All Collections
Working with Cloud Code
Is there a way to prevent a client apps from making certain API calls?
Is there a way to prevent a client apps from making certain API calls?

How to restrict sensitive APIs to cloud code only...

Paul Winterhalder avatar
Written by Paul Winterhalder
Updated over a week ago

Security is an important consideration for applications.

From the beginning, brainCloud has been designed with security in mind.  Our client API ensures that:

  • All calls require an authenticated client connection

  • All calls are encrypted (via SSL)

  • All messages are stamped with a check-code (based on the app's secret key) to prevent tampering

  • All messages also have packet ids to prevent replay attacks

  • Data is owned by users - and access is protected via ACL (Access Control Lists)

In addition, we also actively restrict certain APIs to be cloud-code callable only (for exapmle, currency APIs, leaderboard creation, etc.). 

Of course, all apps are not the same, and you may find that you would like to restrict additional APIs to be callable from cloud-code only. 

Although this isn't directly built into the solution, brainCloud's powerful API Hook mechanism does provide a way to do this!  Here is how:



Pre-hooks are special cloud code scripts that are configured to be called immediately before a specific API Call. Pre-hooks can be used to check the parameters sent to an API call, and potentially change them and/or reject the call entirely if the script desires. 

Cloud Code Flag

Every brainCloud call receives a few standard parameters when it is invoked - like the service and operation of the method being called for example. An additional parameter that is automatically inserted by the API Dispatcher is the ccCall  flag. This flag is true  if the API method (or script) is being called as from a cloud code script, or false  if it is being called from an client.

The Script!

Create a script called PREHOOK_DisallowCallFromClient  with the following contents:


Checks to see if the call is from the client, and if so, disallows it. Uses the special ccCall flag to determine whether the call was made via cloud code.


  "service": "aService",
  "operation": "AN_OPERATION",
  "message": {"ccCall": false },
  "parms": {}


var results = {};

// By default, everything is okay - tell system to keep processing
results.status = 200;

// If this call wasn't from cloud-code, log and disallow it.
if ( ! data.message.ccCall ) {
    // Overriding the status disallows processing of the call.
    results.status = 403;
    results.reasonCode = 99999;
    results.errorMessage = "VIOLATION: Not allowed to call "
        + data.service + ":" + data.operation + " from client.";
    // Also log what happened...
    var _log = bridge.getLogServiceProxy();
    var logMsg = "VIOLATION: Protected API ("
        + data.service + ":" + data.operation
        + ") called from client with profileId "
        + bridge.getProfileId() + ". Disallowed.";
    _log.logWarning( logMsg, JSON.stringify( data.message ) );

// return the results

Hooking it up

You can attach this script to any API call that you would like.
To do so:

  • go to Design | Cloud Code | API Hooks

  • Click on [+ Create] to bring up the Add Hook dialog

  • Choose the Service and Operation that you would like to attach the script to

  • Be sure to choose "Pre" from the Pre/Post selector

  • And finally choose your script - PREHOOK_DisallowCallFromClient .

  • You can leave the hook parameters blank - our hook doesn't use them.

  • Click [Save] to put your hook into place.

And voila - now that API call can be called from cloud code only!

Good luck!

Your feedback is important to us. Please rate this response below. Thanks! 

Did this answer your question?