Ephemeral Proxy
The Ephemeral Proxy is a one-shot HTTPS proxy. Unlike Routes, there is no pre-configured row — every call is its own invocation. You pass the upstream URL in a header, KnoxCall validates it, swaps any{{ token: ... }} references for the underlying vault values, and forwards the request.
The composition with Vaults is the killer feature: store the token in your database, send the token to KnoxCall, KnoxCall sends the raw value to the upstream. Your systems never hold the raw card number, SSN, or API secret.
When to use it
Use Ephemeral Proxy when:- The destination URL is dynamic — chosen per-request, not per-route.
- You want to detokenize vault tokens last-mile (PCI-scope reduction, PII handling).
- You need a quick passthrough without configuring a Route, ApiKey scope, environment overrides, etc.
- You call the same upstream repeatedly and want signing, rate limits, env overrides, and full per-request observability.
- You need IP allowlisting, mTLS, or method-specific configuration.
- You want logs grouped by route in the dashboard.
How a request flows
Quick example
tok_01HZX... came from a prior POST /v1/vaults/.../tokenize call — see the Vaults overview.
Template syntax
Two reference forms are supported in the JSON body and query string:
Templates are scanned in body and query only. Headers pass through unchanged in v1 — header-injection is a separate hardening pass.
If a token isn’t found, KnoxCall returns
400 token_not_found rather than silently sending an empty value to the upstream.
Required and optional headers
Reserved headers (
Authorization, Host, Content-Length, anything starting with X-Knox-) are stripped before the request reaches the upstream. Every other header you send is forwarded unchanged.
What you get back
KnoxCall passes the upstream response through verbatim — same status code, same headers (minus hop-by-hop), same body bytes. KnoxCall adds two headers so you can correlate:
If the upstream is unreachable, KnoxCall returns
502 upstream_error.
Limits and gates
Audit and observability
Every invocation writes:- An
api_requestsrow withproxy_mode = 'ephemeral', status code, latency, upstream host, token count, and source IP. The body, headers, and token values are not stored. - An
audit_logentry taggedephemeral_proxy.invoke. - A Fleet Graph signal carrying
(method, upstream_host, status_code, latency_ms)— never the body, never the token strings, never the customer’s path.
GET /v1/audit-logs?action=ephemeral_proxy.invoke (Audit Logs).
Comparison: Routes vs Ephemeral Proxy
Next steps
- See the Ephemeral Proxy API reference for the complete request/response schema.
- See Vaults to create the tokens you’ll reference.
- See Routes when you need a persistent, observable proxy instead.