A Go implementation of a Temporal Codec server that provides encryption and decryption capabilities for Temporal payloads. This server implements the Temporal Codec Server specification.
- /encode endpoint for encrypting payloads using AES-GCM
- /decode endpoint for decrypting payloads
- CORS support for Temporal Web UI integration
- Health check endpoint
- Key rotation support via key IDs
The server uses AES-GCM encryption with:
- 256-bit key size
- Secure random nonce generation
- Authenticated encryption
- Base64 encoding for transport
- Key rotation support
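An added example, not this project's own code (see codec/README.md for that), showing how the properties listed above fit together: AES-256-GCM with a fresh random nonce per payload, base64 for transport, and key lookup by ID. Keyring, Seal and Open are hypothetical names, the sample key is constructed, and passing the key ID as associated data is an assumption of this sketch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Keyring (hypothetical) maps key IDs to keys; retired IDs stay so old payloads decode.
type Keyring map[string][]byte
func (k Keyring) aead(keyID string) (cipher.AEAD, error) {
	key, ok := k[keyID]
	if !ok || len(key) != 32 { // aes.NewCipher alone would also accept 16 or 24 bytes
		return nil, fmt.Errorf("key %q is missing or not exactly 32 bytes", keyID)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal returns base64(nonce || ciphertext || tag); the key ID is bound as associated data.
func (k Keyring) Seal(keyID string, plaintext []byte) (string, error) {
	gcm, err := k.aead(keyID)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, []byte(keyID))), nil
}
// Open reverses Seal; a wrong key, wrong key ID or modified byte returns an error, never partial plaintext.
func (k Keyring) Open(keyID, encoded string) ([]byte, error) {
	raw, derr := base64.StdEncoding.DecodeString(encoded)
	gcm, kerr := k.aead(keyID)
	if derr != nil || kerr != nil || len(raw) < gcm.NonceSize() {
		return nil, fmt.Errorf("malformed payload or unusable key %q", keyID)
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(keyID))
}
func main() {
	ring := Keyring{"test-key": []byte("constructed-sample-key-32-bytes!")} // constructed sample key
	enc, _ := ring.Seal("test-key", []byte(`{"demo":true}`))
	dec, err := ring.Open("test-key", enc)
	fmt.Println(enc, string(dec), err)
}
```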
The server can be configured using environment variables:
- PORT: Server port (default: "8080")
- KEY_ID: Encryption key identifier (default: "test-key")
- ENCRYPTION_KEY: 32-byte encryption key (default: test key, change in production!)
For detailed implementation examples and usage instructions, see codec/README.md.
- docker compose up
- docker compose down
- Install dependencies:
go mod download
- Set your encryption key (optional, but recommended for production):
export ENCRYPTION_KEY="your-32-byte-encryption-key"
export KEY_ID="your-key-id"
- Run the server:
go run main.go
- Always use a strong, unique encryption key in production
- The encryption key should be at least 32 bytes long
- Consider using a key management service in production
- The server should be run in a secure environment with proper access controls
- Use different key IDs for different environments or key rotation
- Consider adding authentication to the codec server endpoints
- Use HTTPS in production