Skip to content
Orvanta Docs

HTTP Routes

Overview

Section titled “Overview”

Orvanta’s HTTP routes feature enables triggering scripts or flows via external HTTP requests. Routes support various HTTP methods (GET, POST, PUT, PATCH, DELETE) and can be secured through multiple authentication mechanisms.

Key features

Section titled “Key features”

Execution modes:

  • Synchronous execution with immediate result return
  • Asynchronous execution returning a job ID
  • Sync SSE mode for Server-Sent Events streaming

Route creation methods:

  1. Manual creation through the Custom HTTP routes interface
  2. Batch generation from OpenAPI 2.0+ specifications (JSON/YAML)

Authentication options

Section titled “Authentication options”

The platform supports several security approaches:

  • None — Open access (development only)
  • Orvanta Auth — JWT bearer tokens with scope-based access control
  • API Key — Header-based validation against stored resources
  • Basic Auth — HTTP standard authentication
  • Signature Auth — HMAC validation with preset options (Stripe, GitHub) or custom logic
  • Custom Script — Full control via preprocessor functions

Workspace prefix configuration

Section titled “Workspace prefix configuration”

On Orvanta Cloud, routes are automatically prefixed with workspace IDs. Self-hosted instances can optionally enable this feature to prevent path collisions across multiple workspaces. Instance administrators can enforce workspace prefixes globally.

Body processing

Section titled “Body processing”

Routes can provide request data through:

  • Wrap body — Injects payload under the body key
  • Raw body — Passes unprocessed request body as the raw_string argument

OpenAPI integration

Section titled “OpenAPI integration”

Orvanta can both:

  • Generate HTTP routes from OpenAPI specifications
  • Export existing routes and webhooks as compliant OpenAPI 3.1 documents

Generated routes initially lack script bindings; users must assign runnables before requests will execute successfully.

CORS headers

Section titled “CORS headers”

Default permissive CORS configuration allows browser-based access. Only headers that are not already present in the response are filled in with the defaults, enabling per-route customization via the wm_headers mechanism.

Static content hosting

Section titled “Static content hosting”

Routes can serve static files or entire websites directly from S3 storage, with automatic index.html fallback support.

Access control

Section titled “Access control”

Only workspace admins can create routes. Other authenticated users with write access may modify route properties except HTTP paths. Disabled routes return 404 responses without deletion.