tronsec-worker-starter
July 4, 2026 · View on GitHub
Minimal Cloudflare Worker that proxies TRON-related APIs so API keys never ship to the browser.
Used in production by TRONSEC — this repo is a clean, deployable starter without app-specific internals.
Routes
| Prefix | Upstream | Secret |
|---|---|---|
/grid/* | TronGrid | TRONGRID_API_KEY |
/scan/* | TronScan API | TRONSCAN_API_KEY |
/vt/* | VirusTotal v3 | VIRUSTOTAL_API_KEY |
/cmc/* | CoinMarketCap Pro | COINMARKETCAP_API_KEY |
/cg/* | CoinGecko (public) | — |
/health | liveness | — |
Browser calls https://your-worker.workers.dev/scan/... instead of hitting providers directly.
Quick start
npm install
npx wrangler secret put TRONGRID_API_KEY
npx wrangler secret put TRONSCAN_API_KEY
npx wrangler deploy
Optional: restrict CORS in wrangler.toml:
ALLOWED_ORIGINS = "https://your-app.example,http://127.0.0.1:5500"
Client snippet
const PROXY = 'https://your-worker.workers.dev';
function proxyUrl(route, params) {
const url = new URL(PROXY + route);
if (params) Object.entries(params).forEach(([k, v]) => url.searchParams.set(k, v));
return url.toString();
}
// TronScan approvals list
fetch(proxyUrl('/scan/api/account/approve/list', { address: 'T...', limit: 50 }));
Security
- Store keys only as Worker secrets (
wrangler secret put). - Set
ALLOWED_ORIGINSin production instead of*. - This worker forwards requests — it does not authenticate end users. Protect your app separately.
License
MIT — see LICENSE.