API sources
API sources connect FetchCatch to your existing HTTP APIs. Ingest an OpenAPI (Swagger) document and every operation becomes available as an HTTP node in the flow designer.
Adding a source
- Console → API sources → Add
- Enter a name and the OpenAPI document URL (or base URL for manual sources)
- Optionally pick an auth profile — or leave as None for public APIs
Common URL patterns:
| Stack | Typical path |
|---|---|
| ASP.NET | /swagger/v1/swagger.json |
| Spring | /v3/api-docs |
| FastAPI | /openapi.json |
If you paste a Swagger UI page URL, FetchCatch attempts to discover the JSON document automatically.
What gets imported
- Operation ids and HTTP methods
- Parameter names and locations (path, query, header, body)
- Request/response schemas (for intellisense)
Re-import or refresh when your upstream API changes.
Auth profiles
Most APIs need authentication. Create an auth profile first, then link it to the source:
| Method | When to use |
|---|---|
| None | Public endpoints |
| Bearer / API key | Static token in header |
| OAuth 2.0 | Client credentials or auth code with refresh |
Pick a profile when you Add source, or change it later: open the source → use the Auth dropdown in the bar under the header (saves automatically). The source list also shows which profile each source uses.
Each source has at most one profile. HTTP nodes inherit it at runtime — you do not set auth on individual nodes. Different backends can use different profiles; the same profile can be shared across multiple sources.
OAuth profiles support re-login from the console when tokens expire.
→ Create and manage credentials under Auth profiles in the sidebar.
Using operations in flows
In the designer, add an HTTP node:
- Select the API source
- Choose operation id (from OpenAPI)
- Map inputs — each parameter is a JSONata expression
Downstream nodes read results via:
nodes.{nodeId}.status
nodes.{nodeId}.body.someField
Security
FetchCatch applies SSRF protections on outbound calls:
- Blocks private IP ranges and metadata endpoints
- Restricts schemes to HTTP(S)
Only register sources you trust. Credentials are stored encrypted per tenant.
CLI note
API sources are not synced to .fetchcatch/ today — only flows and response types. Configure sources in the console; reference them in flow JSON by apiSourceId GUID (visible after pull or in the designer).
Troubleshooting
| Symptom | Check |
|---|---|
| Import failed | URL reachable from FetchCatch servers; returns valid OpenAPI JSON |
| 401 on HTTP node | Auth profile linked and token valid |
| Wrong parameters | Operation id matches spec; input mapping names match parameter names |
| Timeout | Upstream latency; consider async patterns with wait/resume |