Enkryptify secret-injecting HTTP proxy. Built with Hono on Bun.
Runs on Vercel's Bun runtime via bunVersion: 1.x in apps/proxy/vercel.json.
Vercel project settings
| Setting | Value |
|---|---|
| Root Directory | apps/proxy |
| Install / Build | Handled by vercel.json (cd ../.. && bun install / bun run build:vercel) |
| Production branch | main |
The Deploy button pre-fills every environment variable below. Replace the placeholder secrets (DATABASE_URL, PROXY_KEY, JWT_*) before going live.
| Variable | Example | Required | Description |
|---|---|---|---|
DATABASE_URL |
postgres://user:pass@host:5432/proxy?sslmode=require |
Yes (admin panel) | PostgreSQL for users, whitelist, tunnel logs |
DATABASE_LOGGING |
true |
No | Write tunnel requests to tunnel_log |
DATABASE_MIGRATE_ON_START |
true |
No | Run Drizzle migrations on cold start |
PROXY_KEY |
ek_live_… |
Yes (admin + vault) | Enkryptify API token — resolves workspace |
ENKRYPTIFY_API_URL |
https://api.enkryptify.com |
No | Vault base URL |
JWT_ACCESS_SECRET |
random-32+-char-string |
Yes (admin panel) | HMAC secret for access tokens (min. 32 chars) |
JWT_REFRESH_SECRET |
different-32+-char-string |
Yes (admin panel) | HMAC secret for refresh tokens — must differ |
JWT_ACCESS_TTL_SECONDS |
900 |
No | Access token lifetime (default 15 min) |
JWT_REFRESH_TTL_SECONDS |
2592000 |
No | Refresh cookie lifetime (default 30 days) |
ADMIN_WEB_ORIGINS |
https://enkryptify-proxy.vercel.app |
Yes (admin panel) | CORS + cookie origin(s), comma-separated |
COOKIE_SECURE |
true |
Yes (Vercel) | httpOnly refresh cookie only over HTTPS |
ENABLE_ADMIN_WEB |
true or false |
No | Build and serve the admin dashboard (see below) |
NODE_ENV |
production |
No | Set automatically on Vercel |
PORT |
3000 |
No | Local default; ignored on Vercel serverless |
| Value | Result |
|---|---|
true (default in Deploy button) |
Proxy + admin panel on one domain (/, /login, /api/*, tunnel on /{workspace}/…) |
false |
Proxy only — no SPA build; all routes hit the Bun handler |
When the panel is enabled, update ADMIN_WEB_ORIGINS to your real Vercel URL after the first deploy.
The monorepo build (bun run build:vercel) uses Turbo to:
- Always bundle the proxy →
apps/proxy/api/index.js - Optionally build the admin SPA →
apps/proxy/public-admin/whenENABLE_ADMIN_WEBis notfalse
Configure secrets through Enkryptify — do not commit .env files:
# From the monorepo root:
bun install
ek run -- bun run db:migrate
ek run -- bun run admin:create -- --email you@example.com --username you --password '<strong>'
ek run -- bun run dev # proxy :3000 + panel :5173
ENABLE_ADMIN_WEB=false ek run -- bun run dev # proxy onlyHealth check: curl http://localhost:3000/health
bun install
ek run -- bun run build:vercel
ENABLE_ADMIN_WEB=false ek run -- bun run build:vercel # proxy only
cd apps/proxy && bunx vercel deploy --prodReact/Vite SPA with Tailwind CSS v4 (@tailwindcss/vite). Talks to the proxy via /api/auth/* and /api/admin/*. The
JWT lives only in memory (never localStorage/sessionStorage); a 30-day
httpOnly refresh cookie restores the session on cold start and a silent refresh
runs 60s before the access token expires.
- Dashboard —
/healthstatus, request counts, average + p95 response time - Whitelist — per-workspace allow-list of upstream hostnames
- Logs — paginated tunnel-log table
- Settings — whitelist-mode toggle
With ENABLE_ADMIN_WEB enabled, the panel is built into apps/proxy/public-admin/
on the same origin; leave VITE_API_BASE_URL empty.
To host the panel on a separate origin, set ENABLE_ADMIN_WEB=false, deploy
apps/web elsewhere, set VITE_API_BASE_URL to the proxy URL, and add the panel
origin to ADMIN_WEB_ORIGINS.