EvoConfig SDK (Node.js)

![Enterprise Grade](#)
![Security: AES-256-GCM](#)
![Security: HMAC-SHA256](#)

EvoConfig is a secure-by-default, production-ready SDK for remote configuration and feature flagging. It is designed for high-compliance environments where security and observability are non-negotiable.

Key Features

- Zero-Plaintext Rule: Configuration values are NEVER stored in plaintext on disk. They are decrypted only in memory.
- End-to-End Encryption: AES-256-GCM encryption ensures data remains private from the EvoConfig server to your application.
- Request Integrity: Every request is signed using HMAC-SHA256 with a timestamp and nonce to prevent replay attacks.
- Deterministic Rollouts: Feature flags support percentage rollouts with stable hashing based on user/tenant context.
- Observability First: Built-in hooks for OpenTelemetry integration and custom monitoring.

Installation

``bash npm install evoconfig-sdk`

`Usage Modes`

`$3`


Fetches and updates config from the EvoConfig API. Best for dynamic environments.

`typescript const config = new EvoConfig({ appId: "APP_ID", apiKey: "API_KEY", encryptionKey: "ENCRYPTION_KEY" });`

`$3`


Perfect for high-performance edge functions. Provide an encrypted object directly.

`typescript const config = new EvoConfig({ encryptionKey: "ENCRYPTION_KEY", localConfig: { config: { ... }, flags: { ... } } });`

`$3`


Total network isolation. Reads from an encrypted local file.

`typescript const config = new EvoConfig({ encryptionKey: "ENCRYPTION_KEY", configPath: "./configs.json" });`

`Security Architecture`

`$3`


All outgoing requests are signed:

Signature = HMAC-SHA256(Secret, Timestamp + Nonce + Payload)


The server validates the signature and ensures the timestamp is within a 5-minute window to prevent replay attacks.
$3

Config values are stored as encrypted blobs:

json
{
  "ciphertext": "...",
  "iv": "...",
  "authTag": "..."
}


The SDK decrypts these using the

encryptionKey

 provided at initialization. This key never leaves your application environment.
$3

Values are cached in-memory with a configurable TTL (default 5 mins). No decrypted values are ever written to the file system.
 Observability (Hooks)
Integrate with Datadog, New Relic, or Prometheus:

`typescript const config = new EvoConfig({ // ... hooks: { onCacheHit: (key) => metrics.increment("config.cache.hit", { key }), onError: (err) => logger.error(EvoConfig Error: ${err.message}), onFlagEval: (name, result) => metrics.gauge("feature_flag", result ? 1 : 0, { name }) } });`

`Error Handling`

The SDK uses typed errors for precise handling:

`typescript try { await config.get("SECRET_KEY"); } catch (error) { if (error instanceof AuthenticationError) { // Check your API keys } else if (error instanceof CryptoError) { // Check your encryptionKey } }``

---

Built by the Daksha Dubey.

EvoConfig SDK (Node.js)

![Enterprise Grade](#)
![Security: AES-256-GCM](#)
![Security: HMAC-SHA256](#)

Key Features

Installation

``bash npm install evoconfig-sdk`

`Usage Modes`

`$3`


Fetches and updates config from the EvoConfig API. Best for dynamic environments.

`typescript const config = new EvoConfig({ appId: "APP_ID", apiKey: "API_KEY", encryptionKey: "ENCRYPTION_KEY" });`

`$3`


Perfect for high-performance edge functions. Provide an encrypted object directly.

`typescript const config = new EvoConfig({ encryptionKey: "ENCRYPTION_KEY", localConfig: { config: { ... }, flags: { ... } } });`

`$3`


Total network isolation. Reads from an encrypted local file.

`typescript const config = new EvoConfig({ encryptionKey: "ENCRYPTION_KEY", configPath: "./configs.json" });`

`Security Architecture`

`$3`


All outgoing requests are signed:

Signature = HMAC-SHA256(Secret, Timestamp + Nonce + Payload)


The server validates the signature and ensures the timestamp is within a 5-minute window to prevent replay attacks.
$3

Config values are stored as encrypted blobs:

json
{
  "ciphertext": "...",
  "iv": "...",
  "authTag": "..."
}


The SDK decrypts these using the

encryptionKey

 provided at initialization. This key never leaves your application environment.
$3

Values are cached in-memory with a configurable TTL (default 5 mins). No decrypted values are ever written to the file system.
 Observability (Hooks)
Integrate with Datadog, New Relic, or Prometheus:

`Error Handling`

The SDK uses typed errors for precise handling:

---

Built by the Daksha Dubey.