Skip to content
flow8

Cryptography Modules

Cryptography Modules

AES-GCM — Symmetric Encryption

Encrypts and decrypts data using AES-256-GCM.

appId: aes-encrypt / aes-decrypt

{
  "appId": "aes-encrypt",
  "ref": "encryptPayload",
  "args": {
    "input": "{{ $prev.prepareData.json }}",
    "key": "{{ $kv.get 'encryptionKey' }}",
    "encoding": "base64"
  }
}
// Output: { "encrypted": "base64-encoded-ciphertext", "nonce": "base64-encoded-nonce" }


{
  "appId": "aes-decrypt",
  "ref": "decryptPayload",
  "args": {
    "input": "{{ $prev.receivedData.encrypted }}",
    "nonce": "{{ $prev.receivedData.nonce }}",
    "key": "{{ $kv.get 'encryptionKey' }}",
    "encoding": "base64"
  }
}
// Output: { "decrypted": "original plaintext" }

Security note: Never reuse a nonce with the same key. Generate a new nonce for each encryption operation. Store the nonce alongside the ciphertext.

HMAC-SHA256 — Message Authentication

Signs data and verifies signatures to ensure integrity.

appId: hmac-sign / hmac-verify

{
  "appId": "hmac-sign",
  "ref": "signWebhook",
  "args": {
    "input": "{{ $prev.buildPayload.json }}",
    "secret": "{{ $kv.get 'webhookSecret' }}",
    "encoding": "hex"
  }
}
// Output: { "signature": "a1b2c3d4..." }


{
  "appId": "hmac-verify",
  "ref": "verifySignature",
  "args": {
    "input": "{{ $prev.args.rawBody }}",
    "signature": "{{ $prev.args.receivedSignature }}",
    "secret": "{{ $kv.get 'webhookSecret' }}",
    "encoding": "hex"
  }
}
// Output: { "valid": true }

Use HMAC to verify incoming webhooks (e.g., GitHub, Stripe signature verification).

JWT — Generate and Verify

appId: jwt-sign / jwt-verify

{
  "appId": "jwt-sign",
  "ref": "createToken",
  "args": {
    "payload": {
      "userId": "{{ $prev.getUser.id }}",
      "email": "{{ $prev.getUser.email }}",
      "role": "viewer"
    },
    "secret": "{{ $kv.get 'jwtSecret' }}",
    "algorithm": "HS256",
    "expiresIn": "24h"
  }
}
// Output: { "token": "eyJ..." }


{
  "appId": "jwt-verify",
  "ref": "validateToken",
  "args": {
    "token": "{{ $prev.args.bearerToken }}",
    "secret": "{{ $kv.get 'jwtSecret' }}",
    "algorithm": "HS256"
  }
}
// Output: { "valid": true, "payload": {"userId":"...","email":"...","role":"viewer"}, "expired": false }