means that no sensitive data should touch your server in plaintext. Sometimes, requests made to a third-party service will include sensitive data in the response payload, like user credentials. We can encrypt that data using the Outbound Relay Primitive.

Outbound Relay is a network proxy which can be configured to encrypt responses from a third-party API before they reach your server.

An isometric drawing showing how Outbound Relay can be used to encrypt data retrieved from a third-party API

In this guide, we’ll set up a mock third-party endpoint that returns sensitive data. We’ll make a request to this endpoint using Outbound Relay to encrypt the sensitive data in the response.

First, we’ll set up the proxy, then we’ll configure Outbound Relay to encrypt responses from the API.

Integrate the Proxy

We’ll use PutsReq to simulate a third-party API. In practice, this could be an endpoint from any third-party API. Selecting Create a PutsReq will provision a temporary endpoint that we can send requests to. In the Response Builder, add the following snippet and select Update.

1
const data = {
2
  email: 'claude@shannon.com',
3
  password: '12345678',
4
};
5
6
response.headers = { 'Content-Type': 'application/json' };
7
response.body = data;

To use Outbound Relay, first include and initialize the Evervault Node.js SDK in your application and enable Outbound Relay.

1
const Evervault = require('@evervault/sdk');
2
const evervault = new Evervault('<APP_ID>', '<API_KEY>');
3
evervault.enableOutboundRelay();

Then, using an HTTPclient, we can send a request to the PutsReq endpoint. The Evervault SDK will automatically intercept the request and route it through Outbound Relay. Since Outbound Relay intercepts HTTP requests, the proxy will work regardless of whether you’re sending a request directly to a REST endpoint, or using a third-party SDK.

1
const Evervault = require('@evervault/sdk');
2
const axios = require('axios');
3
const evervault = new Evervault('<APP_ID>', '<API_KEY>');
4
5
evervault.enableOutboundRelay();
6
7
const PUTSREQ_URL = '<PUTSREQ_URL>';
8
9
(async () => {
10
  const result = await axios.get(PUTSREQ_URL);
11
  console.log(result.data);
12
})();

If you run the snippet, you’ll see the request in your PutsReq logs. You’ll notice that the response still includes plaintext values for email and password. Next, we’ll configure Outbound Relay to encrypt these fields in the response.

Configure the Proxy

Outbound Relay can be configured to decrypt requests or encrypt responses. Since our endpoint returns plaintext data, we’re going to configure the proxy to encrypt the response. Doing so allows us to ensure that plaintext data never touches our server.

If we navigate to the Outbound Relay tab in the Evervault Dashboard, we can specify the hostnames of the APIs we want to configure. In this case, we’ll create a new Outbound Destination, and add our PutsReq URL as the hostname.

A screenshot of the Evervault dashboard showing a new Outbound Relay being created. The destination of the Outbound Relay proxy is a PutsReq endpoint

In the destination we just created, we’ll navigate to the Response Fields tab and select Add Fields. Under Encrypted Fields, add email and password, then hit Save.

A screenshot of the Evervault Dashboard showing a configuration which adds email and password as fields to encrypt

If you run the above code snippet again, you’ll notice that the email and password fields in the response have been encrypted.

Summary

This architecture means you can now retrieve and encrypt card data from a third-party service without handling it in plaintext on your server. This is a common patterns for companies that need to collect and encrypt sensitive credentials from third-party services on behalf of their users.