
Securing Public URLs

Last updated 4/09/2025

Securing a public URL is optional, but highly recommended to protect your data. Following the Internet Engineering Task Force (IETF) standards is recommended as best practice when securing your data.

This documentation covers using a Bearer Token as the authorization method to retrieve data from Five.

The Bearer Token in this example is a generated UUID. This UUID is stored in the Server Options field on the instance record and is retrieved by your function. The token needs to be shared with whoever you want to receive the response data. When using a third-party platform such as Postman, the authorization method needs to be Bearer Token.

Add Your Access Token

Your token value can be added straight into your code; however, the recommended way is to add a key: value pair on your instance record and call the key in your code to retrieve the Bearer Token.

info
Whenever you make a change to an instance record, you need to remove your deployment from the development environment and re-deploy your application for your changes to be applied.

1. Select Setup in the menu followed by Instances in the sub-menu.


Figure 1 - Instances menu item

2. Select your instance record (default) in the list.

3. Click in the Server Options field.


Figure 2 - Server Options field

4. Click the Add Field Data button.


Figure 3 - Add Field Data button

5. Type <YOUR_KEY> in the Key field.

tip
Remember your key, as you will need to add it in your function!

6. Type <YOUR_ACCESS_TOKEN> in the Value field.

7. Click the Save button in the editor app bar.


Figure 4 - Save button

8. Click the Save button in the form app bar.


Figure 5 - Save button

GetCustomers Function

The example function is called GetCustomers(). This function was used in the previous chapter, Add a URL to Retrieve Data; it selects the first name and last name of the customers from the Customer table and returns them as an array in a JSON-formatted string. Extra code will be added to this function to demonstrate how to add a Bearer Token to secure your data.

The HTTP Authorization request header can be used to provide a token for authorizing access to your data. Without the correct authorization token you will receive an error. The user needs to supply the Authorization method and their token, then make a request to the public URL endpoint from a platform such as Postman.

The getOptionServer() function is used on the Five object to retrieve the value of the associated key. For this example, the accessToken key is passed into the function to get the Bearer Token value.

The headers property is used on the Five object to access the headers supplied in the request.

The createError() function is used on the Five object to indicate an error if the Bearer Token is incorrect.

Edit GetCustomers Function

1. Select Logic in the menu followed by Functions in the sub-menu.


Figure 6 - Functions menu item

2. Select the GetCustomers record in the list.

3. Click in the Code field.


Figure 7 - Code field

4. Click the Copy button on the below code block.

JavaScript
Retrieve an array of customer names securely
function GetCustomers(five, context, result)  {
    ////////////////////////////////////////////////////////////////////////////////////////////////
    // First ensure the secret we have sent to the calling api is valid
    ////////////////////////////////////////////////////////////////////////////////////////////////
    const accessToken = five.getOptionServer('accessToken');
    const secret = five.headers.Authorization;
    if (secret !== `Bearer ${accessToken}`) {
        return five.createError('Access denied');
    }

5. Paste the code in the GetCustomers() function on line 2.


6. Click the Save button in the Code Editor app bar.


Figure 8 - Save button

7. Click the Save button in the form app bar.


Figure 9 - Save button

note
Below is the full code block that was entered in the GetCustomers() function via the Add a URL to Retrieve Data and Securing Public URLs chapters.

JavaScript
Retrieve an array of customer names securely
function GetCustomers(five, context, result)  {
    ////////////////////////////////////////////////////////////////////////////////////////////////
    // First ensure the secret we have sent to the calling api is valid
    ////////////////////////////////////////////////////////////////////////////////////////////////
    const accessToken = five.getOptionServer('accessToken');
    const secret = five.headers.Authorization;
    if (secret !== `Bearer ${accessToken}`) {
        return five.createError('Access denied');
    }

    ////////////////////////////////////////////////////////////////////////////////////////////////
    // query the data
    ////////////////////////////////////////////////////////////////////////////////////////////////
    const customerData = five.executeQuery('Select FirstName, LastName from Customer', -1);
    if (customerData.isOk() === false) {
        return five.createError(customerData, 'Error executing query');
    }

    ////////////////////////////////////////////////////////////////////////////////////////////////
    // create a resultsData object, which is where we will attach data to be returned
    ////////////////////////////////////////////////////////////////////////////////////////////////
    const resultsData = {};

    ////////////////////////////////////////////////////////////////////////////////////////////////
    // attach the records from the query results to the resultsData object,
    // and return the data by attaching the data to the FiveError object customerResult using setData
    ////////////////////////////////////////////////////////////////////////////////////////////////
    resultsData['customers'] = customerData.records;
    const customerResult = five.success();
    customerResult.setData(five.MIMETypeJSON, resultsData);
    return customerResult;
}
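
A stricter form of the token check above, added here as an example and not part of Five's own documentation or code. It fails closed when the accessToken server option is unset or empty and compares the token without an early exit. The helper names (constantTimeEqual, isAuthorized, makeFakeFive, GetCustomersGuard) are hypothetical, the fake five object is a constructed stand-in, and it is an assumption that getOptionServer() returns undefined for a key that has not been configured.

```javascript
// Added example: hardened Bearer check. All helper names are hypothetical.

// Compare two strings without returning at the first differing character.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    // charCodeAt past the end yields NaN; "| 0" turns that into 0.
    diff |= (a.charCodeAt(i) | 0) ^ (b.charCodeAt(i) | 0);
  }
  return diff === 0;
}

// True only when a non-empty token is configured and the header carries it.
function isAuthorized(authorizationHeader, expectedToken) {
  // Fail closed: a template literal would render a missing option
  // as the literal text "undefined" and compare against that.
  if (typeof expectedToken !== 'string' || expectedToken.length === 0) return false;
  if (typeof authorizationHeader !== 'string') return false;
  // RFC 6750 form "Bearer <token>"; the scheme name is case-insensitive.
  const match = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i.exec(authorizationHeader.trim());
  if (match === null) return false;
  return constantTimeEqual(match[1], expectedToken);
}

// Constructed stand-in for the five object, so the guard runs outside Five.
function makeFakeFive(serverOptions, headers) {
  return {
    headers,
    getOptionServer: (key) => serverOptions[key],
    createError: (message) => ({ ok: false, message }),
    success: () => ({ ok: true }),
  };
}

// The authorization step of GetCustomers(), using the stricter check.
function GetCustomersGuard(five) {
  const accessToken = five.getOptionServer('accessToken');
  if (!isAuthorized(five.headers.Authorization, accessToken)) {
    return five.createError('Access denied');
  }
  return five.success();
}
```

Inside Five, only constantTimeEqual() and isAuthorized() would be pasted above GetCustomers(), with the original if statement replaced by the isAuthorized() call.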

Response Data in Postman

The Bearer Token value needs to be entered into a third-party platform such as Postman.


Figure 10 - Bearer Token

Enter the URL for your running application followed by /action/<YOUR_URL_NAME> into Postman and click the Send button; the response data will be returned.


Figure 11 - Response data

Access to the response data in the browser will now be denied, as authorization has been applied.


Figure 12 - Access denied