DocsGuidesReference
Dashboard

Share Encrypted Data with a Third-Party API

Using Encryption as a Service allows you to keep sensitive data encrypted at all times: at rest, in transit and in use. Although this is a powerful security enhancement, third-party APIs need data in plaintext. We need a way to decrypt that data after it leaves our infrastructure, and before it reaches a third-party endpoint. We can achieve this using the Outbound Relay Primitive.

Outbound Relay is a network proxy that can be configured to decrypt data during a request. If we proxy our request to a third-party endpoint through Outbound Relay, any encrypted data in the payload will be decrypted, allowing the request to be processed as normal.

process

First, we’ll integrate the proxy, then we’ll configure Outbound Relay to decrypt the encrypted fields.

Integrate the Proxy

We’ll use RequestBin to simulate a third-party API. In practice, this could be an endpoint from any third-party service. We can create a RequestBin by navigating to requestbin.com/r, where we will be given a temporary endpoint that we can send requests to.

To use Outbound Relay, first include and initialize the Evervault Node.js SDK in your application and enable Outbound Relay.

1
const Evervault = require('@evervault/sdk');
2
const evervault = new Evervault('<APP_ID>', '<API_KEY>');
3
evervault.enableOutboundRelay();

Then, using an HTTPclient, we can send a request to the RequestBin endpoint, and the Evervault SDK will automatically intercept the request and route it through Outbound Relay. Since Outbound Relay intercepts HTTP requests, the proxy will work regardless of whether you’re sending a request directly to a REST endpoint, or using a third-party SDK.

1
const Evervault = require('@evervault/sdk');
2
const axios = require('axios');
3
const evervault = new Evervault('<APP_ID>', '<API_KEY>');
4
evervault.enableOutboundRelay();
5
const REQUESTBIN_URL = '<YOUR_REQUESTBIN_URL>';
6
7
(async () => {
8
  const data = {
9
    email: 'claude@shannon.com',
10
    password: '12345678',
11
  };
12
13
  const encryptedData = await evervault.encrypt(data);
14
  const result = await axios.post(REQUESTBIN_URL, {
15
    encryptedData,
16
  });
17
})();

If you run the snippet, you’ll see the request in your RequestBin logs. You’ll notice that the email and password fields are still encrypted. Next, we’ll configure Outbound Relay to decrypt any encrypted data that gets sent to this endpoint.

Configure the Proxy

Once you have included the Evervault SDK in your application, Outbound Relay can be configured to perform encryption and decryption operations on specific domains. In our case, we want to use Outbound Relay to decrypt data as it's proxied to our RequestBin endpoint.

If you navigate to the Outbound Relay tab in the Evervault Dashboard, you can specify the hostnames of the APIs you want to configure. We’ll add our RequestBin URL as an Outbound Relay Destination.

A screenshot of the Evervault dashboard showing a new Outbound Relay being created. The destination of the Outbound Relay proxy is a RequestBin endpoint

If we send request again, we’ll see another request in our RequestBin logs. This time, the encrypted email and password values that we sent from our application was automatically decrypted by Outbound Relay before being forwarded to the RequestBin endpoint.

Summary

Using architecture with Outbound Relay means you can still interact with any third-party API that requires sensitive data in plaintext, while keeping it encrypted at all times within your application.