The "API" folder Last updated: 10. Oct 2025

Create your custom JSON Web API by placing JS files that run server side in the #/API folder.

The #/API folder

Any .JS or .HASH file placed in this folder automatically runs on the server side. The value returned by a JS file is converted to JSON and sent as the response.

This means that any .JS file you put in this folder runs server side, unlike files in any other folder, which are served raw to the front end.

.HASH files execute and return HTML unless another extension such as .CSS.HASH or .CSS.TXT is specified, in which case the system attempts to set the appropriate MIME type for the response.

API functions (read and write)

Because API files are not cached on the server, an extra set of functions is available when running JS from the API folder. These make it possible to build dynamic web applications in which the static front end (always cached) fetches its data dynamically from the API.

This follows the PWA pattern of a cached static shell served with dynamic data.

The extra functions available are:

  • Write data to docly

  • Get current user information

  • Call external API's

From the API you can read querystring values from the "query" object and posted form values from the "form" object.

See functions marked with API only in the JS reference:
https://developers.docly.net/JavaScript/

Security

Docly provides a security framework for your API endpoints, including automated threat detection, progressive blocking mechanisms, and built-in protection against common attack vectors. Understanding how authentication and authorization are divided between Docly and your own code is essential for building secure applications.

Docly handles user authentication through its built-in login system. When you publish a folder or website with 'Login Required', Docly ensures that only invited users with valid accounts can access your application. However, you are responsible for implementing authorization logic in your API endpoints to verify that authenticated users have the appropriate permissions for specific operations.

When Docly's security system detects suspicious activity (which you can flag using docly.flagActivity()), it follows a progressive enforcement sequence to protect your API:

  1. The offending IP address is temporarily blocked

  2. To regain access, the user must pass a reCAPTCHA challenge

  3. Continued suspicious activity results in a hard block from your site

  4. Hard-blocked IPs must apply to be unblocked manually

Activity Flagging: Use docly.flagActivity() to flag suspicious activities such as:

  • Failed login attempts

  • Invalid API requests

  • Suspicious access patterns

  • Unauthorized access attempts

Path Security: All paths in Docly are absolute paths within each webapp. A request therefore cannot escape the webapp's directory structure, which removes directory traversal as an attack vector against your files. This protection covers the file layout only: values your API reads from the "query" and "form" objects are still untrusted input and must be validated by your own code, and path confinement does not replace the authorization checks described in this section.

Authentication vs Authorization: Docly handles authentication - verifying that a user with an invitation to your application is logged in before they can access it. However, you must implement authorization in your API endpoints - checking whether an authenticated user has permission to perform specific actions or access particular data. Unless you're running a public application or implementing a custom login experience, you should maintain your own internal table of users and access rights to control what authenticated users can do within your application.

Docly's built-in protections cover abuse detection and blocking at the request level. For applications requiring fine-grained access control, implement authorization checks in your API endpoints by maintaining user roles and permissions in your data structures, then validating these permissions before executing sensitive operations. Deny by default: an authenticated user who is absent from your table should get no access rather than default access.
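The following is an added example, not code from the Docly project or its documentation, showing how the query/form input, activity flagging and authorization advice on this page fit together in one API handler. It reads an id from the "query" object and an action from the "form" object, validates both, checks a deny-by-default role table of the kind the text recommends, and calls docly.flagActivity() on invalid and unauthorized requests. Only docly.flagActivity(), "query" and "form" are named on this page; docly.currentUser(), the reason string passed to flagActivity(), the returned object shape, the ACL contents and the fakeDocly stand-in are assumptions made so the file runs offline under plain Node.

```javascript
// Added example (not Docly's own code). Demonstrates the pattern this page describes:
// Docly authenticates the user, your API code must authorize the action and flag abuse.

// Constructed ACL table. In a real app you would keep this in your own docly data.
const ACL = {
  alice: { roles: ['admin'] },
  bob: { roles: ['editor'] },
  carol: { roles: ['viewer'] },
};

// Role -> allowed actions. Anything not listed is refused (deny by default).
const ROLE_ACTIONS = {
  admin: new Set(['read', 'write', 'delete']),
  editor: new Set(['read', 'write']),
  viewer: new Set(['read']),
};

const KNOWN_ACTIONS = new Set(['read', 'write', 'delete']);

// Authorization decision: a user Docly has authenticated but who is not in our
// table gets nothing, because "logged in" is not the same as "permitted".
function isAllowed(username, action) {
  const entry = ACL[username];
  if (!entry) return false;
  return entry.roles.some((r) => ROLE_ACTIONS[r] !== undefined && ROLE_ACTIONS[r].has(action));
}

// Strict parse of a querystring id: 1..9 digits, no leading zero, nothing else.
// Returns null for anything that does not match, so callers cannot pass junk through.
function parseId(raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]{0,8}$/.test(raw)) return null;
  return Number(raw);
}

// The docly object is injected so the handler can run against the real one in
// the #/API folder or against the fake below. docly.currentUser() is an ASSUMED
// name for "get current user information"; the page does not document it.
function makeHandler(docly) {
  return function handle(query, form) {
    const user = docly.currentUser();
    if (!user) {
      docly.flagActivity('unauthenticated API request'); // reason string is an assumption
      return { status: 401, error: 'not logged in' };
    }
    const id = parseId(query.id);
    const action = form.action;
    if (id === null || !KNOWN_ACTIONS.has(action)) {
      docly.flagActivity(`invalid API request from ${user.name}`);
      return { status: 400, error: 'bad request' };
    }
    if (!isAllowed(user.name, action)) {
      docly.flagActivity(`unauthorized ${action} by ${user.name} on ${id}`);
      return { status: 403, error: 'forbidden' };
    }
    return { status: 200, result: { id, action, by: user.name } };
  };
}

// Constructed stand-in for the docly object so the example runs offline.
// It records every flagActivity() call so the caller can inspect what was flagged.
function fakeDocly(username) {
  const flags = [];
  return {
    currentUser: () => (username ? { name: username } : null),
    flagActivity: (reason) => { flags.push(reason); },
    flags,
  };
}

// Runs three constructed requests as the viewer "carol": one allowed, one forbidden
// by role, one with a malformed id that should be rejected and flagged.
function demo() {
  const d = fakeDocly('carol');
  const handle = makeHandler(d);
  return {
    ok: handle({ id: '42' }, { action: 'read' }),
    forbidden: handle({ id: '42' }, { action: 'delete' }),
    bad: handle({ id: '42; DROP' }, { action: 'read' }),
    flags: d.flags,
  };
}
```

The two rejected requests are flagged with different reasons so that Docly's progressive blocking sees repeated bad input and repeated privilege probing alike; the allowed request is not flagged. Keep the id parser strict rather than coercing with Number(), since "42abc" or "0x2a" would otherwise slip through as numbers.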

Caching

API functions are executed on every call and are never cached, unlike .hash files in other folders, which are cached until any underlying data changes and are then regenerated on demand on the next request.