# HTTP (/docs/nodes/utility/http)

Make HTTP requests to any API endpoint.



The HTTP node makes arbitrary HTTP requests to external APIs. Use it for integrations not covered by dedicated nodes.

Prerequisites [#prerequisites]

No credential required. Authentication (if needed) is configured via headers.

Configuration [#configuration]

| Field   | Type          | Required | Description                                 |
| ------- | ------------- | -------- | ------------------------------------------- |
| url     | string        | Yes      | Request URL (supports template expressions) |
| method  | string        | Yes      | `GET`, `POST`, `PUT`, `PATCH`, `DELETE`     |
| headers | array         | No       | Key-value header pairs                      |
| body    | string/object | No       | Request body (for POST/PUT/PATCH)           |
| timeout | number        | No       | Timeout in ms (max: 120000)                 |

Security [#security]

* SSRF protection: requests to private/internal IPs are blocked
* On cross-origin redirects, auth headers are automatically stripped
* Maximum response size: 10 MB
* Response text is truncated at 100,000 characters

Template expressions [#template-expressions]

Use upstream data in the URL, headers, or body:

```text
https://api.example.com/tokens/{birdeyeResponse.data.address}
```

Authentication [#authentication]

The node has no built-in auth - add the header your API expects.

Bearer token (most APIs):

```text
Header key:   Authorization
Header value: Bearer {credentialResponse.apiKey}
```

API key in a custom header:

```text
Header key:   X-API-Key
Header value: {trigger.apiKey}
```

On a cross-origin redirect, all auth-looking headers (`Authorization`, `Cookie`, `Proxy-*`, etc.) are stripped before the next hop, so a redirect to a third-party host cannot exfiltrate the credential.

POST body [#post-body]

For `POST`, `PUT`, and `PATCH`, provide the body as JSON. Templates inside the body are resolved before the request fires.

```json
{
  "token": "{webhook.token}",
  "price": "{birdeyeResponse.data.value}",
  "alert": "above_threshold"
}
```

Use the `{json …}` prefix when you need to interpolate an object or array as JSON (so `{json codeResponse.data}` produces valid JSON, not `[object Object]`).

If you set a non-JSON `Content-Type` such as `application/x-www-form-urlencoded`, the body is sent as the resolved string verbatim.

Output [#output]

```json
{
  "status": 200,
  "statusText": "OK",
  "headers": { "content-type": "application/json" },
  "data": { "result": "..." }
}
```

When the response is JSON, `data` is the parsed object. For non-JSON responses, `data` is the response text, truncated at 100,000 characters (the full payload is still capped at 10 MB at the network layer).

Reference fields downstream with the response name, for example `{httpResponse.data.result}` or `{httpResponse.status}`.

SSRF protection [#ssrf-protection]

Requests to private, loopback, and link-local destinations are rejected before any network call. This includes `localhost`, `127.0.0.0/8`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `169.254.0.0/16`, and the IPv6 equivalents. Use a public DNS name; a private intranet endpoint will not work even if reachable from your browser.
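The range check described above, generalized to also judge every address a DNS name resolves to, as an added Python example (not Solaris AI Flow's own code). The three IPv6 networks, the function names, and the sample DNS table are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges listed above. The three IPv6 entries are an assumption about
# what "the IPv6 equivalents" covers.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample data: a fake DNS table so the example runs offline.
SAMPLE_DNS = {"api.example.com": ["203.0.113.10"],
              "intranet.example.com": ["203.0.113.11", "10.20.30.40"]}

def is_blocked_ip(text):
    """True if an address literal falls in one of the blocked ranges."""
    ip = ipaddress.ip_address(text)
    # ::ffff:10.0.0.1 is 10.0.0.1 written as IPv6; judge the IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)

def system_resolver(host):
    """Every address the name currently resolves to (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_url(url, resolve=system_resolver):
    """Return (allowed, reason) for a candidate request URL."""
    parts = urlsplit(url)
    host = parts.hostname  # lowercased, IPv6 brackets removed
    if parts.scheme not in ("http", "https") or not host:
        return False, "not an http(s) URL with a host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost"
    try:
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        candidates = resolve(host)  # DNS name: judge what it resolves to
    if not candidates:
        return False, "host does not resolve"  # fail closed
    for addr in candidates:
        if is_blocked_ip(addr):
            return False, f"{addr} is in a blocked range"
    return True, "public destination"

if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "http://[::ffff:192.168.1.5]/",
              "https://intranet.example.com/flags"):
        print(u, check_url(u, resolve=lambda h: SAMPLE_DNS.get(h, [])))
```

A check like this only holds if the request then connects to the same address that was checked, and it has to be repeated for every redirect hop.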

Common use cases [#common-use-cases]

* Call APIs without a dedicated Solaris AI Flow node
* Post data to custom webhooks
* Fetch external configuration or feature flags

Next steps [#next-steps]

* [Transform](/docs/nodes/utility/transform) - reshape HTTP response data
* [Condition](/docs/nodes/utility/condition) - branch based on response values
