Proxy Functions
Proxy functions let you make API calls to third-party services from your static website without exposing secret keys in your frontend code. Instead of embedding API keys directly in your JavaScript, you route requests through a secure proxy that injects your secrets server-side.
Why Use Proxy Functions?
Static sites (built with frameworks like Next.js, Nuxt, Astro, or plain HTML) run entirely in the browser. Any API key you include in your frontend code is visible to anyone who opens the browser developer tools. This creates a serious security risk for services like Stripe, Brevo, OpenAI, and other APIs that require secret keys.
Proxy functions solve this by acting as a secure middleman:
- Your frontend sends a request to the proxy URL
- The proxy injects your secret keys server-side
- The proxy forwards the request to the third-party API
- The response is returned to your frontend
Your secret keys never leave the server and are never visible in the browser.
Two Modes
EnvManager offers two ways to use proxy functions:
Hosted Proxy
EnvManager hosts the proxy for you. Your frontend calls an EnvManager URL, and we handle the rest. This is the simplest option and requires no additional infrastructure.
- Proxy URL format: https://your-supabase-url/functions/v1/proxy-handler/{proxy-id}
- Authenticated with a per-proxy token via the x-proxy-token header
- CORS protection via configurable allowed origins
Downloadable Code
If you prefer to host the proxy yourself, you can download platform-specific code for:
- Vercel (Edge Functions)
- Netlify (Edge Functions)
- Cloudflare (Workers)
- AWS Lambda
The generated code reads your secrets from environment variables on the respective platform. You manage the secrets there using EnvManager's platform integrations or manually.
Before You Begin
To use proxy functions, you need:
- An EnvManager account
- A project with at least one environment
- At least one secret variable stored in that environment (the secret you want to inject)
- Admin or Owner role to create, edit, or delete proxy functions
Members without admin access can view proxy functions but cannot create, modify, or delete them.
Key Concepts
| Concept | Description |
|---|---|
| Target URL | The third-party API endpoint the proxy forwards requests to |
| Secret Mapping | A rule that injects a secret variable into the proxied request as a header, body field, or query parameter |
| Proxy Token | A unique token required in the x-proxy-token header to authenticate requests to your proxy |
| Allowed Origins | The domains permitted to call your proxy (CORS protection) |
| Template | A pre-configured starting point for common APIs (Stripe, Brevo, OpenAI, etc.) |
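The sketch below is an added example, not EnvManager's hosted handler or its downloadable code. It shows how the four concepts in the table fit together in a request handler. The config shape, the function names, the status codes, and all sample values are assumptions made for illustration.

```javascript
// Added example: config shape and names are hypothetical, not EnvManager's generated code.
// Constructed sample values mirroring the Key Concepts table.
const config = {
  targetUrl: "https://api.example.com/v1/send",   // Target URL (placeholder API)
  proxyToken: "constructed-proxy-token",          // Proxy Token
  allowedOrigins: ["https://www.example.com"],    // Allowed Origins
  secretMappings: [                               // Secret Mappings
    { variable: "API_KEY", location: "header", name: "authorization", prefix: "Bearer " },
    { variable: "ACCOUNT_ID", location: "query", name: "account" },
  ],
};

// Compares every character instead of returning at the first mismatch.
function tokenMatches(given, expected) {
  let diff = given.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= (given.charCodeAt(i) || 0) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Returns { status } on rejection, or { url, headers, body } for the upstream call.
// Assumes req.headers keys are already lower-cased and req.body is parsed JSON.
function buildUpstreamRequest(cfg, env, req) {
  if (!cfg.allowedOrigins.includes(req.headers["origin"])) return { status: 403 };
  if (!tokenMatches(String(req.headers["x-proxy-token"] ?? ""), cfg.proxyToken)) {
    return { status: 401 };
  }
  // The destination is fixed by configuration; the caller cannot redirect the proxy.
  const url = new URL(cfg.targetUrl);
  // Start from a clean header set so a caller-supplied Authorization is never forwarded.
  const headers = { "content-type": "application/json" };
  const body = { ...(req.body ?? {}) };
  // Apply mappings last so injected values override anything the caller sent.
  for (const m of cfg.secretMappings) {
    const secret = env[m.variable];
    if (secret === undefined) return { status: 500 }; // secret missing on the server
    const value = (m.prefix ?? "") + secret;
    if (m.location === "header") headers[m.name] = value;
    else if (m.location === "query") url.searchParams.set(m.name, value);
    else if (m.location === "body") body[m.name] = value;
  }
  return { url: url.toString(), headers, body };
}
```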
Plan Limits
Proxy functions are available on all plans with the following limits:
| Feature | Free Plan | Pro Plan |
|---|---|---|
| Proxy functions | 3 | 25 |
| Monthly invocations (included) | 500 | 5,000 |
When you reach your included invocation limit, requests continue to work and overage is tracked. A 10x safety valve stops requests if usage reaches 10 times your plan's included amount. See Usage & Billing for full details.
When you reach the proxy function count limit, existing proxies continue to work but you cannot create new ones until you upgrade or remove unused proxies.
Next Steps
Creating Proxy Functions
Step-by-step guide to creating your first proxy function.
Configuration
Set up secret mappings, CORS origins, and request bodies.
Testing
Test your proxy functions before going live.
Downloading Code
Get platform-specific code for self-hosted proxies.
Managing Proxies
Enable, disable, regenerate tokens, and delete proxy functions.
Rate Limiting
Limit requests per minute to protect against abuse and runaway scripts.
Usage & Billing
Understand invocation quotas, overage billing, and how to track usage.
Analytics Dashboard
Monitor invocation trends, error rates, response times, and top proxies.
Integrating in Your Code
Replace direct API calls with your proxy URL in your frontend.
Templates
Pre-configured proxies for Brevo, Stripe, and OpenAI.