Proxy API Use Cases
Proxy API Use Cases
1. Store Application Secrets Safely
Use the Proxy API to store DB credentials, third-party tokens, and internal keys without persisting plaintext in backend storage.
1
2
3
4
5
6
7
8
9
const valueB64 = btoa ( "postgres://app:pass@db:5432/main" );
await fetch ( "https://dev2-api.harden.cloud/v1/kv/db-connection" , {
method : "PUT" ,
headers : {
"X-Api-Key" : apiKey ,
"Content-Type" : "application/json"
},
body : JSON . stringify ({ valueB64 })
});
2. Runtime Secret Retrieval
Read decrypted values only at runtime with the user secret.
1
2
3
4
5
6
7
8
const res = await fetch ( "https://dev2-api.harden.cloud/v1/kv/db-connection" , {
headers : {
"X-Api-Key" : apiKey ,
"X-User-Secret" : userSecret
}
});
const payload = await res . json ();
const connectionString = atob ( payload . valueB64 );
3. Per-User Key Material Initialization
Generate user key material once before encrypted reads or encrypted file workflows.
1
2
3
4
5
6
7
await fetch ( "https://dev2-api.harden.cloud/v1/keys/generate" , {
method : "POST" ,
headers : {
"X-Api-Key" : apiKey ,
"X-User-Secret" : userSecret
}
});
4. Rotate The User Secret Without Reissuing The API Key
Change the secret that protects encrypted private keys while keeping the same user identity and API key.
1
2
3
4
5
6
7
8
await fetch ( "https://dev2-api.harden.cloud/v1/keys/rekey" , {
method : "POST" ,
headers : {
"X-Api-Key" : apiKey ,
"X-User-Secret" : oldUserSecret ,
"X-New-User-Secret" : newUserSecret
}
});
5. Encrypted File Vault
Store per-user encrypted files (for example config snapshots or signed documents).
1
2
3
4
5
6
7
8
9
10
11
12
13
14
const contentB64 = btoa ( JSON . stringify ({ env : "dev" , token : "abc" }));
await fetch ( "https://dev2-api.harden.cloud/v1/files" , {
method : "POST" ,
headers : {
"X-Api-Key" : apiKey ,
"X-User-Secret" : userSecret ,
"Content-Type" : "application/json"
},
body : JSON . stringify ({
fileName : "snapshot.json" ,
contentB64 ,
contentType : "application/json"
})
});
6. Org-Scoped User Discovery
List users in the same organization when building trusted-user pickers or internal sharing flows.
1
2
3
4
const usersRes = await fetch ( "https://dev2-api.harden.cloud/v1/users/org" , {
headers : { "X-Api-Key" : apiKey }
});
const users = await usersRes . json ();
7. Share A Secret Without Exposing Plaintext To Backend
Grant a teammate read-only access to one encrypted value. Proxy unwraps the DEK locally, re-wraps it to the recipient’s public keys, and stores only the new wrapped key material plus encrypted alias metadata.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
await fetch ( "https://dev2-api.harden.cloud/v1/kv/db-connection/shares" , {
method : "POST" ,
headers : {
"X-Api-Key" : apiKey ,
"X-User-Secret" : userSecret ,
"Content-Type" : "application/json"
},
body : JSON . stringify ({
recipientUserId ,
permission : "read" ,
alias : "primary database" ,
expiresUtc : "2026-03-24T12:00:00Z"
})
});
8. Shared Secret Inbox For Recipients
Show the secrets currently shared with a user before they fetch the underlying plaintext.
1
2
3
4
5
6
7
const sharedRes = await fetch ( "https://dev2-api.harden.cloud/v1/kv/shared" , {
headers : {
"X-Api-Key" : apiKey ,
"X-User-Secret" : userSecret
}
});
const shares = await sharedRes . json ();
The recipient can later remove their own access with DELETE /v1/kv/shared/{shareId}.
9. Encrypted File Handoff Between Users
Share a file with another user in the same org without decrypting the ciphertext at rest in Backend.
1
2
3
4
5
6
7
8
9
10
11
12
13
await fetch ( `https://dev2-api.harden.cloud/v1/files/ ${ fileId } /shares` , {
method : "POST" ,
headers : {
"X-Api-Key" : apiKey ,
"X-User-Secret" : userSecret ,
"Content-Type" : "application/json"
},
body : JSON . stringify ({
recipientUserId ,
permission : "read" ,
expiresUtc : "2026-03-24T12:00:00Z"
})
});
Recipients can list inbound shares from GET /v1/files/shared and download them from GET /v1/files/shared/{shareId}.
10. Trusted-User Recovery
Store encrypted recovery shares for a trustee, then allow the trustee to submit restored encrypted private keys when recovery is needed.
1
2
3
4
5
6
7
8
9
10
11
12
13
await fetch ( `https://dev2-api.harden.cloud/v1/recovery/trustees/ ${ trusteeUserId } ` , {
method : "PUT" ,
headers : {
"X-Api-Key" : apiKey ,
"Content-Type" : "application/json"
},
body : JSON . stringify ({
encryptedPrivateKeyEccShareB64 : eccShareB64 ,
encryptedPrivateKeyKyberShareB64 : kyberShareB64 ,
xorApplied : true ,
xorSaltHint : "dog-name"
})
});
Trustee restore:
1
2
3
4
5
6
7
8
9
10
11
12
13
await fetch ( `https://dev2-api.harden.cloud/v1/recovery/restore/ ${ ownerUserId } ` , {
method : "POST" ,
headers : {
"X-Api-Key" : trusteeApiKey ,
"Content-Type" : "application/json"
},
body : JSON . stringify ({
encryptedPrivateKeyEccB64 : restoredEccB64 ,
encryptedPrivateKeyKyberB64 : restoredKyberB64 ,
usedXor : true ,
xorSaltHint : "dog-name"
})
});
11. Zero-Trust Internal Services
Use separate API keys per service user and rotate compromised keys with org admin tools.
Limits blast radius to one service account.
Preserves tenant isolation by org and user.
Keeps encrypted data at rest even in shared backend infrastructure.
12. Use Proxy As A Single Public Edge
If your deployment exposes Proxy as the main public API host, you can route both encrypted data calls and selected admin flows through the same hostname.
Typical split:
Proxy v1 routes for crypto-sensitive user data operations
Proxy /admin/* passthrough routes for bootstrap and org-user lifecycle
Backend kept private behind the Proxy and web apps