Local REST API

Stable version 1.0.3 (Compatible with OutSystems 11)
Uploaded on 27 November 2025
5.0 (1 rating)
Documentation
1.0.3
REST API optimised for use on localhost for high performance. Similar to a Service Action, supporting Tenant and User, but allows dynamic URLs to suit optional plugins.

This is intended to allow easier management of plugins within an application, where Service Actions are not possible, because the module may not be present or needs to be switched to another module. It simplifies the process of creating a REST API using a single action in the OnRequest and OnBeforeRequest events that does all of the following:

  1. Allows the module in the API request to be changed dynamically, so http://localhost/MyAPI/rest/Local/Method can be switched to http://localhost/MyOtherAPI/rest/Local/Method
  2. It defaults to overriding the hostname to be http://localhost so the request never leaves the machine, for better performance. This is also validated in the exposed API to reject external requests. If localhost is not allowed (for example, in some cloud environments), then you can set the Hostname site property and this will validate that the request is from https://<Hostname>
  3. The TenantId is passed via the API to allow use in multi-tenant scenarios.
  4. The UserId is passed via the API token and can optionally be used to Login. Often this is not required as the UserId is only needed for logging and this reduces the overhead of creating a session.
  5. The Token is secured using a key in the secret site property InternalKey. This makes it hard to break as the key is never exposed. In the case of localhost, it never even leaves the machine. If the Hostname is configured, then as it enforces https, it will be secured during network transit. This is only intended for scenarios where the machine(s) can access the site property. If you are connecting to another server, it is better to use OAuth 2 to allow proper key management.

Security notes:

  1. The module uses GeneratePassword using 16 alphanumeric characters for the InternalKey making it unfeasible to guess, even if the attacker is on the local machine. External attacks are difficult as it would require spoofing of localhost.
  2. You could insert a Sleep action (e.g. 5 seconds) to deter brute force attacks if the key validation fails, but this is probably not necessary.
  3. For an Internet hosted system using deployment zones, you could limit the deployment of modules using LocaRest so they are not accessible externally, or further protect with a firewall appliance.  
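
The checks described above (origin restricted to localhost or https://<Hostname>, a token carrying TenantId and UserId secured with InternalKey), as an added sketch that is not the component's own code. The HMAC-SHA256 token format, the 60-second freshness window, the loopback test on the peer address and all function names are assumptions, since the page does not describe the component's internals.

```python
import base64, hashlib, hmac, ipaddress, json, secrets, string, time

ALPHABET = string.ascii_letters + string.digits  # 62 symbols

def generate_internal_key(length=16):
    # 16 random alphanumeric characters, as the page states for InternalKey.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def _tag(key, payload):
    return hmac.new(key.encode(), payload, hashlib.sha256).digest()

def make_token(key, tenant_id, user_id, now=None):
    # Assumed format: base64url(JSON claims) "." base64url(HMAC-SHA256 tag).
    claims = {"tenant": tenant_id, "user": user_id, "iat": int(now or time.time())}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    b64 = base64.urlsafe_b64encode
    return b64(payload).decode() + "." + b64(_tag(key, payload)).decode()

def validate_request(key, token, peer_ip, scheme, host, hostname="", max_age=60, now=None):
    # Returns (tenant_id, user_id); raises PermissionError for the caller to map to HTTP 403.
    if hostname:  # Hostname site property set: require https://<Hostname>
        if scheme != "https" or host.lower() != hostname.lower():
            raise PermissionError("request is not for https://<Hostname>")
    elif not ipaddress.ip_address(peer_ip).is_loopback:
        # Check the socket peer address, not the client-supplied Host header.
        raise PermissionError("request did not originate on this machine")
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:
        raise PermissionError("malformed token") from None
    if not hmac.compare_digest(tag, _tag(key, payload)):  # constant-time compare
        raise PermissionError("token was not produced with InternalKey")
    claims = json.loads(payload)
    if abs((now or time.time()) - claims["iat"]) > max_age:
        raise PermissionError("stale token")
    return claims["tenant"], claims["user"]
```
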

Icon: icons8.com


1.0.2
  1. Select Authentication: Custom to add OnAuthentication to your exposed API and add the call to ValidateRequest.
  2. Add OnBeforeRequest to your consumer API, following the example in the demo API module, passing/setting the BaseURL and Headers.
  3. In the consumer API call, add a Header parameter called RestModule. This will appear to be unused, but it is passed to the OnBeforeRequest event handler.
  4. Then in the calls to this method, set this parameter to the module name that you wish to consume, e.g. "LocalRestDemo_API", without any prefix or suffix (these are added automatically).
  5. If you get a 403 error, then it is probably due to http://localhost requests not being allowed, so set the Hostname property to your domain, e.g. yourname.outsystemscloud.com (without the https://).
