API Call Component
The API Call component connects your agent to any HTTP API. You can fetch data, send updates, or trigger actions.
If you’ve used Postman or curl
, this will feel familiar — but with built-in security, observability, retries, and Vault integration.
Quick Start: Test Your First Call
- Method:
GET
- URL:
- Click Test → You should see a JSON object with
"id": 1
.
Once you confirm this works, you can add headers, authentication, and outputs.
Step 1: Choose Method and URL
Every request needs:
- Method: tells the server what you want to do.
- URL: the endpoint you’re calling.
Method | Common use | Body needed? | Safe to retry? |
---|---|---|---|
GET | Fetch data | No | Yes |
POST | Create a resource | Often | No |
PUT | Replace a resource | Yes | Yes |
PATCH | Update part of data | Yes | Yes |
DELETE | Remove a resource | Optional | Yes |
HEAD | Get only headers | No | Yes |
OPTIONS | Check allowed methods | No | Yes |
Example:
Step 2: Add Headers and Body
Most APIs need more than just a URL. You usually add:
- Headers → key-value pairs for metadata like authentication and content type.
- Body → the request payload (data you send), required for methods like POST, PUT, PATCH.
Headers
Header name | Purpose | Example |
---|---|---|
Authorization | Authentication token | Bearer {{KEY(MY_TOKEN)}} |
Content-Type | Format of request body | application/json |
X-API-Key | Vendor-specific key | {{KEY(API_KEY)}} |
Body
The body is required for most POST, PUT, and PATCH requests.
The format depends on the API’s Content-Type header.
Content-Type | Example payload | When to use |
---|---|---|
application/json | json{`{ "name": "Alice", "role": "admin" }`} | Most modern APIs |
multipart/form-data | file + { "title": "Avatar" } | File uploads |
application/x-www-form-urlencoded | name=Alex&age=30 | Web forms |
text/plain | Hello world | Simple text APIs |
application/xml | <user><name>Alex</name></user> | Legacy XML APIs |
application/octet-stream | Raw binary | Uploading files/blobs |
Example: POST with JSON body
{
"email": "[email protected]",
"active": true
}
When you send this with Content-Type: application/json
, the server expects properly formatted JSON.
Step 3: Add Authentication
APIs almost always require authentication. There are two main types supported here:
Option A: Header Keys (simplest)
You paste a static token or API key into the Authorization
header.
`Authorization: Bearer {{KEY(MY_TOKEN)}}`
- Good for: testing, personal tokens, simple APIs.
- Limitations: tokens may expire, often lower rate limits.
Option B: OAuth (recommended)
OAuth is like giving your agent a temporary pass instead of a permanent key. The system automatically handles token refresh, so you don’t have to rotate secrets manually.
Supported OAuth flows
Flow | When to use | Example |
---|---|---|
Authorization Code (with PKCE) | When a user needs to log in (e.g. “Login with Google”). | Connecting to Gmail, LinkedIn |
Client Credentials | When services talk directly, no user login needed. | Server-to-server APIs |
OAuth 1.0a | Older APIs still using this. | Legacy Twitter API |
Setup in the component
- Select OAuth as authentication type.
- Choose your provider (Google, LinkedIn, Twitter, or Custom).
- Enter the required fields (client ID, secret, scopes).
- Test the connection — tokens are fetched and managed automatically.
Why OAuth?
- Tokens refresh automatically.
- More secure than static keys.
- Often grants higher API rate limits.
Step 4: Test Your Call
- Fill in Method and URL.
- Add headers and authentication if required.
- Click Test.
- Inspect the Response tab — check status, headers, and body.
Step 5: Work With Outputs
The response is available as Response
and can be used in later steps.
Use JSONPath to extract values.
Use case | JSONPath expression |
---|---|
First item ID | Response.data[0].id |
Nested field | Response.user.profile.email |
Default fallback | Response.items[0] ?? 'guest' |
Step 6: Handle Errors and Retries
Status | Meaning | What to check |
---|---|---|
400 | Bad request | Check body, parameters, Content-Type |
401/403 | Unauthorized | Token validity, scopes |
404 | Not found | URL or resource ID |
429 | Too many requests | Rate limiting; enable retries/backoff |
5xx | Server error | Retry later, check provider status |
Retries and backoff are built in. Secrets are redacted in logs.
Step 7: Debug and Mock
- Preview request to see variables resolved before sending.
- Run logs show full request/response for troubleshooting.
- Mock Data lets you simulate responses safely without calling live APIs.