Proxy Function Configuration
This guide covers the three main configuration areas for proxy functions: secret mappings, CORS allowed origins, and request body handling.
Secret Mappings
Secret mappings define how your secret variables are injected into the proxied request. Each mapping connects a secret variable from your environment to a specific location in the outgoing API request.
Adding a Secret Mapping
Open the Proxy Form
Create a new proxy or edit an existing one.
Click Add Secret Mapping
In the Secret Mapping section, click Add secret mapping to add a new row.
Select a Variable
Choose the secret variable to inject from the dropdown. Only secret (encrypted) variables from the current environment are shown.
Choose the Injection Method
Select where the secret should be injected:
| Method | Description | Example Use Case |
|---|---|---|
| Header | Adds the value as an HTTP header | API keys sent as Authorization: Bearer sk_... or api-key: your-key |
| Body | Injects the value into the JSON request body | APIs that expect credentials in the POST body |
| Query | Appends the value as a URL query parameter | APIs that use ?api_key=your-key style authentication |
Set the Key Name
Enter the key name for the injection:
- Header: the header name (e.g., Authorization, api-key, X-API-Key)
- Body: the JSON field name (e.g., api_key, credentials.token)
- Query: the query parameter name (e.g., api_key, token)
Set a Template (Optional)
For headers, you can use a template to format the value. For example, many APIs expect Bearer <token> format. Enter Bearer ${value} in the template field, and the proxy will replace ${value} with your actual secret at runtime.
Leave the template empty to inject the raw secret value.
Multiple Mappings
You can add multiple secret mappings to a single proxy. This is useful when an API requires multiple credentials (e.g., both an API key and a project ID).
Removing a Mapping
Click the trash icon on a mapping row to remove it. Empty mappings (no variable selected or no key set) are automatically ignored when saving.
CORS Allowed Origins
CORS (Cross-Origin Resource Sharing) controls which websites can call your proxy. This prevents unauthorized sites from using your proxy endpoint.
How It Works
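When a browser makes a request to your proxy from a different domain, the browser checks the CORS headers in the response. If the requesting domain is not in the allowed origins list, the browser blocks the calling page from reading the response. This check is enforced by the browser: a non-browser client can send any Origin header value, so the allowed origins list is not a substitute for authenticating callers.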
Configuring Allowed Origins
Open the CORS Origins Section
In the proxy creation or edit form, find the CORS Origins section.
Add Origins
By default, a new proxy allows all origins (*). To restrict access:
- Remove the * entry
- Click Add origin
- Enter the full origin URL (e.g., https://mywebsite.com)
- Repeat for each domain that needs access
Save
Click Create Proxy or Update Proxy to apply the changes.
Origin Format
| Format | Description |
|---|---|
| * | Allow all origins (default, least restrictive) |
| https://example.com | Allow only this specific origin |
| http://localhost:3000 | Allow local development (useful during testing) |
Using * allows any website to call your proxy. For production proxies, always specify the exact domains that should have access.
Multiple Origins
You can add multiple allowed origins. The proxy checks each incoming request's Origin header against the list and responds with the matching origin in the Access-Control-Allow-Origin header.
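One way to implement the origin check described above, as an added example that is not the product's own code. It compares normalized origins exactly (never by prefix or substring) and adds `Vary: Origin`, a standard caching precaution when the echoed origin differs per request; the function names and the sample list are assumptions.

```javascript
// Added example: exact-match check of the Origin header against an allowlist.
// normalizeOrigin and corsHeaders are hypothetical names, not the product's API.

function normalizeOrigin(value) {
  // An origin is scheme + host + optional port; reject anything with more.
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // not a URL at all, e.g. the literal string "null"
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.pathname !== '/' || url.search || url.hash || url.username) return null;
  return url.origin; // lower-cased host, default port removed
}

function corsHeaders(requestOrigin, allowedOrigins) {
  if (allowedOrigins.includes('*')) {
    return { 'Access-Control-Allow-Origin': '*' };
  }
  const allowed = new Set(allowedOrigins.map(normalizeOrigin).filter(Boolean));
  const origin = requestOrigin ? normalizeOrigin(requestOrigin) : null;
  if (origin && allowed.has(origin)) {
    // Echo only the single matching origin, never the whole list.
    return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  }
  // No match: send no Access-Control-Allow-Origin header at all.
  return { Vary: 'Origin' };
}

// Constructed sample list, mirroring the formats in the Origin Format table.
const ALLOWED = ['https://example.com', 'http://localhost:3000'];
console.log(corsHeaders('https://example.com', ALLOWED));
console.log(corsHeaders('https://example.com.other.test', ALLOWED));
```

A look-alike host, a different scheme, or a missing Origin header all fall through to the no-match branch.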
Request Body
The request body configuration controls what data is sent to the third-party API.
Pass Through (Default)
When Pass through client body is enabled, the proxy forwards the request body from the caller to the target API exactly as received. This is the most common setting -- your frontend sends the body, and the proxy passes it along while injecting the secret headers.
Body Template
When pass-through is disabled, you can define a fixed JSON body template. This is useful when:
- The third-party API expects a specific body format that never changes
- You want to prevent the frontend from sending arbitrary data
- The API credentials need to be embedded in the body (combined with body-type secret mappings)
Enter the body template as valid JSON in the text area. Invalid JSON will show an error and prevent saving.
Static Headers
Static headers are sent with every proxied request, in addition to any headers injected by secret mappings. Common uses include:
| Header | Value | Purpose |
|---|---|---|
| Content-Type | application/json | Tell the API you're sending JSON |
| Accept | application/json | Request a JSON response |
| User-Agent | MyApp/1.0 | Identify your application |
Adding Static Headers
Find the Static Headers Section
In the Target API section of the proxy form, find Static Headers.
Add a Header
Click Add header to create a new row. Enter the header name and value.
Remove a Header
Click the trash icon on a header row to remove it.
Secret mappings with inject_as: header are merged with static headers at runtime. If a secret mapping uses the same header name as a static header, the secret mapping takes precedence.
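The secret mapping rules from the Secret Mappings section and the precedence rule above, sketched as an added example that is not the product's own code. Only `inject_as` appears on this page; the other field names, the nested reading of dotted body keys, and case-insensitive header matching are assumptions.

```javascript
// Added example. Only `inject_as` is on the page; other field names are hypothetical.
function setPath(obj, dottedKey, value) {
  // Assumes "credentials.token" means a nested field, not a literal key.
  if (/(^|\.)(__proto__|constructor|prototype)(\.|$)/.test(dottedKey)) {
    throw new Error('unsafe body key');
  }
  const parts = dottedKey.split('.');
  const last = parts.pop();
  let node = obj;
  for (const part of parts) {
    if (typeof node[part] !== 'object' || node[part] === null) node[part] = {};
    node = node[part];
  }
  node[last] = value;
}

function buildUpstreamRequest(proxy, secrets, clientBody) {
  const url = new URL(proxy.targetUrl);
  const body = JSON.parse(JSON.stringify(clientBody || {}));
  const headers = new Map(); // keyed by lower-cased name (case-insensitive)
  for (const [name, value] of Object.entries(proxy.staticHeaders || {})) {
    headers.set(name.toLowerCase(), [name, value]);
  }
  for (const m of proxy.secretMappings) {
    if (!m.variable || !m.key) continue; // empty mappings are ignored
    const secret = secrets[m.variable];
    if (typeof secret !== 'string') throw new Error(`secret not set: ${m.variable}`);
    if (m.inject_as === 'header') {
      // split/join: String.replace would expand "$&" inside a secret.
      const value = m.template ? m.template.split('${value}').join(secret) : secret;
      if (/[\r\n]/.test(value)) throw new Error(`invalid header value: ${m.key}`);
      headers.set(m.key.toLowerCase(), [m.key, value]); // wins over static header
    } else if (m.inject_as === 'body') {
      setPath(body, m.key, secret);
    } else if (m.inject_as === 'query') {
      url.searchParams.set(m.key, secret);
    }
  }
  return { url: url.toString(), headers: Object.fromEntries(headers.values()), body };
}

// Constructed sample: fake secrets, placeholder target URL.
const SAMPLE_SECRETS = { API_KEY: 'sk_test_$&constructed', PROJECT_ID: 'proj-123' };
const SAMPLE_PROXY = {
  targetUrl: 'https://api.example.com/v1/items',
  staticHeaders: { 'Content-Type': 'application/json', authorization: 'none' },
  secretMappings: [
    { variable: 'API_KEY', inject_as: 'header', key: 'Authorization', template: 'Bearer ${value}' },
    { variable: 'PROJECT_ID', inject_as: 'query', key: 'project' },
    { variable: 'API_KEY', inject_as: 'body', key: 'credentials.token' },
  ],
};
```

Errors name the variable or key, never the secret value, so a failed mapping does not leak the credential into logs.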