# API sources

**API sources** connect FetchCatch to your existing HTTP APIs. Ingest an OpenAPI (Swagger) document and every operation becomes available as an **HTTP node** in the flow designer.

## Adding a source

1. Console → **API sources** → **Add**
2. Enter a name and the **OpenAPI document URL** (or base URL for manual sources)
3. Optionally pick an **auth profile** — or leave as None for public APIs

Common URL patterns:

| Stack | Typical path |
|-------|----------------|
| ASP.NET | `/swagger/v1/swagger.json` |
| Spring | `/v3/api-docs` |
| FastAPI | `/openapi.json` |

If you paste a Swagger **UI** page URL, FetchCatch attempts to discover the JSON document automatically.

## What gets imported

- Operation ids and HTTP methods
- Parameter names and locations (path, query, header, body)
- Request/response schemas (for intellisense)

Re-import or refresh when your upstream API changes.

## Auth profiles

Most APIs need authentication. Create an **auth profile** first, then link it to the source:

| Method | When to use |
|--------|-------------|
| None | Public endpoints |
| Bearer / API key | Static token in header |
| OAuth 2.0 | Client credentials or auth code with refresh |

Pick a profile when you **Add source**, or change it later: open the source → use the **Auth** dropdown in the bar under the header (saves automatically). The source list also shows which profile each source uses.

Each source has at most one profile. HTTP nodes inherit it at runtime — you do not set auth on individual nodes. Different backends can use different profiles; the same profile can be shared across multiple sources.

OAuth profiles support re-login from the console when tokens expire.

→ Create and manage credentials under **Auth profiles** in the sidebar.

## Using operations in flows

In the designer, add an **HTTP** node:

1. Select the API source
2. Choose **operation id** (from OpenAPI)
3. Map **inputs** — each parameter is a JSONata expression

Downstream nodes read results via:

```
nodes.{nodeId}.status
nodes.{nodeId}.body.someField
```

## Security

FetchCatch applies **SSRF protections** on outbound calls:

- Blocks private IP ranges and metadata endpoints
- Restricts schemes to HTTP(S)

Only register sources you trust. Credentials are stored encrypted per tenant.

## CLI note

API sources are **not** synced to `.fetchcatch/` today — only flows and response types. Configure sources in the console; reference them in flow JSON by `apiSourceId` GUID (visible after pull or in the designer).

## Troubleshooting

| Symptom | Check |
|---------|-------|
| Import failed | URL reachable from FetchCatch servers; returns valid OpenAPI JSON |
| 401 on HTTP node | Auth profile linked and token valid |
| Wrong parameters | Operation id matches spec; input mapping names match parameter names |
| Timeout | Upstream latency; consider async patterns with wait/resume |

## Related

- [Flow designer](flow-designer.md)
- [HTTP node reference](flow-nodes.md#http)
- [Auth profiles](console-guide.md#auth-profiles)