This workflow demonstrates:
-
Encoded secrets — The API key is never in config or code. It is resolved from the vault (DON secrets) via
vaultDonSecrets: [{ key: "myApiKey", owner: config.owner }]. The header uses{{.myApiKey}}; the key stays encoded in the confidential request path. -
Response encryption — The API response is encrypted inside the enclave before it leaves (
encryptOutput: true). The body is AES-GCM encrypted using the vault secretsan_marino_aes_gcm_encryption_key. The workflow outputs only the values you need to decrypt in your browser.
Decrypt the output: use CipherTools AES-GCM. The workflow prints two values to the console — copy each and paste into the tool:
| In CipherTools | What to use |
|---|---|
| Operation | Decrypt + verify tag |
| Tag length | 128 bits |
| Key size | 256 bit |
| Secret key | Your AES_KEY_ALL value from .env (64 hex characters) |
| Nonce / IV | The line printed as Nonce/IV in the console (hex) |
| Ciphertext + tag input | The line printed as Ciphertext + tag in the console (hex) |
The workflow calls API Ninjas Jokes API with the X-Api-Key header (from the vault). The response is encrypted; you decrypt it locally with your key and CipherTools.
From the project root, use a .env file. The simulator maps secrets from secrets.yaml to env vars.
Note: In the workflow config (config.staging.json / config.production.json) you may see "owner": "". This is intentional for local simulation: there is no real interaction with the Vault DON here, so owner is not required. In production, you would set the owner for vault secret access.
-
API Ninjas key (DON secret
myApiKey):MY_API_KEY_ALL=<your-api-ninjas-key>Get a free key at api-ninjas.com.
-
AES-256 key (DON secret
san_marino_aes_gcm_encryption_key). Same value is used as Secret key in CipherTools when decrypting:AES_KEY_ALL=<64-char-hex-string>Must be 256-bit (32 bytes) hex-encoded. Generate one:
openssl rand -hex 32. Do not commit the real key.
Optional (for chain writes): CRE_ETH_PRIVATE_KEY=...
Copy from example:
cp .env.example .env
# Edit .env: set MY_API_KEY_ALL and AES_KEY_ALL.Install the Chainlink CRE CLI and authenticate so you can simulate and deploy workflows. See Installing the CRE CLI for your platform (macOS, Linux, or Windows). Then log in:
cre loginIf bun is not installed, see https://bun.com/docs/installation.
cd my-workflow && bun installFrom the project root:
cre workflow simulate ./my-workflow --target=staging-settingsThe console will print, under clear labels:
- Nonce/IV — one line of hex; paste into the “Nonce / IV” field on CipherTools AES-GCM.
- Ciphertext + tag — one line of hex; paste into the “Ciphertext + tag input” field.
On CipherTools set: Operation = Decrypt + verify tag, Tag length = 128 bits, Key size = 256 bit, Secret key = your AES_KEY_ALL value from .env. Then paste the two values above. For the encrypted Ciphertext+tag input, ensure you change the type dropdown from "Base64" to "Hex". The decrypted plaintext is the API response (e.g. JSON with a joke).
"HTTP request failed with status: 400" — API Ninjas returns 400 when the X-Api-Key header is missing or invalid. Check that:
- You have a
.envfile at the project root (same directory assecrets.yaml) withMY_API_KEY_ALL=<your-api-key>. - You run
cre workflow simulate ...from the project root so the simulator can load.envand resolve themyApiKeysecret. - Your key is valid — get a free key at api-ninjas.com.
