Make APIs private

Right now, I have APIs (or server actions? Do these terms refer to the same thing?) that, if someone happens to go to that URL, they can directly call. Is it possible to make it so that people/bots finding these URLs cannot use these APIs, but so that my Wappler app can continue working using these server actions. To use a programming word, I’d like to make these server actions “private”. Using “Security Restrict” doesn’t seem to be the solution I’m looking for because I wouldn’t like any logged in users to be able to access these server actions directly.

Security Restrict should be the ideal solution. Just set up access levels so even logged in people can’t access them. I generally have at least two levels - admin and at least one other - and set the restriction on them accordingly.

I would set yourself as an admin and everyone else as something else and then set the restrictions so only the admin can access it.

However, this would mean the pages won’t work for them so perhaps that’s not the solution you want. Them finding the URLs and running them directly won’t give them any more access than them viewing the pages which use them, though, so I wouldn’t have thought there was an issue there. They would just send data to the URL and get the JSON responses back. Your front-end would most likely do this anyway.

1 Like

Ah, I think this is related to the main piece of information I might be missing. I’m not familiar with web dev stuff, so I wasn’t sure if the front-end was the only way to interact with a website or if people can do stuff like this too.

Say I had a server action X that I wanted several other server actions to call (e.g. via “API action” or via other future functionality that I imagine Wappler might add). Is there a way to make it so that server action X is private and only accessible by other server actions?

Yes. Library.

Any SA created inside library does not have direct URL access.
Only way to use them is inside SA using Include or Exec steps.

2 Likes

Aah, I didn’t realise that. Very useful to know. :+1:

If I’m not mistaken, a user can get direct access to the API endpoint server if you configured it to work with a REST API in App Connect (client side).
In the SA, the server retranslates data from the API endpoint to JSON, and if you uncheck “Output” the user can’t read the JSON data.

Yes, that’s correct but keep in mind that the front-end pages won’t be able to read the JSON data, either, so you need output checked in order to return the responses (data) to the front-end.

I don’t think the requirement here is about what is returned to client side.
But your understanding is correct.
Using security restrict is also good enough to restrict invalid calls to the SA URL.

Creating library does not really help as whatever SA is using that library, will still have its URL exposed.
I suggested that because it fits the requirement described.

Security restricts and other checks, along with making sure only the required data is output, are best practices in my experience.

2 Likes
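As an added illustration (not Wappler’s own code and not from any poster in this thread), the JavaScript below sketches the three controls the thread converges on: a Security Restrict style access-level check that runs before the action body, a “library” action that other actions can call but that is never given a URL, and an explicit output whitelist so only the fields the front-end needs leave the server. Every name, route, access level and sample record here is constructed for the example.

```javascript
// Constructed access levels; a Security Provider would normally supply these.
const ACCESS_LEVELS = { user: 1, admin: 2 };

// Library action: deliberately NOT registered as a route, so no URL reaches it.
// Other actions call it directly (the analogue of an Include/Exec step).
function libLookupCustomer(id) {
  // Constructed sample rows standing in for a database query.
  const rows = {
    42: { id: 42, name: 'Alice', email: 'alice@example.test',
          passwordHash: 'constructed-hash', internalNote: 'vip' },
  };
  return rows[id] || null;
}

// "Security Restrict" analogue: returns an error response when the session is
// missing or its level is below the minimum, otherwise null so the action continues.
function securityRestrict(session, minLevel) {
  if (!session || !session.identity) {
    return { status: 401, body: { error: 'not logged in' } };
  }
  if ((ACCESS_LEVELS[session.level] || 0) < ACCESS_LEVELS[minLevel]) {
    return { status: 403, body: { error: 'insufficient access level' } };
  }
  return null;
}

// Output whitelist: the analogue of leaving "Output" unchecked on everything
// except the fields the page actually consumes.
function pickOutput(record, allowed) {
  const out = {};
  for (const key of allowed) {
    if (key in record) out[key] = record[key];
  }
  return out;
}

// Public actions: these are the only things a URL can reach.
const routes = {
  '/api/customer': (req) => {
    const denied = securityRestrict(req.session, 'user');
    if (denied) return denied;
    const row = libLookupCustomer(Number(req.query.id));
    if (!row) return { status: 404, body: { error: 'not found' } };
    return { status: 200, body: pickOutput(row, ['id', 'name']) };
  },
  '/api/admin/customer': (req) => {
    const denied = securityRestrict(req.session, 'admin');
    if (denied) return denied;
    const row = libLookupCustomer(Number(req.query.id));
    if (!row) return { status: 404, body: { error: 'not found' } };
    // Even admins never receive the password hash.
    return { status: 200, body: pickOutput(row, ['id', 'name', 'email', 'internalNote']) };
  },
};

// Dispatcher standing in for the web server. A direct request for the library
// action's "path" falls through to 404 because it was never registered.
function handleRequest(req) {
  const handler = Object.prototype.hasOwnProperty.call(routes, req.path)
    ? routes[req.path]
    : null;
  if (!handler) return { status: 404, body: { error: 'no such action' } };
  return handler(req);
}

// Constructed sessions for trying the dispatcher out.
const userSession = { identity: 7, level: 'user' };
const adminSession = { identity: 1, level: 'admin' };

console.log(handleRequest({ path: '/api/customer', query: { id: 42 }, session: userSession }));
console.log(handleRequest({ path: '/api/admin/customer', query: { id: 42 }, session: userSession }));
console.log(handleRequest({ path: '/lib/lookupCustomer', query: { id: 42 }, session: adminSession }));
```

The point the dispatcher makes is the one raised above: a user who finds `/api/customer` gets exactly what the page would have shown them, nothing more, because the restrict step and the whitelist run on the server regardless of who sent the request, while `libLookupCustomer` is unreachable except through an action that has its own restrict step.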