Node.js SDK

A full reference of our Node.js SDK.

You can use our Node.js SDK to:

  1. Encrypt data at your server
  2. Run your Functions
  3. Encrypt/decrypt data with Relay

You can use our Node.js SDK to encrypt data — rather than with Relay — and still send it to a third-party via Outbound Interception. Encrypting with our backend SDKs is best for developers who want to avoid the network latency of Relay and/or want to avoid sending plaintext data to Relay to be encrypted.

Encrypting data with our backend SDKs instead of Relay may expose you to greater compliance burden because plaintext data touches your server before it is encrypted.

You don’t need to change your database configuration. You can store Evervault-encrypted data in your database as you would the plaintext version.


Our Node.js SDK is distributed via npm, and can be installed using your preferred package manager.

# Install using npm
npm install @evervault/sdk
# Install using Yarn
yarn add @evervault/sdk


const Evervault = require('@evervault/sdk');
// Initialize the client with your team’s API key
const evervault = new Evervault('<YOUR_API_KEY>');
// Encrypt your data
const encrypted = await evervault.encrypt({ name: 'Alice' });
// Process the encrypted data in a Function
const result = await'hello-function', encrypted);


The Evervault Node.js SDK exposes four functions:

  • @evervault/sdk() (constructor)
  • evervault.encrypt()
  • evervault.createRunToken()


The SDK constructor accepts two parameters:

  1. Your team's API key
  2. Optional configuration parameters
const Evervault = require('@evervault/sdk');
const evervault = new Evervault(apiKey: String, config: Object);
apiKeyStringYour team's API key
configObjectOptions for the SDK session
decryptionDomainsArray[]Requests sent to any of the domains listed will be proxied through outbound interception. Wildcard domains are supported. See Outbound Interception to learn more.
enableOutboundRelay (beta)BooleanfalseEnables Outbound Relay by syncing your Outbound Relay Destinations configured in your Evervault App.
retryBooleanfalseRetry failed Cage operations (maximum of 3 retries; false by default).
curveStringsecp256k1The elliptic curve used for cryptographic operations. Pass prime256v1 to enable the secp256r1 curve. See Elliptic Curve Support to learn more.
debugRequestsBooleanfalseOutput request domains and whether they were sent through outbound interception

We provide two curve options. You can set them as part of your config as follows:

  • { curve: Evervault.CURVES.SECP256K1, ... } or
  • { curve: Evervault.CURVES.PRIME256V1, ... }


evervault.encrypt() encrypts data for use in your Functions and through Relay. To encrypt data at the server, simply pass an object or string into the evervault.encrypt() function. Store the encrypted data in your database as normal.

async evervault.encrypt(data: Object | Array | String | Number);
dataObject, Array, String or NumberData to be encrypted. lets you invoke a Function with a given payload.

async String, data: Object[, options: Object]);
functionNameStringName of the Function to be run.
dataObjectPayload for the Function.
optionsObjectOptions for the Function run.
asyncBooleanfalseRun your Function in async mode. Async Function runs will be queued for processing.
versionNumberundefinedSpecify the version of your Function to run. By default, the latest version will be run.


evervault.createRunToken() creates a single use, time bound token for invoking a function.

async evervault.createRunToken(functionName: String, payload: Object);
functionNameStringName of the Function the run token should be created for.
dataObjectPayload that the token can be used with.

Was this page useful?