Run any Skill in Manus with one click

$pwd:

electric-proxy-auth

Name: Electric Proxy Auth
Author: electric-sql

// Set up a server-side proxy to forward Electric shape requests securely. Covers ELECTRIC_PROTOCOL_QUERY_PARAMS forwarding, server-side shape definition (table, where, params), content-encoding/content-length header cleanup, CORS configuration for electric-offset/electric-handle/ electric-schema/electric-cursor headers, auth token injection, Bun fetch concurrency cap (BUN_CONFIG_MAX_HTTP_REQUESTS default 256), ELECTRIC_SECRET/SOURCE_SECRET server-side only, tenant isolation via WHERE positional params, onError 401 token refresh, and subset security (AND semantics). Load when creating proxy routes, adding auth, or configuring CORS for Electric.

Run Skill in Manus

$ git log --oneline --stat

stars:10,216

forks:335

updated:May 25, 2026 at 16:01

SKILL.md

readonly

related-skills.json

same repository

designing-entities.md

from "electric-sql/electric"

Use when an app developer wants to build an entity (a.k.a. an agent) for their Electric Agents app — designing a single entity type, picking a coordination pattern when needed (single-agent, manager-worker, pipeline, map-reduce, dispatcher, blackboard, reactive-observer), defining state, handler, schemas, and implementing it in one entity file. Applies to any use of `registry.define(...)` / `defineEntity(...)` in a `@electric-ax/agents-runtime` app.

2026-05-2810.2k

electric-deployment.md

from "electric-sql/electric"

Deploy Electric via Docker, Docker Compose, or Electric Cloud. Covers DATABASE_URL (direct connection, not pooler), ELECTRIC_SECRET (required since v1.x), ELECTRIC_INSECURE for dev, wal_level=logical, max_replication_slots, ELECTRIC_STORAGE_DIR persistence, ELECTRIC_POOLED_DATABASE_URL for pooled queries, IPv6 with ELECTRIC_DATABASE_USE_IPV6, Kubernetes readiness probes (200 vs 202), replication slot cleanup, and Postgres v14+ requirements. Load when deploying Electric or configuring Postgres for logical replication.

2026-05-2510.2k

entity-stream-queries.md

from "electric-sql/electric"

Querying electric agent runtime entity streams and manifest state with @durable-streams/state queryOnce and useLiveQuery. Use when reading built-in entity collections like manifests, wakes, child_status, inbox, runs, or shared state from runtime code, tests, examples, or CLI code. Prefer direct typed queries over one-off read helpers.

2026-04-2310.2k

electric-debugging.md

from "electric-sql/electric"

Troubleshoot Electric sync issues. Covers fast-loop detection from CDN/proxy cache key misconfiguration, stale cache diagnosis (StaleCacheError), MissingHeadersError from CORS misconfiguration, 409 shape expired handling, SSE proxy buffering (nginx proxy_buffering off, Caddy flush_interval -1), HTTP/1.1 6-connection limit in local dev (Caddy HTTP/2 proxy), WAL growth from replication slots (max_slot_wal_keep_size), Vercel CDN cache issues, and onError/backoff behavior. Load when shapes are not receiving updates, sync is slow, or errors appear in the console.

2026-03-0610.2k

electric-new-feature.md

from "electric-sql/electric"

End-to-end guide for adding a new synced feature with Electric and TanStack DB. Covers the full journey: design Postgres schema, set REPLICA IDENTITY FULL, define shape, create proxy route, set up TanStack DB collection with electricCollectionOptions, implement optimistic mutations with txid handshake (pg_current_xact_id, awaitTxId), and build live queries with useLiveQuery. Also covers migration from old ElectricSQL (electrify/db pattern does not exist), current API patterns (table as query param not path, handle not shape_id). Load when building a new feature from scratch.

2026-03-0610.2k

electric-orm.md

from "electric-sql/electric"

Use Electric with Drizzle ORM or Prisma for the write path. Covers getting pg_current_xact_id() from ORM transactions using Drizzle tx.execute(sql) and Prisma $queryRaw, running migrations that preserve REPLICA IDENTITY FULL, and schema management patterns compatible with Electric shapes. Load when using Drizzle or Prisma alongside Electric for writes.

