Encryption Proxy
The Encryption Proxy is a secure gateway that runs in your environment and connects to Subnoto’s enclave on your behalf. It performs remote attestation and establishes an encrypted tunnel to the enclave, so you can call the Subnoto API with plain HTTP (e.g. curl or any REST client) while the proxy handles authentication, attestation, and the secure channel. You send requests to the proxy; it forwards them to the enclave over the tunnel and returns the responses.
Security: To verify the container’s authenticity and inspect its SBOM, see the Attestation & Verification Guide.
Using the Container
Section titled “Using the Container”Run the Encryption Proxy container with Docker:
docker run -p 8080:8080 subnoto/api-proxy:latestThe container exposes the API proxy service on port 8080. You can map this to any port on your
host machine by changing the first port number (e.g., -p 3000:8080 to expose on port 3000).
Mac users (Apple Silicon): If you encounter connection issues, explicitly bind to localhost and specify the platform:
docker run --platform linux/amd64 -p 127.0.0.1:8080:8080 subnoto/api-proxy:latestNote: The container does not require environment variables to run. API credentials are provided when making requests, not when starting the container.
API Authentication
Section titled “API Authentication”To use the Encryption Proxy, you need an access key and secret key. See Create API keys for how to create and manage them in your Subnoto workspace.
Making Authenticated Requests
Section titled “Making Authenticated Requests”Include your credentials in the Authorization header using the Bearer token format:
Authorization: Bearer $ACCESS_KEY:$SECRET_KEYBasic API Usage
Section titled “Basic API Usage”Test your connection with the whoami endpoint:
curl http://localhost:8080/public/utils/whoami \ -H "Authorization: Bearer $ACCESS_KEY:$SECRET_KEY" \ -H "Content-Type: application/json" \ -d '{}'Replace:
localhost:8080with your deployment URL if the container is running elsewhere$ACCESS_KEYwith your actual access key$SECRET_KEYwith your actual secret key
A successful response will return information about your authenticated session:
{ "teamUuid": "...", "teamName": "...", "ownerEmail": "...", "ownerUuid": "...", "accessKey": "..."}Tutorials
Section titled “Tutorials”Troubleshooting
Section titled “Troubleshooting”If you encounter connection issues:
- Verify that Docker is running
- Check that port 8080 (or your mapped port) is not already in use
- For Mac users with Apple Silicon, use the
—platform linux/amd64flag and bind to localhost explicitly - Ensure the container is accessible at the expected URL
If you receive authentication errors:
- Verify your API credentials are correct
- Check that you’re using the correct format:
Bearer $ACCESS_KEY:$SECRET_KEY - Ensure your API key is active in your Subnoto workspace
- Verify the credentials are properly escaped in your requests
If document uploads fail:
- Check that the file size is under 40 MB
- Verify the file is a valid PDF / Word document
- Ensure the
workspaceUuidis correct - Check that you’re using multipart/form-data format
- Verify your network connection is stable