5 Replies Latest reply on Jun 16, 2017 7:49 AM by beverly

    REST API Server Response Headers



      Is it possible to define the server's response headers?


      I get a 405 error calling the REST API from a browser that isn't on the same domain.

      If I use the same method on the server locally there are no problems.

      I have a valid SSL certificate.

        • 1. Re: REST API Server Response Headers



          Thank you for your post.


          What is the syntax of the HTTPS request?  What client application is sending the request?


          What exactly are you trying to accomplish when you get the 405 error?


          What is the SSL certificate being used?



          FileMaker, Inc.

          • 2. Re: REST API Server Response Headers

            What exactly do you mean by a "browser that is not on the same domain"? Browsers (or 'user-agents' in general) do not need to be in a specific domain and FileMaker Server does not validate any client credentials other than those used with the API itself.


            HTTP error 405 refers to an HTTP method issue (i.e. a GET instead of a POST, or a POST with an unexpected payload) so probably there is an issue with your request.


            Could you post here the HTTP request (HTTP method, HTTP headers and data)?

            • 3. Re: REST API Server Response Headers

              Thank you for your reply.


              Here's an example of the code I use:


                   $.ajax({
                        type: 'POST',
                        url: 'https://exampleserver.dsc.com/fmi/rest/api/auth/examplesolution',
                        data: '{"user":"exampleuser","password":"examplepassword","layout":"examplelayout"}',
                        // Log the session token returned by the auth endpoint
                        success: function(data) {
                             console.log('data.token: ' + data.token);
                        },
                        contentType: "application/json",
                        dataType: 'json'
                   });



              The issue I have is that if I take an HTML file with this exact code (I did switch out the domains and main information such as user and password) and host it on the server which hosts the REST API and has the SSL certificate, I have no problems. That means I take the HTML file, host it on the server and open it through my browser like this:



              If I take the exact same file and host it on another server with a valid SSL certificate or I open the file locally on my Windows or Mac machine, I get the 405 error.


              So I'm trying to get the login token for starters, which is, as mentioned, not a problem if the file is hosted on the same server.

              That's why I'm wondering if it's possible to define the response headers on the server so I can set the 'Access-Control-Allow-Origin' header and thereby allow other domains or servers to make calls to the server.


              The SSL certificate is from DigiCert.


              If you need any other information please let me know.

              • 4. Re: REST API Server Response Headers

                OK, now I get it, it wasn't clear to me that you were using client-side scripting. You are right, I also found that it only works if the origin is in the same domain, i.e. the same server. This is a security feature implemented by FileMaker. AFAIK there are currently no ways to configure FMS to allow specified origins.


                Todd Geist mentions this in this video as well: FileMaker 16 Data API and OAuth - Geist Interactive


                While building a PHP client application connecting to the FM REST API using OAuth I found exactly the same, that the code only works when running on the same machine as the FileMaker Server WPE. I will soon publish a blog article on that, meanwhile the PHP connector is freely available on GitHub: GitHub - ClickWorks/FMDataAPIOAuthConnector: OAuth Connector for the FileMaker Data API

                2 of 2 people found this helpful
                • 5. Re: REST API Server Response Headers

                  HTH and why 'iframes' or 'frames' fail sometimes on websites or Web Viewer fails in Web Direct sometimes:

                  Same-origin policy - Wikipedia

                  It's an ISP's nightmare to prevent theft of content into another's domain!
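
Added example, not part of the thread and not FileMaker code: a cross-origin POST sent with `contentType: "application/json"` makes the browser issue a CORS preflight `OPTIONS` request first, which a server that does not handle `OPTIONS` on that URL can answer with 405. The sketch classifies the request from post 3 and shows the origin-allowlist decision a CORS-aware front end would make; the allowlisted origin, the function names and the existence of such a front end are assumptions, not FileMaker Server settings.

```javascript
// Added example; hostnames other than the thread's URL are constructed.
const SIMPLE_METHODS = ['GET', 'HEAD', 'POST'];
const SIMPLE_TYPES = ['application/x-www-form-urlencoded',
                      'multipart/form-data', 'text/plain'];

// The request from post 3, as the browser sees it.
const SAMPLE_REQUEST = {
  method: 'POST',
  url: 'https://exampleserver.dsc.com/fmi/rest/api/auth/examplesolution',
  contentType: 'application/json',
};

// Returns 'same-origin', 'simple' or 'preflight'. A page opened from disk has
// the opaque origin 'null', which never matches any server.
// Simplified: custom request headers, which also force a preflight, are ignored.
function classifyRequest(pageOrigin, req) {
  if (pageOrigin !== 'null' && new URL(req.url).origin === pageOrigin) {
    return 'same-origin';
  }
  const type = (req.contentType || '').split(';')[0].trim().toLowerCase();
  const simple = SIMPLE_METHODS.includes(req.method.toUpperCase()) &&
                 (type === '' || SIMPLE_TYPES.includes(type));
  return simple ? 'simple' : 'preflight';
}

// Hypothetical allowlist for a front end you control (not an FMS setting).
// 'null' and '*' are deliberately absent.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Decide how the front end treats the CORS side of an incoming request.
// Header names are expected in lower case, as Node's http module provides them.
function corsDecision(method, headers) {
  const origin = headers['origin'];
  const isPreflight = method === 'OPTIONS' &&
                      'access-control-request-method' in headers;
  if (!origin) return { action: 'forward', headers: {} }; // non-browser client
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { action: isPreflight ? 'reject' : 'forward', headers: {} };
  }
  const cors = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  if (!isPreflight) return { action: 'forward', headers: cors };
  cors['Access-Control-Allow-Methods'] = 'POST';
  cors['Access-Control-Allow-Headers'] = 'Content-Type';
  return { action: 'answer-204', headers: cors };
}
```

Echoing a single allowlisted origin together with `Vary: Origin` keeps caches from serving one origin's CORS headers to another.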