HTTP functions allow you to expose the functionality of your site as a service. That means other people can write code to consume the functionality you expose by calling the functions of the API that you define.
Important: This API is only intended for use in server-to-server communications. If you use this API to set a cookie on a site visitor's browser you may no longer be in compliance with applicable data privacy regulations.
To learn more about HTTP functions, see Exposing a Site API with HTTP Functions.
To add an HTTP function, add a file named http-functions.js to the Backend section of your site. The code for your HTTP functions is added to that file.
HTTP functions are defined using the following pattern:
<prefix> is one of
<functionName> is the name users use to reach your function.
These are not functions that you call in your code, rather they are functions that you define. They are called when your users make HTTP requests using the associated URLs as described below.
For example, the following code creates a function that responds to GET requests by querying a collection to find items based on the path of the request. If matching items are found, an OK response is returned. If no matches are found, a Not Found response is returned.
Warning: This code is an example for educational purposes only. It's not secure, and using it can leave your site's data exposed. To learn about securing your HTTP endpoints, see Keep Your Site Secure.
Clients consume your HTTP functions by reaching endpoints with the following patterns.
You test your HTTP functions by reaching endpoints using the following patterns.
Note: You must publish your site at least once before using both the testing and production endpoints. After that, you save your site for changes you make to testing endpoints to take effect and you publish your site for changes you make to the production endpoints to take effect.
HTTP functions expose your site's data and functionality to anyone making requests to your endpoints. You can keep your site secure by authenticating requests. For example, the following code retrieves a secret key from the 'auth' property in a request's headers. This key is compared to one stored in the site's Secrets Manager using the Secrets API. If the keys match, the request is authenticated.
Valid requests to this endpoint must now include
"auth" : "My-Secret-Key" in their
If another Wix site is sending requests to your endpoints, you can use the HMAC Authentication Velo package for even more security.
Was this helpful?