Java SDK

A full reference of our Java SDK.

You can use our Java SDK to:

  1. Encrypt data at your server
  2. Run your Cages
  3. Encrypt/decrypt data with Relay

You can use our Java SDK to encrypt data — rather than with Relay — and still send it to a third-party via Relay. Encrypting with our backend SDKs is best for developers who want to avoid the network latency of Relay and/or want to avoid sending plaintext data to Relay to be encrypted.

Encrypting data with our backend SDKs instead of Relay may expose you to greater compliance burden because plaintext data touches your server before it is encrypted.

You don’t need to change your database configuration. You can store Evervault-encrypted data in your database as you would the plaintext version.


Our Java SDK is distributed via maven and can be installed using your preferred build tool.


implementation 'com.evervault:lib:2.1.1'




// Import Evervault
import com.evervault.Evervault;
// Initialize the client with your team’s API key
var evervault = new Evervault("<YOUR_API_KEY>");
// Encrypt your data
var encrypted = evervault.encrypt("Claude");
// Process the encrypted data in a Cage
var result ="hello-cage", encrypted, false, null);

Relay Interception

The Evervault Java SDK can be used to route all outbound HTTPS requests through Relay for decryption. This can be done by setting up a proxy to Evervault on your HTTP client.

To disable this behaviour, set intercept to false in the initialization options.

Evervault CA

To allow outbound interception with Relay the Evervault Root Ca certificate must be added to the JVM keystore.

curl --output evervault-ca.cert
sudo keytool -import -alias evervault-ca -file evervault-ca.cert -keystore <path/to/jdk/cacerts>
Setting up HTTP Client With Proxy

The Apache Closeable HTTP Client requires the proxy and credentials to be explicitly set. When initialising your http client, you will need to get the CredentialsProvider from the Evervault SDK and the host from the Evervault ProxySystemSettings class. If you set ignoreDomains when initialising the SDK, you will need to add the Evervault HttpRoutePlanner to the builder.

// Import ProxySettings for setting proxy host
import com.evervault.utils.ProxySystemSettings;
// Initialise Evervault SDK
var evervault = new Evervault(apiKey)
// Build httpClient with proxy
CloseableHttpClient httpClient = HttpClientBuilder
.setRoutePlanner(evervault.getEvervaultHttpRoutePlanner()) //This route planner has the ignoreDomains array loaded into it.
We currently only support CONNECT-over-TLS in order to avoid transmitting credentials in plaintext. The Apache Http Client does support this. The core Java Http Clients do NOT currently support this.

Manual Proxy

If you use a different http client to the Apache HTTPClient above and it supports CONNECT-over-TLS, you can setup relay interception by setting the http client to proxy requests through relay with these details:

userYour Evervault Team's UUID (Can be found in the Evervault Dashboard)
passwordYour Evervault Team's API_KEY (Can be found in the Evervault Dashboard)

Make sure to set intercept to false in the SDK if you are setting up the proxy manually. This will stop any conflicts.


The Evervault Java SDK exposes a constructor and two functions:

  • evervault.encrypt()

Evervault Constructor

Evervault constructor expects your api key which you can retrieve from evervault website. There are also optional parameters.

var evervault = new Evervault(API_KEY);
apiKeyStringThe API key of your Evervault Team
curveEvervault.EcdhCurveThe elliptic curve used for cryptographic operations. See Elliptic Curve Support to learn more.
interceptBooleanRoute outbound requests through Evervault to automatically decrypt encrypted fields.
ignoreDomainsString[]An array of hostnames which will not be routed through Evervault for decryption. eg("", "")


encrypt will encrypt your data and return an object which is a String in case you passed a literal type like bool, string, int, float, char, byte.

In case you pass a map<literal, literal> then the key will be preserved and the value will be an encrypted string. If value is another map for example, it will follow the sample principle recursively.

In case you pass a vector with literals the return will be vector with encrypted strings.

var name = (String) evervault.encrypt(plaintext_name);
dataObjectData to be encrypted. lets you invoke a Cage with a given payload.

var cageResult =, encryptedData, false, null);
cageNameStringName of the Cage to be run.
dataObjectPayload for the Cage.
asyncStringRun your Cage in async mode. Async Cage runs will be queued for processing.
versionObjectSpecify the version of your Cage to run. By default, the latest version will be run.

Was this page useful?