Two pre-built API Server end point workers are provided as standard. Each one has different API Server Security settings. An end point can be deployed to either or both of these workers.
The SERVERLIBRARY is the primary worker you should publish your end points to. An end point published to this worker can only be called server-side by other workers. This allows your end point to be accessed by other end points, by forms as their pages load (i.e. in server-side operations like field default functions), or by workflow processes.
The AJAXLIBRARY allows the end points published to it to be accessed in browser-side AJAX calls. They are completely unsecured.
The REMOTELIBRARY can only be used if you have configured the remote library worker and it is running on a remote API Server, installed in a third party environment and linked to the iCM infrastructure via a VPN. See Remote API Servers for more information.
The SECURELIBRARY is, in a fresh installation, identical to the SERVERLIBRARY. It is bound to the "local open" key and can only be called server-side. This worker can also be added to API keys you create and called browser-side in AJAX calls. Access will only be granted if a request has an appropriate API key.
During the development of an end point, it is best practice to enable "Development mode". This disables caching (which has a default timeout of 120 seconds) so your changes will be picked up immediately. The development mode setting is itself cached, so when you enable it (and publish your end point), it may take a minute or two for the current cache to expire and development mode to be registered.
Version history can also, optionally, be disabled while an end point is in development mode. See End Point Version History for more information.
Once development is complete, development mode should be disabled so that standard caching is used.
During development, or when troubleshooting, additional request/response tracing will be written to the API Server console if this checkbox is checked.
Calls to the trace and log functions within the end point will only get written to the API Server console when this checkbox is checked. See Writing an End Point for more information.
An end point that has the "Internal only" checkbox checked may only be called from other end points on the same worker (and hence the same API Server) using the this.invokeEP function.
This flag should be set on all end points that interact with low level workers, such as the iCM API and Form Utils.
Check the "Validate parameters" checkbox if the Parameters Schema (defined via the Schema tab) should be used to validate the parameters that are supplied when the end point is called. Likewise, check the "Validate return" checkbox if the Return Schema should be used to validate the data that is returned by the end point.
This provides an added level of security, especially if the end point may be called externally. Leaving this unchecked means that the parameters will not be validated.
We recommend that all live end points validate their parameters and return values.
Prior to iCM 10.1.0.36 a longstanding bug meant that schemas were not correctly validated - types were not being checked.
Due to the number of end points in use, and the number that unfortunately relied on schemas not being properly validated, we were unable to fix the validation without breaking many existing end points.
We highly recommend you uncheck this box and test your end points and schemas thoroughly! You should also review any existing end points written prior to iCM 10.1.0.36 (February 2024) and uncheck this box once you are confident your schemas are working as expected.
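The effect of the type-checking gap described above, as an added example (not iCM code and not the iCM validator): a simplified checker, assuming the Parameters Schema is JSON-Schema-style, that replays constructed sample parameters with and without type checks and lists the calls that only pass when types are ignored. The function names, schema and sample calls are hypothetical.

```javascript
// Added example: simplified JSON-Schema-style checker (subset: type, required,
// properties, items). Not the iCM validator; all names are hypothetical.
function typeOf(v) {
  if (v === null) return "null";
  if (Array.isArray(v)) return "array";
  return Number.isInteger(v) ? "integer" : typeof v;
}
function typeMatches(expected, v) {
  const actual = typeOf(v);
  return [].concat(expected).some(t => t === actual || (t === "number" && actual === "integer"));
}

// checkTypes=false imitates validation that ignores "type" keywords.
function validate(schema, value, checkTypes, path = "$", errors = []) {
  if (checkTypes && schema.type && !typeMatches(schema.type, value)) {
    errors.push(`${path}: expected ${schema.type}, got ${typeOf(value)}`);
    return errors; // do not descend into a value of the wrong shape
  }
  if (typeOf(value) === "object") {
    for (const key of schema.required || [])
      if (!(key in value)) errors.push(`${path}.${key}: required property missing`);
    for (const [key, sub] of Object.entries(schema.properties || {}))
      if (key in value) validate(sub, value[key], checkTypes, `${path}.${key}`, errors);
  }
  if (typeOf(value) === "array" && schema.items)
    value.forEach((item, i) => validate(schema.items, item, checkTypes, `${path}[${i}]`, errors));
  return errors;
}

// Calls that pass only when types are ignored: fix the schema or the caller.
function findTypeReliance(schema, samples) {
  return samples
    .map((params, index) => ({ index, lax: validate(schema, params, false), strict: validate(schema, params, true) }))
    .filter(r => r.lax.length === 0 && r.strict.length > 0)
    .map(r => ({ index: r.index, errors: r.strict }));
}
// Constructed parameters schema and constructed sample calls.
const paramsSchema = {
  type: "object",
  required: ["userId", "roles"],
  properties: { userId: { type: "integer" }, roles: { type: "array", items: { type: "string" } } }
};
const sampleCalls = [
  { userId: 42, roles: ["editor"] }, // valid either way
  { userId: "42", roles: ["editor"] }, // string where an integer is declared
  { userId: 7, roles: "admin" }, // string where an array is declared
  { roles: [] } // missing userId: rejected either way
];
console.log(findTypeReliance(paramsSchema, sampleCalls));
```

Each entry in the result is a call that an end point accepted only because types were not being checked, which makes it a candidate for a schema or caller fix before relying on full validation.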