This page provides detailed design information about the web API object and its configuration options.
Web APIs provide a way to expose Appian data and services to outside systems.
Web APIs are created much like expression rules. However, there are two main differences between them:
To learn about web API authentication, see Web API Authentication.
HTTP requests made by one website to another are said to be "cross-origin" because the origin (the url) of the first website is different than the origin of the other site.
By default, web browsers block requests of this nature for security reasons. However, you may want certain websites to allow requests from other websites. You can allow other sites to access a website using a standard called Cross-Origin Resource Sharing (CORS).
To configure CORS in Appian, you must add any sites you wish to expose data or services to in the allowed origins list in the Admin Console.
PATCH web APIs, adding a website to the allowed origins list will also exempt that website from Appian's built-in cross-site request forgery (CSRF) protection.
HTTP headers allow you to pass additional information with the response. Appian will automatically send several response headers, including
Server, and more. You can pass any additional headers as needed.
When a document is returned in the body, two headers are automatically added:
Content-Type header returns the type of the document. For example, if a GIF file is returned, the value of
Content-Disposition header holds a value of
inline, indicating that the document will be viewed inline in the browser, rather than being downloaded as an attachment for local viewing. This
Content-Disposition header also contains the filename of the returned document.
You can override these headers by manually setting them in the
headers parameter of
Appian Cloud does not guarantee that request headers will maintain their original casing. See the Appian Cloud FAQ for more details.
When creating or editing a web API, you can select from one of the following HTTP methods:
The HTTP methods
HEAD are automatically handled by the system based on the web APIs that exist in the system for a given Endpoint.
HEADrequests will execute the web API for the
GETmethod for the Endpoint and return the result, minus the response body.
OPTIONSrequests will return a list of methods for which web APIs exist for a given Endpoint.
For example, let's say you have two web APIs with the Endpoint field set to customer, one for
GET and one for
POST, and you make an
OPTIONS request to
https://www.example.com/suite/webapi/customer, the response will looks something like this:
1 2 3 4 5 6 7 8 9 10 11 12 HTTP/1.1 200 OK Date: Tue, 19 Apr 2016 15:27:22 GMT Server: Apache Pragma: No-cache Cache-Control: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT X-Frame-Options: SAMEORIGIN Allow: GET, POST, OPTIONS Content-Length: 0 Keep-Alive: timeout=20, max=100 Connection: Keep-Alive Content-Type: text/plain
Allow header contains entries for both
Only web APIs for the
PATCH methods may execute smart services.
Web APIs for the
GET method will not execute any smart services included in their expression. Attempting to do so will result in the following error message:
Smart Services cannot be executed in Web APIs that have a method of "GET."
Additionally, web APIs with the
PATCH method can be used to upload a document to Appian and download a document from Appian a binary request body. The size of this document is limited to 75 MB.
There are several factors that affect what HTTP status code a web API returns.
|404||There is no web API with the specified endpoint and HTTP method.|
|404||The user is not in the viewer role or higher for the web API.|
|500||There was an error evaluating the web API's expression.|
|500||The result of the expression evaluation was not an HTTP Response object.|
You can also specify the status code to return if an error occurs. This allows you to do things like return a
404 code if data that does not exist is requested.
A user must have at least Viewer permissions to a web API in order to execute it.
The security role map of a web API controls which users can see or modify it and its properties.
If default security groups are configured for your application, the default security groups pre-populate the role map when you create a web API.
If default security groups are not configured for your application, you are automatically assigned Administrator permissions for any web API you create. System administrators can always access a web API, regardless of object-level permissions.
The following table outlines the actions that can be completed for each permission level in a web API's security role map:
|Execute the web API*||Yes||Yes||Yes|
|View the web API definition||Yes||Yes||Yes|
|View the security||Yes||Yes||Yes|
|Update the web API definition||Yes||Yes||No|
|Update the security||Yes||No||No|
|Delete the web API||Yes||No||No|
*The Administrator user may view, edit, and delete web APIs but may not execute them. This includes testing them inside the web API object.
While editing your web APIs, you may encounter design guidance.
Appian design guidance reinforces best practice design patterns that should be implemented in your objects. Design guidance for web APIs is prompted while editing the web API or when a precedent of the web API is updated.
When a recommendation or warning is triggered, you'll see an indicator icon in the header (A) and next to the corresponding line in the expression editor (B).
Click on the icon in the header to learn more about the suggested guidance (C) and how it can be addressed.
If a recommendation is not applicable to your use case, you can Dismiss (D) that individual recommendation for that web API. Learn more about recommendation dismissal. Warnings cannot be dismissed and should always be addressed to avoid complications when the logic in the object is executed.
Web API guidance is also visible outside of web APIs on the Health Dashboard.
See design guidance for the full list of possible guidance.
You can enable request/response logging on web APIs to more easily troubleshoot when web APIs fails.
When enabled, Appian enforces a number of safeguards to prevent storing any sensitive data:
|Credentials||Credentials sent in the HTTP request will be masked. This includes API key authentication, Oauth 2.0 client credentials authentication, and basic authentication.|
|HTTP request body||Appian will only log the first 100,000 characters of the HTTP request body. Anything beyond that will be truncated. Additionally, any binary files sent in the request body will be replaced with the string
|Log rollover policy||The log files roll over based on time and size. No HTTP request/response log will ever last more than 7 days. The cumulative size of all rollver over HTTP request/response logs will never exceed 100 MB. To learn more about the log rollover policy, see the Logging page.|
However, you should not enable request/response logging if there is sensitive data in HTTP requests or responses. If there is sensitive data, like credit card numbers, in the request body, HTTP headers, or query parameters, it will be stored as plain text.
To enable HTTP request/response logging for web APIs:
Under HTTP Request/Response Logging, select the checkbox Enable HTTP request/response logging for this web API object.
Each time you modify and save a web API, a new version is created. All objects that use the web API will use the latest version. All versions are accessible to developers who can view the web API, and a web API can be reverted back to a previous version at any time.
For information on how to manage object versions, see Managing Object Versions.
Web APIs do not support deleting versions.
If there is an error executing the expression associated with a web API, the error message appears in
logs/design_errors.csv rather than in the standard application server error log.
The OpenAPI Specification defines a standard which allows both humans and computers to discover and understand the web APIs available to them. These files can even be consumed in order to automatically configure the client being used to call Appian.
To generate an OpenAPI definition for your web APIs:
Click EXPORT > OpenAPI Definition.
This will only be enabled when you have exactly one application selected, and it contains at least one web API.
Review the list of APIs to export.
This will export a JSON file that uses OpenAPI version 3.0.1. The OpenAPI definition includes: the file name and description, the environment's base URL, and the available authentication options. For each endpoint, it specifies the method, path, and description.
You can also include HTTP headers, query parameters, path parameters, and an example request body in your OpenAPI definition by setting default test values.
To set default test values:
In the Test Inputs pane, add your query parameters, headers, and path parameters.