Functions

Evervault Functions are secure serverless functions which allow you to process data encrypted by Evervault products. When you pass encrypted data to a Function, it is automatically decrypted. You can then process this data by running custom logic written in Node.js or Python as you usually would, but without ever handling it in plaintext on your infrastructure.

Deploying a Function

The quickest way to deploy your first Evervault Function is by signing into the Evervault Dashboard and creating a starter template Function by connecting your GitHub account.

Sign in to the Evervault Dashboard
Create or open an App and navigate to the Functions tab
Click Create Function
Select "Choose template"
Authenticate with GitHub
Select a starter template and deploy your Function

Using the CLI

You can also use the Evervault CLI to deploy a function directly from your machine.

Running a Function

Functions can be invoked using our SDKs, or using our REST API. Any encrypted data within the payload sent to the Function will be decrypted before being passed to the Function handler.

1const Evervault = require('@evervault/sdk');
2const evervault = new Evervault('<APP_ID>', '<API_KEY>');
3
4const encryptedName = await evervault.encrypt("Claude Shannon");
5const result = await evervault.run("hello-function", {
6    name: encryptedName
7});
8
9console.log(result);

Client-side execution

API Keys are sensitive and should not be used client-side. When invoking Functions from frontend applications, we recommend using a Run Token. Run Tokens are single use, time bound tokens for invoking a Function with a given payload. Run Tokens will only last for 5 minutes and must be used with the same payload that was used to create the Run Token.

Run Tokens should be created in your backend using our API and handed off to your client.

1await fetch("https://api.evervault.com/functions/:function-name/runs", {
2  method: "POST",
3  headers: {
4    Authorization: "RunToken <RUN_TOKEN>",
5    "Content-Type": "application/json",
6  },
7  body: JSON.stringify({
8    payload: { message: "ev:tk9d:wjfiw..." },
9  }),
10});

Responses

The response from a Function run will contain a status field. The status field will be either success or failure, depending on whether the function completed successfully or not. Any payload returned from the Function will be inside of the result field of the response object.

1{
2  "id": "func_run_bd9e16a08f18",
3  "status": "success",
4  "result": {
5    "message": "Hello from a Function!"
6  }
7}

Error handling

If there is a failure in the course of a Function run, the response will contain an error object with a message and stack field. The message field will contain a human readable error message, and the stack field will contain a stack trace of the error.

1{
2  "id": "func_run_6de494a86a7d",
3  "status": "failure",
4  "error": {
5    "message": "Oh no! Something went wrong",
6    "stack": "Error: Oh no! Something went wrong\n    at exports.handler (/runtime/app/index.js:26:15)\n    at /runtime/index.js:65:26\n    at new Promise (<anonymous>)\n    at /runtime/index.js:52:16"
7  }
8}

FunctionNotReady

Functions that have been idle for extended periods of time may return FunctionNotReady HTTP 409 errors. This can be resolved by retrying the request.

Encryption within a Function

An encrypt function is available within your Function and can be accessed through the context parameter. This allows you to encrypt data in your response using your App’s keys.

1exports.handler = async (data, context) => {
2  return {
3    secret: await context.encrypt("Super Secret String"),
4  };
5};

Configuration

Evervault Functions are configured using a function.toml configuration file which can be committed to source control. Simply provide a function.toml file in the root of your repository and Evervault will automatically include it at build time.

1[function]
2# Customize your Function's timeout by providing a positive integer value.
3# The timeout is defined in seconds.
4# Timeouts of greater than 55 seconds are only permitted for asynchronous Function runs.
5# Default: 30
6# Maximum: 900
7timeout = 45
8
9# Customize your Function's entry point by specifying the handler in the form `<FILE>.<FUNCTION>`
10handler = "main.myFunc"
11
12# The name of your Function
13name = "your-function-name"
14
15# The language of your Function
16# Node: node@18, node@20
17# Python: python@3.9, python@3.10, python@3.11
18language = "node@18"

Dependencies

When you deploy a Function to Evervault, we will locate your package.json (for Node.js) and requirements.txt file (for Python) and install any non-development dependencies.

For Node.js Functions, if a node_modules folder is included then dependency installation will be skipped; this can be used to include private dependencies.

If there are any issues with your dependencies, for example if you have missed one in your package.json, an InitializationError will be thrown.

Environment Variables

Environment Variables for a Function can be configured using either the Evervault Dashboard or CLI. Secrets can be encrypted on creation and will be made available to your Function handler in plaintext on startup.

Secrets are available in plaintext in the Function handler, but will be in their encrypted form when accessed from anywhere else within the Function.

Networking

Limiting access to your Function

By default, Functions will respond to requests invoked from any client with a valid Evervault API key or Run Token. By adding an IP address to the Inbound Whitelist in the Dashboard, your Function will only be invoked when a request is made from a whitelisted IP address.

Limiting egress from your Function

By default, Functions can send requests to any third-party endpoint. By adding a domain name to the Outbound Whitelist in the Dashboard, your Function will only have network access to the hostnames you specify.

Resource Limits

Evervault Functions have a maximum memory consumption of 1024MB, 2 available CPU cores, and 512MB of ephemeral filesystem storage. However, using ephemeral storage is not recommended for sensitive data, as it cannot be guaranteed that data won't be available to a future invocation — increasing the risk of an accidental data leak.

Evervault Functions scale automatically to many thousands of requests per second without a noticeable drop in throughput or latency.

If you require more memory or CPU cores, check out Evervault Enclaves — the easiest way to build, deploy, and scale Secure Enclaves.

Execution Time

Evervault Functions have a default execution time of 30 seconds. This can be increased to a maximum of 55 seconds (for synchronous invocations) by setting the timeout in the function.toml.

Asynchronous Functions

Asynchronous Function runs up to 15 minutes are also permitted. To execute a Function in async mode, you must set the async argument on your request payload to true.

1fetch("https://api.evervault.com/functions/hello-function/runs", {
2  method: "POST",
3  headers: {
4    "Content-Type": "application/json",
5    Authorization: "Basic <credentials>",
6  },
7  body: JSON.stringify({
8    async: true,
9    payload: {
10      name: "ev:Tk9D:oVPHsPvwFHNk73DU:AglNWOgZekolcrxdxSpZJOusBgE+C9eWSapGIZkgTsUj:JKeSkdhVE9SCXqQINID4oBRCE/VhTb56VWGqyObP:$",
11    },
12  }),
13});

Observability

Logs for all function runs can be viewed inside of the Evervault Dashboard. You can learn more about observability in our observability guide.

What's next

Relay
Encrypt or decrypt data in transit—between your app and your own APIs, or any third-party APIs.
Card Collection
Learn how to use Card Collection to collect cardholder data.

Functions

Using the CLI

FunctionNotReady

On this page