Start a new topic

Execute an customEndpoint without logged in?


i wanna execute an endoioint in my backend without a current User logged-in.


How is this possible, due there is not authentication data i can use ?!

(I thought about calling the request itself from our node.js server to "outsource" the call. )

Any idea/comment?

Hi, we currently only support accessing endpoints using user or master secret. The two most straightforward workarounds I can see are to either do as you suggest and call the REST API with the master secret from your node code, or to create a special user for this purpose, and use the user's credentials to authenticate.

thans for the quick response. I'll try this.

Are there any plans to optain "public" methods/endpoints?

A totally often usecase (to me) seems like displaying some countings on a webpage. For example how many users are using the application, how many Objects in datastore "XY" are available and so on.

Best, Nico
There are plans to allow you to define the security level of endpoints on our roadmap, but as of now there isn't a specific date for which this is scheduled.

As for the specific use case you mentioned, I would actually argue that you would probably **not** want a public endpoint that allows access to such information, since unless you are very careful, that could allow a malicious to obtain data that you did not wish to expose. Since your webpage presumably requires a server, the approach I would take instead is to implement one of the two access methods I described on the server side of your page.
So just to be clear:


Create a user (for example "username" = createuserMasterUser" passwort = 1234

1. Call of an Endpoint inside of the application

2. Call (per REST-API) a login on this user inside of the business-logic script (Endpoint)

3. After login, do some stuff (in this case create users - like mentioned in the other thread (or any other stuff requiering a logged-in user) - or is there a way to acces the mastersecret inside the businesslogic?

4. everything is fine ?!

(Enforcing the sript on our node.js server seems to be a solution, too - but if i can, i will all this stuff on the kinvey side ...)

Best, Nico
Ok - it works like a charme now. :)


on the example-code on the bottom of the page - there is an error.

function onRequest(request, response, modules){

var context = modules.backendContext;

var request = modules.request;

var uri = 'https://' + +

Will result in not founding the header of course, cause the variable of the "onRequest" and the modules-shortcut are both named "request".
Hi, glad you worked it out. To address some points in your previous posts:

1. Thanks for letting us know about the mistake in the BL example!

2. You can get the master secret from within BL by using modules.backendContext.getMasterSecret()

3. In your BL code, you don't actually **have** to first login and then authenticate your queries using the generated auth token. You certainly **can** do that, and I don't see anything wrong with that approach, but you should be aware that as an alternative, you can simply use basic auth for every request.

4. You say "...After login, do some stuff (in this case create users..." -- just wanted to remind you that to create users, you use the app secret rather than a logged-in user.
Hey thanks for that informations!
Login or Signup to post a comment