Skip to main content

Ephemeral Proxy

The Ephemeral Proxy is a one-shot HTTPS proxy. Unlike Routes, there is no pre-configured row — every call is its own invocation. You pass the upstream URL in a header, KnoxCall validates it, swaps any {{ token: ... }} references for the underlying vault values, and forwards the request. The composition with Vaults is the killer feature: store the token in your database, send the token to KnoxCall, KnoxCall sends the raw value to the upstream. Your systems never hold the raw card number, SSN, or API secret.

When to use it

Use Ephemeral Proxy when:
  • The destination URL is dynamic — chosen per-request, not per-route.
  • You want to detokenize vault tokens last-mile (PCI-scope reduction, PII handling).
  • You need a quick passthrough without configuring a Route, ApiKey scope, environment overrides, etc.
Use Routes when:
  • You call the same upstream repeatedly and want signing, rate limits, env overrides, and full per-request observability.
  • You need IP allowlisting, mTLS, or method-specific configuration.
  • You want logs grouped by route in the dashboard.

How a request flows

The token strings, raw values, and bodies are never logged. Only metadata (upstream host, status code, latency, token count) lands in the audit chain and the Fleet Graph.

Quick example

The tok_01HZX... came from a prior POST /v1/vaults/.../tokenize call — see the Vaults overview.

Template syntax

Two reference forms are supported in the JSON body and query string: Templates are scanned in body and query only. Headers pass through unchanged in v1 — header-injection is a separate hardening pass. If a token isn’t found, KnoxCall returns 400 token_not_found rather than silently sending an empty value to the upstream.

Required and optional headers

Reserved headers (Authorization, Host, Content-Length, anything starting with X-Knox-) are stripped before the request reaches the upstream. Every other header you send is forwarded unchanged.

What you get back

KnoxCall passes the upstream response through verbatim — same status code, same headers (minus hop-by-hop), same body bytes. KnoxCall adds two headers so you can correlate: If the upstream is unreachable, KnoxCall returns 502 upstream_error.

Limits and gates

Audit and observability

Every invocation writes:
  • An api_requests row with proxy_mode = 'ephemeral', status code, latency, upstream host, token count, and source IP. The body, headers, and token values are not stored.
  • An audit_log entry tagged ephemeral_proxy.invoke.
  • A Fleet Graph signal carrying (method, upstream_host, status_code, latency_ms) — never the body, never the token strings, never the customer’s path.
You can query the audit chain via GET /v1/audit-logs?action=ephemeral_proxy.invoke (Audit Logs).

Comparison: Routes vs Ephemeral Proxy

Next steps