Calling external APIs from an Iris App

Direct HTTP calls

For most use cases you can call external APIs directly from your extension code using the standard browser fetch API:

const response = await fetch("https://api.example.com/data", {
  method: "GET",
  headers: {
    "Authorization": `Bearer ${myApiKey}`,
    "Content-Type": "application/json",
  },
});

if (!response.ok) {
  throw new Error(`API error: ${response.status}`);
}

const data = await response.json();

CORS & CSP

For cross-origin requests to work, the external API must allow your app's origin via CORS headers. You also need to add the external domain to the cspHeader in your iris-app-manifest.ts — otherwise the browser will block the request even if CORS is correctly configured. See Project Structure for cspHeader details.

Server-side execution

⚠️ Early Access — Serverside API Extensions are currently in early access. Contact your Trackunit representative for more information.

For requests that require server-side execution — such as calls to APIs that cannot expose credentials to the browser, or logic that needs to run outside the iframe sandbox — you can use Serverside API Extensions. These run as managed server-side functions with access to app tokens scoped to the installing account.

Direct HTTP calls​

Server-side execution​

Direct HTTP calls

Server-side execution