HTTP
Make HTTP requests to any API endpoint.
The HTTP node makes arbitrary HTTP requests to external APIs. Use it for integrations not covered by dedicated nodes.
Prerequisites
No credential required. Authentication (if needed) is configured via headers.
Configuration
| Field | Type | Required | Description |
|---|---|---|---|
| url | string | Yes | Request URL (supports template expressions) |
| method | string | Yes | GET, POST, PUT, PATCH, DELETE |
| headers | array | No | Key-value header pairs |
| body | string/object | No | Request body (for POST/PUT/PATCH) |
| timeout | number | No | Timeout in ms (max: 120000) |
Security
- SSRF protection: requests to private/internal IPs are blocked
- On cross-origin redirects, auth headers are automatically stripped
- Maximum response size: 10 MB
- Response text is truncated at 100,000 characters
Template expressions
Use upstream data in the URL, headers, or body:
https://api.example.com/tokens/{birdeyeResponse.data.address}Authentication
The node has no built-in auth - add the header your API expects.
Bearer token (most APIs):
Header key: Authorization
Header value: Bearer {credentialResponse.apiKey}API key in a custom header:
Header key: X-API-Key
Header value: {trigger.apiKey}On a cross-origin redirect, all auth-looking headers (Authorization, Cookie, Proxy-*, etc.) are stripped before the next hop, so a redirect to a third-party host cannot exfiltrate the credential.
POST body
For POST, PUT, and PATCH, provide the body as JSON. Templates inside the body are resolved before the request fires.
{
"token": "{webhook.token}",
"price": "{birdeyeResponse.data.value}",
"alert": "above_threshold"
}Use the {json …} prefix when you need to interpolate an object or array as JSON (so {json codeResponse.data} produces valid JSON, not [object Object]).
If you set a non-JSON Content-Type such as application/x-www-form-urlencoded, the body is sent as the resolved string verbatim.
Output
{
"status": 200,
"statusText": "OK",
"headers": { "content-type": "application/json" },
"data": { "result": "..." }
}When the response is JSON, data is the parsed object. For non-JSON responses, data is the response text, truncated at 100,000 characters (the full payload is still capped at 10 MB at the network layer).
Reference fields downstream with the response name, for example {httpResponse.data.result} or {httpResponse.status}.
SSRF protection
Requests to private, loopback, and link-local destinations are rejected before any network call. This includes localhost, 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, and the IPv6 equivalents. Use a public DNS name; a private intranet endpoint will not work even if reachable from your browser.
Common use cases
- Call APIs without a dedicated Solaris AI Flow node
- Post data to custom webhooks
- Fetch external configuration or feature flags