Quickstart

From zero to an encrypted API call in about ten lines. TLS stays exactly as it is — Nen adds the layer that survives TLS termination.

1. Scaffold

npx create-nen-app

This detects your Next.js App Router project, installs @withnen/client and @withnen/server, patches next.config.ts for WebAssembly, and generates the session routes.

Already have a project? Install manually:

npm install @withnen/client @withnen/server

2. Mount the session routes

src/app/api/nen/[action]/route.ts:

import { handleHandshake, handleRotate, handleTerminate, handleStatus } from '@withnen/server';

export async function POST(req: Request, { params }: { params: Promise<{ action: string }> }) {
  const { action } = await params;
  if (action === 'handshake') return handleHandshake(req);
  if (action === 'rotate')    return handleRotate(req);
  if (action === 'terminate') return handleTerminate(req);
  return new Response('Not Found', { status: 404 });
}

export async function GET(req: Request, { params }: { params: Promise<{ action: string }> }) {
  const { action } = await params;
  return action === 'status' ? handleStatus(req) : new Response('Not Found', { status: 404 });
}

3. Protect an endpoint

src/app/api/secure-data/route.ts:

import { withNen } from '@withnen/server';

export const POST = withNen(async (req, body) => {
  // body is already decrypted and authenticated
  return { ok: true, received: body };
});

4. Call it encrypted

import { createNenFetch } from '@withnen/client';

const nenFetch = createNenFetch(''); // same-origin

const data = await nenFetch('/api/secure-data', {
  method: 'POST',
  body: JSON.stringify({ ssn: '412-55-9087' }),
});
// the body left your tab as ciphertext; data is the decrypted response

That's it. Your CDN, logs, and proxies now see only base64 ciphertext for that payload.
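To check that claim against what your own proxy or CDN actually records, send a known test value and search the captured request bodies for it. The sketch below is an added example, not part of Nen or its documentation; the record shape, the two extra paths, and the sample bodies (including the stand-in ciphertext) are constructed assumptions. It looks for the value both as raw text and inside any base64 run, since base64 on its own is encoding, not encryption.

```javascript
// Added example, not Nen code. Capture records below are constructed.
const CANARY = '412-55-9087'; // the test value sent in step 4

// Base64-looking runs (standard or URL-safe alphabet), 16+ characters long.
function base64Runs(text) {
  return text.match(/[A-Za-z0-9+/_-]{16,}={0,2}/g) || [];
}

// True when the canary is readable in the body, either directly or after
// base64-decoding a run found in it.
function leaksCanary(body, canary = CANARY) {
  if (body.includes(canary)) return true;
  return base64Runs(body).some((run) =>
    Buffer.from(run, 'base64').toString('latin1').includes(canary));
}

// Return the capture records whose body exposes the canary.
function auditCaptures(records, canary = CANARY) {
  return records.filter((r) => leaksCanary(r.body, canary));
}

// Constructed sample: what an intermediary might record for three requests.
const plaintextJson = JSON.stringify({ ssn: CANARY });
const sampleCaptures = [
  // Route that was never wrapped: body is readable JSON.
  { path: '/api/legacy', body: plaintextJson },
  // Body that is only base64-encoded: looks opaque, decodes to plaintext.
  { path: '/api/encoded', body: Buffer.from(plaintextJson).toString('base64') },
  // Stand-in for an encrypted body (fixed bytes, not real Nen output).
  { path: '/api/secure-data', body: 'q83vEjRWeJCrze8SNFZ4kKvN7xI0VniQq83vEg==' },
];

const leaks = auditCaptures(sampleCaptures);
console.log('paths exposing the canary:', leaks.map((r) => r.path));
```

Run it with Node against bodies exported from your own request logs; any path it reports is still carrying the value in readable form.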

Where to go next

  • Usage — streaming, rotation, identity mode, and the full client/server API.
  • Protocol spec — the exact wire format an auditor reads.
  • Threat model — what Nen does and does not protect.
  • Error codes — every ISO-xxxx failure, with cause and fix.