Generic HTTP Connector
The Generic HTTP Connector enables integration between Descope and any third-party HTTP API. Use it to pull data into Descope flows (e.g., user information) or push data to external services.
Connector Settings
Setting | Description |
---|---|
Name | A custom name to help distinguish between multiple connectors. |
Description | Optional internal description of the connector's purpose. |
Base URL | Root URL of the third-party API (e.g., https://api.example.com ). |
Authentication Type | Supported methods: Bearer Token, API Key, Basic Auth, OAuth 2.0 Client Credentials, or None. |
Headers (Optional) | Key-value pairs to be included in API requests. |
HMAC Secret (Optional) | Used to generate an x-descope-webhook-s256 signature header. Learn more. |
Trust any certificate | If enabled, disables SSL verification. Default is disabled (recommended). |
Include response headers in Context | Adds response headers to the connector context (context.headers ). Default is off. |
Once you've configured all of these settings, you can test the connector in the connector configuration page.
Authentication Methods
The Generic HTTP Connector supports several authentication mechanisms. You can choose the one that matches the requirements of the third-party API you are connecting to:
Method | Description |
---|---|
Bearer Token | Requires a token. It is included in the Authorization header as Bearer <token> . |
API Key | Requires a key name and key value. The key is sent as a header (e.g., x-api-key: <value> ). |
Basic Authentication | Requires a username and password, which are sent as a Basic Authorization header (Basic <base64-encoded-credentials> ). |
OAuth 2.0 (Client Credentials) | Requires client credentials to dynamically obtain and use an access token. See details below. |
OAuth 2.0 (Client Credentials Flow)
When using OAuth 2.0, Descope will handle token retrieval and injection into requests automatically. You must provide the following:
- Client ID
- Client Secret
- Token Endpoint URL
- Scopes (optional; space-separated string)
- Credential Placement: Choose whether to send the credentials:
- In the request body
- In the Authorization header using HTTP Basic (default)
Descope will fetch and cache the access token using the client credentials flow and include it in the Authorization
header for subsequent requests.
Testing the Connector
Use the Descope Console to test your HTTP connector and verify the integration. For example, you can pull user details from an external API and review them in the test panel.
Handling HTTP Status Codes
You can handle different HTTP responses in your flow using conditionals based on the status code.
Step 1: Enable Custom Error Handling
Configure the connector action to use Custom error handling for the Generic HTTP Error
event. Doing this will result in the flow redirecting to a new path in the flow if the response code is not 200.
You can also set Connector Execution error handling to Custom to handle errors with the connector itself.
Step 2: Add Conditional Logic
You'll need to rely on the context key for your connector to access the response code in a condition block.
Use the key connectors.<Context Key>.statusCode
to access the response code in flow conditions.
Example use cases:
- 404 → Show "User Not Found" screen.
- 429 → Return to login screen.
- Other errors → Restart the flow.
For a complete list of response codes, you can visit the HTTP Status Codes page.
Step 3: Build Flow Logic
Connect conditions and screens to build the complete flow logic. This is an example of a flow that will restart the process if a 429 rate limit error occurs, but will show a "User Not Found" screen if a 404 error occurs.
Accessing HTTP Response Headers
Enable the Include response headers in Context option in the connector settings to access headers in your flow (context.headers
).
For example, you can:
- Extract custom headers.
- Use them in a Custom Claims action.
- Add the values to the JWT.
HMAC Signature Customization
You can customize the HMAC signature template used to sign requests sent from Descope.
Configure Signature Template
In the connector settings, set a x-descope-signature-template
header with a comma-separated list of elements to sign:
Example template:
METHOD,URI,HEADER_x-descope-timestamp,BODY
Descope will compute the HMAC and send it in the x-descope-webhook-s256
header.
Example Headers Sent
Validating the Signature
Use the following example to validate the HMAC signature in your backend:
Dynamic Values in Headers
You can inject dynamic values (e.g., form fields or flow inputs) into headers. These can also be dynamic values generated from a connector or scriptlet.
Using Values from Other Connectors
A common use case is chaining connectors together, where one connector's output becomes another connector's input.
You can use the output of a connector and include it in the request body of your generic HTTP connector in the flow itself. However, if the output of the one connector must be included in the headers of your generic HTTP connector, you can do that as well. Here's an example:
- First, use a Database Connector to fetch a user's profile
- Then, use the Generic HTTP connector to call an external API, passing the user's data in headers
Example flow:
This can also be used if there a dynamic token that needs to be included in the headers of the generic HTTP connector for authentication, that doesn't rely on OAuth 2.0 Client Credentials flow.
Example
Header configuration in the connector:
Example of received headers:
Static IP Addresses
When using the Generic HTTP Connector, you may want to restrict access to your third-party API by IP address. Descope provides the option to route all requests from the connector through a set of static IPs.
In the connector configuration screen, you can enable Use Static IPs. When this option is selected:
- Descope will route all outgoing requests through a predefined set of IP addresses.
- These IPs are displayed in the UI for you to copy and whitelist on your API gateway, firewall, or server.