Advanced Route Configuration

Take full control of your API routing with advanced configuration options including header injection, body injection, method-specific behaviors, and secret injection.

Header Injection

Automatically add or modify headers on all requests forwarded to your backend.

Static Headers

Add fixed headers to every request:
{
  "X-API-Version": "v2",
  "X-Service-Name": "knoxcall-proxy"
}
Configuration:
  1. Edit route → Config tab → Header Injection section
  2. Add headers in JSON format
  3. Save
Example request:
# Client sends:
curl https://a1b2c3d4.acme.knoxcall.com/api/users \
  -H "x-knoxcall-route: my-route"

# KnoxCall forwards with injected headers:
GET /api/users
X-API-Version: v2
X-Service-Name: knoxcall-proxy

Secret Injection in Headers

Inject encrypted secrets as headers using the {{secret:name}} syntax:
{
  "Authorization": "Bearer {{secret:api_token}}",
  "X-API-Key": "{{secret:stripe_key}}",
  "X-Custom-Auth": "{{secret:custom_credential}}"
}
KnoxCall automatically:
  • Retrieves the secret from the encrypted vault
  • Decrypts it at request time
  • Injects it into the header
  • Never logs the actual value
You can also reference secrets by ID using the {{secret_id:uuid}} syntax.

Multiple Secrets

Use multiple secrets in a single header configuration:
{
  "Authorization": "Bearer {{secret:primary_key}}",
  "X-Webhook-Secret": "{{secret:webhook_secret}}",
  "X-Partner-Key": "{{secret:partner_api_key}}"
}
All secrets are decrypted and injected in a single pass.

Body Injection

Inject fields into JSON request bodies. This merges your injected fields with the client’s original request body.

Static Fields

Add fixed fields:
{
  "source": "knoxcall",
  "version": "1.0",
  "metadata": {
    "proxied": true
  }
}
Original request body:
{
  "username": "john",
  "email": "john@example.com"
}
Forwarded body:
{
  "username": "john",
  "email": "john@example.com",
  "source": "knoxcall",
  "version": "1.0",
  "metadata": {
    "proxied": true
  }
}

Secret Injection in Body

Inject secrets into request bodies:
{
  "api_key": "{{secret:printnode_key}}",
  "client_secret": "{{secret:oauth_client_secret}}",
  "credentials": {
    "username": "{{secret:service_username}}",
    "password": "{{secret:service_password}}"
  }
}
Body injection only works with JSON payloads. Non-JSON bodies are passed through unchanged.

Nested Field Injection

Inject into nested structures:
{
  "auth": {
    "type": "bearer",
    "token": "{{secret:bearer_token}}"
  },
  "options": {
    "timeout": 30,
    "retry": true
  }
}

Method-Specific Configuration

Configure different behaviors per HTTP method. This lets you use different credentials and settings for reads vs. writes.

Setup

  1. Edit route → Config tab → Method Configurations section
  2. Add configuration for each method
  3. Configure headers, body, secrets per method

Example: Read/Write Separation

GET requests — read-only key:
{
  "Authorization": "Bearer {{secret:read_only_key}}"
}
POST/PUT requests — write key:
{
  "Authorization": "Bearer {{secret:write_key}}"
}
DELETE requests — admin key with signature:
{
  "Authorization": "Bearer {{secret:admin_key}}"
}

Benefits

  • Security: Use different credentials per action
  • Rate Limiting: Restrict writes more than reads
  • Auditing: Track who performs each action type
  • Compliance: Enforce stricter rules on destructive operations
See Method-Specific Config for a full guide.

Environment Overrides

Configure different target URLs, headers, and secrets per environment. This is managed from the Environment tab on the route detail page.

How It Works

Base route (production):
Target: https://api.production.com
Headers: {
  "Authorization": "Bearer {{secret:prod_key}}"
}
Development override:
Target: https://localhost:3000
Headers: null  (inherited from base)
Staging override:
Target: https://api.staging.com
Headers: {
  "Authorization": "Bearer {{secret:staging_key}}"
}
A null value inherits the corresponding setting from the base configuration. See Environments for a full guide.

Best Practices

1. Always Use Secrets for Sensitive Data

Bad:
{
  "Authorization": "Bearer sk_live_abc123xyz789"
}
Good:
{
  "Authorization": "Bearer {{secret:api_token}}"
}
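
A pre-deployment check for this practice, as an added example (not KnoxCall's own code): it walks a header or body injection config, flags credential-looking fields that hold a literal value, and flags placeholders that match neither {{secret:name}} nor {{secret_id:uuid}}. The function name, the allowed characters in secret names, and the list of sensitive field names are assumptions.

```python
import re

# The two placeholder forms documented on this page.
PLACEHOLDER = re.compile(r"\{\{(secret|secret_id):([^{}]+)\}\}")
NAME_OK = re.compile(r"[A-Za-z0-9_]+")  # assumption: names look like api_token
UUID_OK = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Assumption: a heuristic for field names that usually carry credentials.
SENSITIVE = re.compile(r"auth|token|secret|password|credential|key", re.I)

# Constructed sample: the page's "Bad" header plus two broken placeholders.
SAMPLE = {
    "Authorization": "Bearer sk_live_abc123xyz789",
    "X-API-Key": "{{secret:stripe_key}}",
    "X-API-Version": "v2",
    "credentials": {
        "username": "{{secret:service_username}}",
        "password": "{{secrets:service_password}}",
    },
    "auth": {"type": "bearer", "token": "{{secret_id:not-a-uuid}}"},
}


def lint_injection(config, path=""):
    """Return (field path, problem) findings for a header or body injection config."""
    findings = []
    for key, value in config.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):  # nested body fields such as credentials.password
            findings += lint_injection(value, here)
            continue
        if not isinstance(value, str):
            continue
        refs = PLACEHOLDER.findall(value)
        for kind, ref in refs:
            ok = UUID_OK.fullmatch(ref) if kind == "secret_id" else NAME_OK.fullmatch(ref)
            if not ok:
                findings.append((here, f"malformed {kind} reference: {ref!r}"))
        # Braces left over after removing valid placeholders indicate a typo
        # that matches neither documented form.
        rest = PLACEHOLDER.sub("", value)
        if "{" in rest or "}" in rest:
            findings.append((here, "unrecognised placeholder syntax"))
        elif not refs and SENSITIVE.search(key) and value.strip():
            findings.append((here, "hardcoded value in credential field"))
    return findings


if __name__ == "__main__":
    for field, problem in lint_injection(SAMPLE):
        print(f"{field}: {problem}")
```

Running it against exported route configs in CI keeps literal tokens out of the configuration before they reach a production route.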

2. Use Method-Specific Configs

Use different credentials for different operations:
GET: read_only_key
POST/PUT/DELETE: write_key with signature required

3. Test in Staging First

Always verify configuration changes in a staging environment before deploying to production.

4. Keep Header Injection Simple

Only inject headers your backend actually needs. Don’t add unnecessary headers that could cause conflicts.

Next Steps

  • Method-Specific Config: Deep dive into method configs
  • Secret Management: Learn about secrets
  • Rate Limiting: Configure rate limits
  • Request Signing: Add signature verification

📊 Statistics

  • Level: advanced
  • Time: 15 minutes