2026-03-0610.2k

package.json

"author": "electric-sql"

"repository": "electric-sql/electric"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Software DevelopersComputer and Mathematical Occupations15-1252L4

name	electric-proxy-auth
description	Set up a server-side proxy to forward Electric shape requests securely. Covers ELECTRIC_PROTOCOL_QUERY_PARAMS forwarding, server-side shape definition (table, where, params), content-encoding/content-length header cleanup, CORS configuration for electric-offset/electric-handle/ electric-schema/electric-cursor headers, auth token injection, Bun fetch concurrency cap (BUN_CONFIG_MAX_HTTP_REQUESTS default 256), ELECTRIC_SECRET/SOURCE_SECRET server-side only, tenant isolation via WHERE positional params, onError 401 token refresh, and subset security (AND semantics). Load when creating proxy routes, adding auth, or configuring CORS for Electric.
type	core
library	electric
library_version	1.5.10
requires	["electric-shapes"]
sources	["electric-sql/electric:packages/typescript-client/src/constants.ts","electric-sql/electric:examples/proxy-auth/app/shape-proxy/route.ts","electric-sql/electric:website/docs/guides/auth.md","electric-sql/electric:website/docs/guides/security.md"]

This skill builds on electric-shapes. Read it first for ShapeStream configuration.

Electric — Proxy and Auth

Setup

import { ELECTRIC_PROTOCOL_QUERY_PARAMS } from '@electric-sql/client'

// Server route (Next.js App Router example)
export async function GET(request: Request) {
  const url = new URL(request.url)
  const originUrl = new URL('/v1/shape', process.env.ELECTRIC_URL)

  // Only forward Electric protocol params — never table/where from client
  url.searchParams.forEach((value, key) => {
    if (ELECTRIC_PROTOCOL_QUERY_PARAMS.includes(key)) {
      originUrl.searchParams.set(key, value)
    }
  })

  // Server decides shape definition
  originUrl.searchParams.set('table', 'todos')
  originUrl.searchParams.set('secret', process.env.ELECTRIC_SOURCE_SECRET!)

  const response = await fetch(originUrl)
  const headers = new Headers(response.headers)
  headers.delete('content-encoding')
  headers.delete('content-length')

  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  })
}

Client usage:

import { ShapeStream } from '@electric-sql/client'

const stream = new ShapeStream({
  url: '/api/todos', // Points to your proxy, not Electric directly
})

Core Patterns

Tenant isolation with WHERE params

// In proxy route — inject user context server-side
const user = await getAuthUser(request)
originUrl.searchParams.set('table', 'todos')
originUrl.searchParams.set('where', 'org_id = $1')
originUrl.searchParams.set('params[1]', user.orgId)

Auth token refresh on 401

const stream = new ShapeStream({
  url: '/api/todos',
  headers: {
    Authorization: async () => `Bearer ${await getToken()}`,
  },
  onError: async (error) => {
    if (error instanceof FetchError && error.status === 401) {
      const newToken = await refreshToken()
      return { headers: { Authorization: `Bearer ${newToken}` } }
    }
    return {}
  },
})

CORS configuration for cross-origin proxies

// In proxy response headers
headers.set(
  'Access-Control-Expose-Headers',
  'electric-offset, electric-handle, electric-schema, electric-cursor'
)

Subset security (AND semantics)

Electric combines the main shape WHERE (set in proxy) with subset WHERE (from POST body) using AND. Subsets can only narrow results, never widen them:

-- Main shape: WHERE org_id = $1 (set by proxy)
-- Subset: WHERE status = 'active' (from client POST)
-- Effective: WHERE org_id = $1 AND status = 'active'

Even WHERE 1=1 in the subset cannot bypass the main shape's WHERE.

Common Mistakes

CRITICAL Forwarding all client params to Electric

Wrong:

url.searchParams.forEach((value, key) => {
  originUrl.searchParams.set(key, value)
})

Correct:

import { ELECTRIC_PROTOCOL_QUERY_PARAMS } from '@electric-sql/client'

url.searchParams.forEach((value, key) => {
  if (ELECTRIC_PROTOCOL_QUERY_PARAMS.includes(key)) {
    originUrl.searchParams.set(key, value)
  }
})
originUrl.searchParams.set('table', 'todos')

Forwarding all params lets the client control table, where, and columns, accessing any Postgres table. Only forward ELECTRIC_PROTOCOL_QUERY_PARAMS.

Source: examples/proxy-auth/app/shape-proxy/route.ts

CRITICAL Not deleting content-encoding and content-length headers

Wrong:

return new Response(response.body, {
  status: response.status,
  headers: response.headers,
})

Correct:

const headers = new Headers(response.headers)
headers.delete('content-encoding')
headers.delete('content-length')
return new Response(response.body, { status: response.status, headers })

fetch() decompresses the response body but keeps the original content-encoding and content-length headers, causing browser decoding failures.

