How It Works
When your frontend sends a request to Bounce, Bounce looks up your config, injects your upstream API key server-side, applies any header transformations you've defined, and forwards the request to the target URL. The response comes back through Bounce and is returned to your client. Your upstream credentials never touch the browser.
Any API that accepts HTTP requests works with Bounce. You configure the base URL and the endpoints you want to allow, and Bounce handles the rest. There is no list of supported providers. As long as you can make an HTTP call to it, Bounce can proxy it.
Security
Yes. The Bounce key is a public identifier, not a secret. Your actual upstream API credentials are stored encrypted on Bounce's servers and are never exposed to the client. The Bounce key just identifies which config to use. Security is enforced through CORS origin locking and endpoint allowlists, so even if someone finds your key, they cannot use it from an unauthorized origin or hit endpoints you have not explicitly allowed.
Your upstream credentials are encrypted with a combination of your Bounce key and an internal server secret. Neither value alone can decrypt the data. An attacker with only the database would have ciphertext with no way to decrypt it. Even with your Bounce key, they still cannot read your config without being authenticated as the account that owns it, which Bounce enforces on every request.
Requests & Compatibility
Yes. When a request includes Accept: text/event-stream, Bounce switches to a streaming path and pipes chunks directly to your client as they arrive, without buffering the full response. The connection stays open for as long as the upstream keeps it open. Standard requests use a normal buffered path.
Yes. You can attach a JWT auth group to any endpoint in your config. Bounce will validate the token against your JWKS issuer (Firebase, Auth0, Clerk, and others are supported) before forwarding the request. Unauthenticated calls are rejected at the proxy level and never reach your upstream API. The user token is stripped from the forwarded request so your upstream never sees it.
Limits & Billing
Requests that Bounce rejects before forwarding (invalid key, CORS block, rate limit exceeded) do not count against your quota. Requests that Bounce forwards but that return an error from the upstream do count, since the proxy work was completed. Egress is measured as the combined size of outbound request bytes and inbound response bytes (the total egress from our servers).
The daily limit (requests_per_day) is configured by you on a per-key basis. It acts as a safeguard against a single key being abused or running away, and resets at midnight UTC. The monthly limit is account-wide across all your keys and determines your plan usage. Exceeding the daily key limit returns 429. Exceeding your monthly account limit returns 402.
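The counting rules above, as an added JavaScript example that is not Bounce's own code. Only requests_per_day and the 429/402 responses come from this page; QuotaLedger, handle, runScenario, the key object shape and the order of the two limit checks are assumptions made for illustration.

```javascript
// Added illustration: hypothetical quota accounting, not Bounce's implementation.
const DAY_MS = 24 * 60 * 60 * 1000;
class QuotaLedger {
  constructor(monthlyLimit) {
    this.monthlyLimit = monthlyLimit; // account-wide, shared by every key
    this.monthlyCount = 0;            // monthly reset is not modelled here
    this.egressBytes = 0;
    this.daily = new Map();           // key id -> { day, count }
  }
  // key: { id, requests_per_day }; upstream: () => { status, requestBytes, responseBytes }
  handle(key, nowMs, upstream) {
    const day = Math.floor(nowMs / DAY_MS); // epoch ms is UTC, so this rolls at 00:00 UTC
    let bucket = this.daily.get(key.id);
    if (!bucket || bucket.day !== day) {
      bucket = { day, count: 0 };
      this.daily.set(key.id, bucket);
    }
    // Rejections happen before forwarding and consume no quota.
    // Checking the daily limit first is an assumption; the page gives no order.
    if (bucket.count >= key.requests_per_day) return { status: 429, counted: false };
    if (this.monthlyCount >= this.monthlyLimit) return { status: 402, counted: false };
    const res = upstream();
    // Forwarded requests count whatever status the upstream returned.
    bucket.count += 1;
    this.monthlyCount += 1;
    this.egressBytes += res.requestBytes + res.responseBytes;
    return { status: res.status, counted: true };
  }
}

// Constructed scenario: two keys on one account, straddling midnight UTC.
function runScenario() {
  const ledger = new QuotaLedger(4);
  const a = { id: "key-a", requests_per_day: 2 };
  const b = { id: "key-b", requests_per_day: 5 };
  const ok = () => ({ status: 200, requestBytes: 100, responseBytes: 900 });
  const upstreamError = () => ({ status: 500, requestBytes: 100, responseBytes: 50 });
  const before = Date.UTC(2024, 0, 1, 23, 59); // 23:59 UTC
  const after = before + 2 * 60 * 1000;        // 00:01 UTC the next day
  const statuses = [
    ledger.handle(a, before, ok),
    ledger.handle(a, before, upstreamError), // upstream error still counts
    ledger.handle(a, before, ok),            // daily key limit hit: 429
    ledger.handle(a, after, ok),             // new UTC day, key counter reset
    ledger.handle(b, after, ok),
    ledger.handle(b, after, ok),             // account monthly limit hit: 402
  ].map((r) => r.status);
  return { statuses, monthlyCount: ledger.monthlyCount, egressBytes: ledger.egressBytes };
}
```

In the scenario the 429 and 402 responses leave both counters and the egress total unchanged, while the forwarded request that came back as an upstream 500 is counted like any other.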