@rossetta-api/client

v0.1.2

Published

Zero-config obfuscated API client for browser and Node.js - protect your APIs from reverse engineering

Downloads

278

Readme

@rossetta-api/client

Zero-config obfuscated API client for browser and Node.js

Features

  • 🔒 Automatic endpoint obfuscation - Endpoints are hashed before requests
  • 🔐 Request/response encryption - AES-256-CBC encryption
  • Session-based keys - Secure key management
  • 🛡️ Request signatures - HMAC-SHA256 for integrity
  • 🌐 Universal - Works in browser and Node.js

Installation

npm install @rossetta-api/client

Quick Start

import RossettaClient from '@rossetta-api/client';

const client = new RossettaClient('http://localhost:3000');

// Make obfuscated API calls
const todos = await client.get('/todos');
const newTodo = await client.post('/todos', { text: 'Buy milk' });

All requests are automatically encrypted and obfuscated!

Usage

Creating a Client

import RossettaClient from '@rossetta-api/client';

const api = new RossettaClient('http://localhost:3000', {
  // Options (all optional)
});

Making Requests

// GET request
const data = await api.get('/endpoint');

// POST request
const result = await api.post('/endpoint', { key: 'value' });

// PUT request
const updated = await api.put('/endpoint', { id: 1, key: 'new value' });

// DELETE request
const deleted = await api.delete('/endpoint', { id: 1 });

Using the Generic Request Method

const data = await api.request('/endpoint', 'GET');
const result = await api.request('/endpoint', 'POST', { data: 'test' });

Session Management

The client automatically initializes a session on first request:

const api = new RossettaClient('http://localhost:3000');

// Session is automatically initialized on first API call
const data = await api.get('/data'); // Session initialized here

// Subsequent calls reuse the same session
const more = await api.get('/more'); // Uses existing session

Manual Session Initialization

const api = new RossettaClient('http://localhost:3000');

// Initialize session manually
await api.initialize();

// Now make requests
const data = await api.get('/data');

How It Works

  1. Session Initialization: On first request, obtains session keys from server
  2. Endpoint Obfuscation: Hashes endpoint names using session salt
  3. Request Encryption: Encrypts request payload with session key
  4. Request Signing: Adds HMAC signature for integrity
  5. Response Decryption: Automatically decrypts server responses

Network Request Example

Traditional API:

GET /api/todos
Response: {"todos": [{"id": 1, "text": "Buy milk"}]}

With Rossetta:

GET /api/a7f3e9b2c1d4f5e6
Response: y8mzdtGaO3L/UQVshQvnfg==:zZzXwE57rStz...

Completely obfuscated and encrypted!

Browser Usage

<script type="module">
  import RossettaClient from '@rossetta-api/client';
  
  const api = new RossettaClient('http://localhost:3000');
  
  async function loadData() {
    const data = await api.get('/data');
    console.log(data);
  }
  
  loadData();
</script>

Node.js Usage

import RossettaClient from '@rossetta-api/client';

const api = new RossettaClient('http://localhost:3000');

async function main() {
  const users = await api.get('/users');
  console.log(users);
}

main();

Error Handling

try {
  const data = await api.get('/endpoint');
} catch (error) {
  console.error('Request failed:', error);
}

Security Features

  • No Hardcoded Secrets: Keys obtained from server per session
  • Session-Based Encryption: Each session has unique keys
  • Automatic Key Rotation: New session = new keys
  • Request Integrity: HMAC signatures let the server detect tampered requests
  • Replay Protection: Timestamp validation on server
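
The flow in How It Works and the integrity and replay claims under Security Features, as an added Node.js sketch that is not the package's own code: the sender encrypts and signs, and the receiver checks timestamp freshness and the HMAC in constant time before decrypting. The HMAC-based endpoint hash, the separate `encKey`/`macKey`, the `iv:ciphertext` body layout, the signed fields and the 30-second window are assumptions; the page does not document the package's wire format.

```javascript
// Added illustration; NOT the @rossetta-api/client source. Field names, the
// "iv:ciphertext" layout and the 30 s window are assumptions for this sketch.
const crypto = require('node:crypto');

const MAX_SKEW_MS = 30_000; // assumed replay window

// Step 2: endpoint name -> short per-session identifier (keyed hash with the salt).
function obfuscateEndpoint(endpoint, salt) {
  return crypto.createHmac('sha256', salt).update(endpoint).digest('hex').slice(0, 16);
}

// Step 4: HMAC-SHA256 over everything the receiver will act on.
function sign(session, path, timestamp, body) {
  return crypto.createHmac('sha256', session.macKey)
    .update(`${path}\n${timestamp}\n${body}`).digest('hex');
}

// Steps 3-4 (sender): AES-256-CBC with a fresh IV, then sign path + timestamp + body.
function sealRequest(session, endpoint, payload, now = Date.now()) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-cbc', session.encKey, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(payload), 'utf8'), cipher.final()]);
  const body = `${iv.toString('base64')}:${ct.toString('base64')}`;
  const path = obfuscateEndpoint(endpoint, session.salt);
  return { path, timestamp: now, body, sig: sign(session, path, now, body) };
}

// Receiver: reject stale or modified requests BEFORE touching the ciphertext.
function openRequest(session, req, now = Date.now()) {
  if (Math.abs(now - req.timestamp) > MAX_SKEW_MS) throw new Error('stale timestamp');
  const expected = Buffer.from(sign(session, req.path, req.timestamp, req.body), 'hex');
  const given = Buffer.from(String(req.sig), 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const [ivB64, ctB64] = req.body.split(':');
  const decipher = crypto.createDecipheriv('aes-256-cbc', session.encKey, Buffer.from(ivB64, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(ctB64, 'base64')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed session material (in the package's design the server issues it).
function newSession() {
  return { salt: crypto.randomBytes(16), encKey: crypto.randomBytes(32), macKey: crypto.randomBytes(32) };
}
```

Because the server hands the session material to every client, these checks protect requests against modification and replay by third parties; they do not hide the traffic from the client that holds the keys, which is why the TLS and authentication items below still apply.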

⚠️ Security Considerations

This client provides obfuscation and encryption, but you should also:

  1. Always use HTTPS/TLS in production
  2. Implement proper authentication (JWT, OAuth, etc.)
  3. Validate server certificates
  4. Handle credentials securely
  5. Use environment variables for API URLs

This package is designed to work alongside standard security practices, not replace them.

API Reference

new RossettaClient(baseURL, options)

Creates a new Rossetta API client.

Parameters:

  • baseURL (string): Base URL of the API server
  • options (object): Configuration options (currently unused, reserved for future use)

Methods

async initialize()

Manually initialize session with server.

async get(endpoint)

Make a GET request.

async post(endpoint, data)

Make a POST request with data.

async put(endpoint, data)

Make a PUT request with data.

async delete(endpoint, data)

Make a DELETE request with data.

async request(endpoint, method, data)

Generic request method.

License

MIT