This topic describes the action block context of a REST API endpoint: declared variables, return value and response type, and endpoint-specific aspects of anonymous access. For an overview of the REST API configuration, see REST API.
Declared variables (tree view)
The tree view to the left of the action block reflects, in its upper area, selected characteristics of the data structure for the endpoint definition.
The Declared variables node is the last element at the top hierarchy level. It lists all variables available in the action block, including their type hints.
The following variables are declared by the system. You access them in the action block via the Variable value resolver.
NOTE If the node contains further declared variables, these originate from configurations in the action block or from the URI definition of the endpoint (see REST API: URI and URI parameters).
TIP During configuration, the tree view partially updates only once you touch the tree. Changed URI parameters, however, appear immediately after you leave the field.
| Variable name | Type | Description | Direction |
|---|---|---|---|
| | | All request headers as a map that assigns | Inbound |
| | | All query parameters from the URL as a map that assigns | Inbound |
| response | | Data object for the return value. | Outbound |
| | | HTTP response status code for the reply. Default on success: | Outbound |
| | | User-defined response headers as a map that assigns | Outbound |
| disableContentHandling | | Controls the handling of a | Outbound |
| | | Only relevant when | Outbound |
Return value and response type
You define the regular return value of an endpoint in the action block by assigning it to the response variable.
The serialization of this data object, specifically the response type, is by default determined by the Accept header in the request.
EXCEPTION If you assign an object of type Content (Content) to the response variable, no automatic serialization takes place. Instead, the platform returns the payload of the Content object as-is. This lets you return, for example, arbitrarily large data via a File reference. The platform takes the Content-Type header of the reply from the mediaType field of the Content object.
NOTE You override this special handling of the Content type by assigning true to the disableContentHandling variable in the action block (see table above).
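The following Python model of the response handling described above is an added illustration, not Lobster Data Platform code: the Content class, the supported Accept values (application/json and text/plain, with JSON as fallback) and the base64 encoding of a Content payload when it is serialized as a plain data object are assumptions made for the example.

```python
import base64
import json
from dataclasses import dataclass
from typing import Any, Dict, Tuple

@dataclass
class Content:
    """Hypothetical stand-in for the platform's Content type."""
    payload: bytes
    media_type: str  # corresponds to the mediaType field

def _as_plain(obj: Any) -> Any:
    # When Content handling is disabled, a Content object is treated like any
    # other data object; bytes are base64-encoded so JSON can carry them (assumption).
    if isinstance(obj, Content):
        return {"mediaType": obj.media_type,
                "payload": base64.b64encode(obj.payload).decode("ascii")}
    return obj

def negotiate(accept: str) -> str:
    # Pick the response type from the Accept header; JSON is the assumed fallback.
    for part in accept.split(","):
        media = part.split(";")[0].strip().lower()
        if media in ("application/json", "text/plain"):
            return media
    return "application/json"

def build_reply(response: Any, accept: str = "*/*",
                disable_content_handling: bool = False,
                status: int = 200) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status, headers, body) following the documented rules."""
    if isinstance(response, Content) and not disable_content_handling:
        # EXCEPTION path: raw payload, Content-Type taken from mediaType
        return status, {"Content-Type": response.media_type}, response.payload
    # Regular path: serialize the data object according to the Accept header
    media = negotiate(accept)
    data = _as_plain(response)
    body = str(data).encode() if media == "text/plain" else json.dumps(data).encode()
    return status, {"Content-Type": media}, body

if __name__ == "__main__":
    pdf = Content(b"%PDF", "application/pdf")  # constructed sample payload
    print(build_reply(pdf, "application/json"))
    print(build_reply(pdf, "application/json", disable_content_handling=True))
    print(build_reply({"ok": True}, "application/json"))
```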
Anonymous vs. authorized access
For each endpoint, you decide individually via the Anonymous access option (allowAnonymousAccess) whether access without authorization is possible.
The general rules and the platform's behavior for anonymous and authenticated access are described in Access control for APIs. This section only adds the endpoint-specific aspects.
Review the security aspects of the functionality provided through the action block before releasing an endpoint for anonymous access.
You compensate for the missing session context (Role of session, Company of session, User of session) as needed via the Run as event action.
To execute a Search (Event action), you need a Role of session with read permissions for the entity types being searched.
CAUTION A Search (Event action) with a Role of session without owner restrictions, such as a "Super User" role, is a security risk. This could allow the anonymous endpoint to grant read access to sensitive data without access control.
IMPORTANT If you access an endpoint from the same browser in which a Lobster Data Platform session is already running, the session cookie automatically takes effect. The call then inherits the existing session context. For genuine anonymous tests, use a private browser window or a REST client independent of the logged-in browser.
Otherwise, you authenticate via OAuth2 for API access.