Coming Soon

Secure API calls
for Webflow sites

Webflow is client-side only. Any API that needs a secret key — reCAPTCHA, Stripe, OpenAI — is impossible without a backend. EnvProxy is the missing piece.

// Add to your Webflow site
<script src="envproxy.com/v1/snippet.js"></script>

const data = await EnvProxy.verify(
  'recaptcha-v3',
  { response: token }
);

// score: 0.5 — human verified
if (data.score >= 0.5) {
  form.submit();
}

The problem

Without EnvProxy

You spin up a Vercel function, a Cloudflare Worker, or an AWS Lambda just to make a single POST request with a secret key. That's a disproportionate amount of infrastructure for what should be trivial.

With EnvProxy

Paste a snippet into your Webflow site. Configure your integration in the dashboard. Done. No servers, no functions, no infrastructure to maintain.

Create a project

Add your Webflow site's domain and choose which integrations you need.

Add your secrets

Store your API secret keys securely. They never leave our server.

Paste the snippet

Drop a lightweight JS snippet into your Webflow site. Under 2KB, zero dependencies.

Ship it

Your Webflow site now makes secure API calls. Origin-locked, rate-limited, encrypted.

We create robust integrations

Each integration is purpose-built: validated inputs, encrypted secrets, and normalized responses. Starting with the most requested — more on the way.

🛡

reCAPTCHA v3 Server-side token verification with score-based filtering

Live

💳

Stripe Checkout sessions and payment intent creation

Planned

🤖

OpenAI Chat completions with usage limits and key rotation

Planned

✉

SendGrid Transactional email delivery from client-side forms

Planned

Built for Webflow developers

Origin-locked

Requests only work from your whitelisted domains. Yes, Origin headers can be spoofed server-side — we know. That's why origin checking is just the first layer: per-project rate limits, per-IP abuse detection, and request logging work together to catch what origin validation alone can't.

Rate-limited

Per-project rate limits prevent abuse. Configurable RPM right from the dashboard, plus per-IP spike detection that automatically flags suspicious patterns — like a single address hammering your endpoint 100 times a minute.

Encrypted secrets

Your API keys are protected with envelope encryption backed by a dedicated KMS. Each secret gets its own data key, decrypted only in memory during the proxy call. Secrets never appear in logs, error messages, or client responses — and the master key never touches the database.

Request logging

Full audit trail of every proxied request. See reCAPTCHA scores, upstream status codes, response times, and origin domains. Paginated and filterable from the dashboard so you can debug issues or spot abuse at a glance.

Tiny footprint

The client snippet is under 2KB with zero dependencies. It loads synchronously so it's guaranteed to be available when your code runs — no async race conditions, no loading states. One script tag and you're done.

No backend required

No Vercel functions, no Lambda, no Workers. You shouldn't need to spin up infrastructure just to make a single POST with a secret key. EnvProxy handles the server-side call so your Webflow site stays purely client-side.

Get early access

EnvProxy is currently in development. Join the waitlist and we'll let you know when it's ready.