JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 30
  • Score
    100M100P100Q105771F
  • License MIT

Protect HTTP API keys with runtime injection and one SDK integration

Package Exports

  • @elding/sdk
  • @elding/sdk/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@elding/sdk) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

@elding/sdk

Protect HTTP API keys without keeping them in your code or .env. In development, Elding's local proxy injects the real key into the outgoing request. In production, the SDK retrieves the key at runtime and your application calls the provider directly.

npm install @elding/sdk

Always install the scoped package @elding/sdk. The unscoped elding package is unrelated.

Quickstart

npx @elding/cli login
npx @elding/cli init
import OpenAI from "openai";
import { configure } from "@elding/sdk";

const openai = new OpenAI(
  await configure("OPENAI_API_KEY", "https://api.openai.com")
);

Start development behind the local proxy:

npx @elding/cli proxy -- npm run dev

Use configure(name, target) for HTTP API keys such as OpenAI, Anthropic, Stripe, Resend, Mistral, or any provider authenticated through HTTPS headers.

const { apiKey, baseURL, defaultHeaders } = await configure(
  "PEXELS_API_KEY",
  "https://api.pexels.com"
);

const response = await fetch(`${baseURL}/v1/search?query=nature`, {
  headers: {
    ...defaultHeaders,
    Authorization: apiKey,
  },
});

In development, apiKey is a placeholder and baseURL points to the local proxy. In production, apiKey is retrieved from the vault and baseURL is the provider URL.

Raw API key access

secret(name) and client() are advanced APIs for HTTP API keys that must be loaded into the application process. Prefer configure() whenever the provider supports a custom baseURL and headers.

import { secret, client } from "@elding/sdk";

const apiKey = await secret("OPENAI_API_KEY");

const elding = await client();
const stripeKey = elding.secret("STRIPE_SECRET_KEY");

Elding does not manage non-HTTP application secrets. Keep DATABASE_URL, JWT_SECRET, REDIS_URL, certificates, and database passwords in your platform's environment variables.

Production

Generate a scoped deployment token locally:

npx @elding/cli deploy

Add the emitted variables to your hosting platform:

ELDING_REFRESH_TOKEN=eld_rt_...
ELDING_SET_ID=...

Your application code stays unchanged.

Documentation: https://docs.elding.app/en/sdk/installation