tronsec-worker-starter

July 4, 2026 · View on GitHub

Minimal Cloudflare Worker that proxies TRON-related APIs so API keys never ship to the browser.

Used in production by TRONSEC — this repo is a clean, deployable starter without app-specific internals.

Routes

PrefixUpstreamSecret
/grid/*TronGridTRONGRID_API_KEY
/scan/*TronScan APITRONSCAN_API_KEY
/vt/*VirusTotal v3VIRUSTOTAL_API_KEY
/cmc/*CoinMarketCap ProCOINMARKETCAP_API_KEY
/cg/*CoinGecko (public)
/healthliveness

Browser calls https://your-worker.workers.dev/scan/... instead of hitting providers directly.

Quick start

npm install
npx wrangler secret put TRONGRID_API_KEY
npx wrangler secret put TRONSCAN_API_KEY
npx wrangler deploy

Optional: restrict CORS in wrangler.toml:

ALLOWED_ORIGINS = "https://your-app.example,http://127.0.0.1:5500"

Client snippet

const PROXY = 'https://your-worker.workers.dev';

function proxyUrl(route, params) {
  const url = new URL(PROXY + route);
  if (params) Object.entries(params).forEach(([k, v]) => url.searchParams.set(k, v));
  return url.toString();
}

// TronScan approvals list
fetch(proxyUrl('/scan/api/account/approve/list', { address: 'T...', limit: 50 }));

Security

  • Store keys only as Worker secrets (wrangler secret put).
  • Set ALLOWED_ORIGINS in production instead of *.
  • This worker forwards requests — it does not authenticate end users. Protect your app separately.

License

MIT — see LICENSE.