A signed live-data node for Node-RED.
A Dynamic Feed node turns any Node-RED flow into a consumer of signed live data: set a tool name and an args object, and the node calls the keyless API and hands your flow the full Ed25519-signed envelope on msg.payload — wire it to an inject, an MQTT topic, a dashboard, or a PLC bridge.
The call
Keyless. Install from source today (it's a reference package, not yet on npm); the node uses the runtime's global fetch and has zero runtime dependencies.
# Install into your Node-RED user dir (Node 18+, zero runtime deps), then restart:
npm install /path/to/packages/node-red-dynamicfeed
# (once published, installable by name: node-red-contrib-dynamicfeed)
# In the editor: drop a "Dynamic Feed" node, set Tool + Args, wire to a debug node.
# It POSTs this to /v1/batch:
{ "calls": [ { "tool": "current_weather", "args": { "city": "Sydney" } } ] }
# and sets:
# msg.payload = { count, results:[{tool,ok,data}], signature{alg,key_id,sig} }
# msg.dynamicfeed = { tool, ok, data, signature, endpoint }
# Per-message: leave Tool blank, set msg.tool + msg.payload (args) upstream.Sample response
// msg.payload after the node runs:
{ "count": 1,
"results": [ { "tool": "current_weather", "ok": true,
"data": { "temperature_c": 18.0, "humidity_pct": 77, "conditions": "Light drizzle",
"provenance": { "source": "Open-Meteo", "measured_at": "2026-06-14T05:00:00Z" } } } ],
"signature": { "alg": "Ed25519", "key_id": "df-ed25519-4cb32e72f333",
"canonicalization": "json-sorted-compact", "sig": "..." } }Why live data
Node-RED is the glue of countless home, building and industrial automations, but most live-data nodes hand a flow a bare number with nothing to check. The Dynamic Feed node puts the full signed envelope on msg.payload: every datapoint carries a freshness + provenance envelope (source, source URL, measured_at, age, freshness state) so a flow can decide how much to trust a reading and reject stale data, and the response carries a detached Ed25519 signature you can verify on the Node-RED host. It has zero runtime dependencies (Node 18+ global fetch) and stores any optional API key in Node-RED credentials, never in the flow JSON. A signed response is proof a datapoint existed unchanged at a time — not proof the value is true, accurate, or safe to act on. The node makes no safety guarantee about your device; your flow and device logic own every decision.
Use it for
- Trigger a flow on live weather, air quality, grid carbon or GPS-interference
- Bridge a signed datapoint onto MQTT or into a dashboard widget
- Gate an action on freshness — skip the step if the reading is stale
- Verify the signature on the Pi-class host, then pass only trusted data downstream
FAQ
Is it on npm yet?
Not yet — it is published here as a reference package for the Dynamic Feed founder to release. Until then install from source (npm install /path/to/packages/node-red-dynamicfeed). Once published it installs by name as node-red-contrib-dynamicfeed from Manage palette.
Does it need an API key?
No. Keyless tools work without one. You can supply an optional key for key-gated tiers / higher quotas; it is sent as the X-API-Key header and stored in Node-RED credentials, never in the exported flow.
Where should I verify the signature?
On the Node-RED host — typically a Raspberry-Pi-class device, edge gateway or server — which is well able to do Ed25519 + JSON re-canonicalization. It is not appropriate to verify on an 8-bit Arduino Uno; verify on the host and pass only the trusted result to constrained nodes.