How to access the secure iparams in server.js and send to frontend app

I want to access the secure iparams in frontend app,
it isn’t directly available to the frontend app.

sample code to create an event in server.js and call the event in frontend code

Hi @Marri_Sri_Rahul_Sidd,

It’s not possible to get the secure iparam in the frontend app. It’s also not a best practice to get the admin’s secure input from the serverless function and send it to the frontend app, further leaking it to the browser accessible by any agents using the account.

Could you describe why the secure iparam is needed in the frontend app? Is it not possible to complete those actions in the serverless function via Server Method Invocation?

HI @Raviraj we do some AI computation for articles , tickets, and canned responses at our end.

in order to fetch the articles,tickets and canned responses we need apikey (which is secure iparam)

How to access the iparams in the server.js??

hi @Raviraj

i tried to use axios in my server.js ended up with this error

although if i use the my secure iparam from server.js and make api call, does that not leaking through the browser ??

hi @Raviraj
couple of questions i have,
i marked the apikey as secured, which then isn’t accessible to the frontend app.
i can access the secure iparams from the server.js. so, can i create a event in server.js and invoke the event from the frontend app, which will make a api call via request template sending the api key in the request ?( can this be possible and acceptable )

Hey @Marri_Sri_Rahul_Sidd

yes you can. That is what @Raviraj referred to as Server Method Invocation.

So you configure the serverless part and invoke it from frontend when needed without the necessity for having the apiKey in frontend.

If I understood your usecase correctly, there may be an alternative to Server Method Invocation.
If you use Freshworks own Request-Method to make the API calls, you can configure the request with the api key as secure iparam and invoke the request directly from frontend app.

So if there’s no necessity to use Axios library, I’d recommend to use the Request feature from Freshworks.

Hope that helps.

1 Like

hi @ThomasH

we need to send the apikey in the request body.
we have couple of requests where we need apikey in the body of requests.

although i was also invoking the request template in frontend app (by apikey is secure param and isn’t available in frontend app, and we can’t construct the body request without the apikey in the frontend app and we need to construct the body in server.js and invoke the request template.)

@Marri_Sri_Rahul_Sidd If you need to send the API key in the request body, Server Method Invocation (SMI) and Request Method within the SMI function can be used as well.

All the serverless functions will get all the iparams, including the secure iparams, in the function argument. Check out the SMI payload; it will have all the iparams in the iparams object in the argument, as mentioned in the sample payload here.

The secure iparam can then be used in the request body of the $request.invokeTemplate() method within the SMI function.

Thanks for the update @Raviraj

1 Like

hi @Raviraj @ThomasH

i get the following error. i was trying to make call from server.js

and this is the code

Hi @Marri_Sri_Rahul_Sidd,

This error happens if the app cannot reach the API server.

  1. Is the API server endpoint available for the public internet? If not, these IPs have to be added to your API server network to receive the API request from the app.
  2. Are the request’s host and path on the app valid? Could you verify this by hard-coding those values in case they are dynamic?

Just to be sure, could you hard-code all the values in the requests.json file except for the body and check if it works? After it works, the the respective values can be moved to variables.

hi @Raviraj , the host and path are hardcoded. the body of the request is constructed/dynamic while sending the request from server.js

Although, these error only comes when status code is not 200.