Source: examples/proxy-auth/app/shape-proxy/route.ts:49-56

CRITICAL Exposing ELECTRIC_SECRET or SOURCE_SECRET to browser

Wrong:

// Client-side code
const url = `/v1/shape?table=todos&secret=${import.meta.env.VITE_ELECTRIC_SOURCE_SECRET}`

Correct:

// Server proxy only
originUrl.searchParams.set('secret', process.env.ELECTRIC_SOURCE_SECRET!)

Bundlers like Vite expose VITE_* env vars to client code. The secret must only be injected server-side in the proxy.

Source: AGENTS.md:17-20

CRITICAL SQL injection in WHERE clause via string interpolation

Wrong:

originUrl.searchParams.set('where', `org_id = '${user.orgId}'`)

Correct:

originUrl.searchParams.set('where', 'org_id = $1')
originUrl.searchParams.set('params[1]', user.orgId)

String interpolation in WHERE clauses enables SQL injection. Use positional params ($1, $2).

Source: website/docs/guides/auth.md

HIGH Bun fetch concurrency cap (256) bottlenecks the proxy under load

Wrong:

bun run proxy.ts

Correct:

BUN_CONFIG_MAX_HTTP_REQUESTS=4096 bun run proxy.ts

Bun caps simultaneous fetch() calls at 256 per process by default. Excess requests queue silently — the proxy keeps accepting inbound connections but upstream calls to Electric stall, surfacing as latency spikes rather than errors. Raise BUN_CONFIG_MAX_HTTP_REQUESTS (max 65,336) to match your expected concurrent shape requests. Node and Deno do not impose this cap.

Source: https://bun.com/docs/runtime/networking/fetch

HIGH Not exposing Electric response headers via CORS

Wrong:

// No CORS header configuration — browser strips custom headers
return new Response(response.body, { headers })

Correct:

headers.set(
  'Access-Control-Expose-Headers',
  'electric-offset, electric-handle, electric-schema, electric-cursor'
)
return new Response(response.body, { headers })

The client throws MissingHeadersError if Electric response headers are stripped by CORS. Expose electric-offset, electric-handle, electric-schema, and electric-cursor.

Source: packages/typescript-client/src/error.ts:109-118

CRITICAL Calling Electric directly from production client

Wrong:

new ShapeStream({
  url: 'https://my-electric.example.com/v1/shape',
  params: { table: 'todos' },
})

Correct:

new ShapeStream({
  url: '/api/todos', // Your proxy route
})

Electric's HTTP API is public by default with no auth. Always proxy through your server so the server controls shape definitions and injects secrets.

Source: AGENTS.md:19-20

See also: electric-shapes/SKILL.md — Shape URLs must point to proxy routes, not directly to Electric. See also: electric-deployment/SKILL.md — Production requires ELECTRIC_SECRET and proxy; dev uses ELECTRIC_INSECURE=true. See also: electric-postgres-security/SKILL.md — Proxy injects secrets that Postgres security enforces.

Version

Targets @electric-sql/client v1.5.10.

electric-proxy-auth

More from this repository

More from this repository

Electric — Proxy and Auth

Setup

Core Patterns

Tenant isolation with WHERE params

Auth token refresh on 401

CORS configuration for cross-origin proxies

Subset security (AND semantics)

Common Mistakes

CRITICAL Forwarding all client params to Electric

CRITICAL Not deleting content-encoding and content-length headers

CRITICAL Exposing ELECTRIC_SECRET or SOURCE_SECRET to browser

CRITICAL SQL injection in WHERE clause via string interpolation

HIGH Bun fetch concurrency cap (256) bottlenecks the proxy under load

HIGH Not exposing Electric response headers via CORS

CRITICAL Calling Electric directly from production client

Version

Electric — Proxy and Auth

Setup

Core Patterns

Tenant isolation with WHERE params

Auth token refresh on 401

CORS configuration for cross-origin proxies

Subset security (AND semantics)

Common Mistakes

CRITICAL Forwarding all client params to Electric

CRITICAL Not deleting content-encoding and content-length headers

CRITICAL Exposing ELECTRIC_SECRET or SOURCE_SECRET to browser

CRITICAL SQL injection in WHERE clause via string interpolation

HIGH Bun fetch concurrency cap (256) bottlenecks the proxy under load

HIGH Not exposing Electric response headers via CORS

CRITICAL Calling Electric directly from production client

Version