RequestTap/RequestTap-Adapter

RequestTap Adapter

A secure authentication layer for API providers connecting with the RequestTap marketplace.

  • Fast setup — guided onboarding of your API through the RequestTap app
  • Private key never leaves your server — HMAC-SHA256 signing keeps your secret local
  • Automatic request routing — requests are routed to/from your API automatically
  • Auto sync — your API routes sync to the marketplace during verification

The adapter serves two purposes:

  1. Endpoint ownership verification — proves you control your API via HMAC-SHA256 challenge-response
  2. Authenticated request forwarding — only HMAC-signed requests from RequestTap, targeting synced routes, reach your backend

This is not an open proxy.

Every request must be cryptographically signed by RequestTap using your shared secret. Routes are synced from RequestTap during the verification handshake — you configure them in the RequestTap dashboard, not locally. Anything not on the synced allowlist is rejected. Your backend is never exposed directly; the adapter acts as an authenticated gateway that only RequestTap can talk to.

How It Works

                         ┌─── x402
                         ├─── x8004
Consumer → RequestTap ───┼─── AP2        → [HMAC-signed request] → Adapter → Your Backend
                         ├─── SKALE/BITE                              ↑
                         └─── BASE L2                        Verifies signature
                                                             Checks synced route allowlist
                                                             Strips internal headers

  1. You register your API on the RequestTap dashboard and define which routes consumers can access.
  2. RequestTap sends a /verify challenge-response to your adapter, including the route allowlist in the request body.
  3. The adapter validates the challenge, persists the routes to disk (.requesttap/synced-routes.json), and enforces them on all /proxy/* requests.
  4. On restart, the adapter loads previously synced routes from disk so it can serve immediately without waiting for a new verification.
  5. On first boot (no prior sync), only /health and /verify respond. All /proxy/* requests return 403 until routes are synced.

Quick Start

npm install requesttap-adapter

1. Configure

Interactive setup (recommended):

npx requesttap-adapter-init

This prompts for your API key, secret, backend URL, and port, then writes a .env file.

Or manually create a .env file (see .env.example):

RT_API_KEY=rt_key_...
RT_API_SECRET=your_secret
RT_BACKEND_URL=http://localhost:4000/api

Routes are not configured locally — they are synced from RequestTap during the verification handshake.

2. Start

CLI:

npx requesttap-adapter

Programmatic:

const { createAdapter } = require('requesttap-adapter');

const adapter = createAdapter({
  apiKey: 'rt_key_...',
  apiSecret: 'your_secret',
  backendUrl: 'http://localhost:4000/api',
});

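// Top-level await is not available in a CommonJS module, so handle the promise explicitly.
adapter.start().catch((err) => {
  console.error(err);
  process.exit(1);
});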

Endpoints

Method  Path      Auth              Purpose
GET     /health   None              Liveness probe
GET     /test     None              Allowlist enforcement diagnostic — returns 403 if working correctly
POST    /verify   HMAC              Challenge-response verification + route sync
ALL     /proxy/*  HMAC + Allowlist  Forward requests to provider backend

Configuration

Required

Variable        Description
RT_API_KEY      API key from RequestTap dashboard
RT_API_SECRET   API secret from RequestTap dashboard
RT_BACKEND_URL  Your backend API URL

Optional

Variable               Default      Description
RT_PORT                4450         Port the adapter listens on
RT_DATA_DIR            .requesttap  Directory for synced route data
RT_RATE_LIMIT          100          Max requests per minute per IP
RT_BODY_LIMIT          1mb          Max request body size
RT_BACKEND_AUTH_TYPE   -            bearer or apikey
RT_BACKEND_AUTH_TOKEN  -            Token for backend authentication
RT_LOG_LEVEL           info         Log level: error, warn, info, debug

Security

The adapter is locked down by default. No request reaches your backend unless it passes every check:

  • Not an open proxy — unsigned or unrecognized requests are rejected immediately
  • Routes synced from RequestTap — you configure routes in the dashboard, not locally; the adapter enforces whatever was last synced
  • First-boot safety — before the first verification handshake, all proxy requests are rejected (403)
  • HMAC-SHA256 authentication — every request must be cryptographically signed with your shared secret
  • Replay protection — requests older than 5 minutes are rejected
  • Timing-safe comparison — prevents side-channel attacks on signature verification
  • Rate limiting — configurable per-IP rate limit (default: 100 req/min)
  • Helmet security headers
  • Configurable body size limit — default 1MB
  • Response header filtering — no internal infrastructure details leak to the outside
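
The order of checks described above (first-boot rejection, replay window, HMAC-SHA256 with timing-safe comparison, route allowlist), as an added example that is not the adapter's own code. The canonical string, the request field names, the route object shape and the 401 status for authentication failures are assumptions; the README does not document RequestTap's wire format.

```javascript
// Added illustration. The wire format here is assumed, not RequestTap's.
const crypto = require('crypto');

const MAX_AGE_MS = 5 * 60 * 1000; // README: requests older than 5 minutes are rejected

// Hypothetical canonical string: timestamp, method, path and a hash of the body.
function sign(secret, { timestamp, method, path, body }) {
  const bodyHash = crypto.createHash('sha256').update(body || '').digest('hex');
  const payload = [timestamp, String(method).toUpperCase(), path, bodyHash].join('\n');
  return crypto.createHmac('sha256', secret).update(payload).digest('hex');
}

// Constant-time compare. Hashing both sides first yields equal-length buffers,
// which crypto.timingSafeEqual requires.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// routes is null before the first sync, otherwise [{ method, path }] (assumed shape).
// The 401 status for authentication failures is also an assumption.
function checkRequest(req, secret, routes, now = Date.now()) {
  if (routes === null) return { ok: false, status: 403, reason: 'no routes synced' };
  const ts = Number(req.timestamp);
  // Math.abs also rejects timestamps dated too far in the future.
  if (!Number.isFinite(ts) || Math.abs(now - ts) > MAX_AGE_MS) {
    return { ok: false, status: 401, reason: 'stale or missing timestamp' };
  }
  if (!safeEqual(req.signature, sign(secret, req))) {
    return { ok: false, status: 401, reason: 'bad signature' };
  }
  const method = String(req.method).toUpperCase();
  const allowed = routes.some((r) => r.method === method && r.path === req.path);
  if (!allowed) return { ok: false, status: 403, reason: 'route not on allowlist' };
  return { ok: true, status: 200, reason: 'forward to backend' };
}

// Constructed sample data (not real credentials, routes or traffic).
const SECRET = 'constructed-demo-secret';
const ROUTES = [{ method: 'GET', path: '/v1/quotes' }];
const NOW = 1700000000000;
const demoReq = { timestamp: NOW, method: 'GET', path: '/v1/quotes', body: '' };
demoReq.signature = sign(SECRET, demoReq);
console.log(checkRequest(demoReq, SECRET, ROUTES, NOW));
```

Because the path is part of the signed string, changing it after signing fails the signature check before the allowlist is consulted; a correctly signed request for an unlisted route still stops at the allowlist.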

Docker

docker build -t requesttap-adapter .
docker run --env-file .env -p 4450:4450 requesttap-adapter

Or with Docker Compose:

docker compose up

Windows

The adapter runs on Windows. Graceful shutdown handles SIGBREAK (Ctrl+Break) in addition to SIGINT/SIGTERM.

Troubleshooting

Proxy returns 403 on all requests

This means routes haven't been synced yet. The adapter cannot initiate verification on its own — it only responds to challenges from RequestTap. Go to your RequestTap dashboard and trigger verification. Once the handshake completes, your synced routes will start accepting requests.

Testing

npm test

Support

For questions, issues, or feedback, reach out at support@requesttap.ai.

License

MIT
