# Web Request

The **Web Request** [trigger](https://docs.getmesa.com/workflow-builder/triggers) creates a unique URL that you can call to execute a MESA workflow. Unlike the [Webhook](https://docs.getmesa.com/tools/webhook) trigger, the entire workflow will execute, and the result of the last step in the workflow will be returned as the response. Using the **Web Request** trigger, you can retrieve Shopify Customer Metadata values to use in your single page app, proxy an API call to a third party app, or even display an HTML table of data stored in a [Data](https://docs.getmesa.com/tools/data) table. If you would like to combine data retrieved from multiple steps in your response, we recommend making the last step of your workflow a Mapping or Editor [Transform](https://docs.getmesa.com/tools/transform) action.

## Configuration <a href="#configuring" id="configuring"></a>

### Passing Data <a href="#passing-data" id="passing-data"></a>

Querystring parameters appended to your URL will be available as [Variables](https://docs.getmesa.com/workflow-builder/fields/variables) in your workflow. For example, if you append `&limit=1` to the **Web Request URL**, it will be available as the `{{webrequest.querystring.limit}}` variable. To easily select the variable from the Variable selector modal, make a test request and refresh the builder. The querystring parameters sent in your previous workflow run will appear in the variable selector:

<figure><img src="https://3425906282-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1H6u1HQc3Iew7ATmmiCi%2Fuploads%2F9QLvjGvV0iigfcM5g0Ib%2FDW-web-request-querystring.png?alt=media&#x26;token=a02b94df-36ef-4b06-842c-f2398c9ac6a9" alt=""><figcaption></figcaption></figure>

If you make a POST request to the **Web Request** trigger, all data passed will be available in the body variable. For example: `{{webrequest.querystring.id}}`. Similar to querystring parameters, to see these variables in the variable selector model, make a test request and refresh the builder.

All headers passed in the request are also available as variables. For example, you could use the `Authorization` header to authenticate requests in a [Custom Code](https://docs.getmesa.com/tools/custom-code) step

### Custom Response Headers <a href="#custom-headers" id="custom-headers"></a>

The Response Headers returned by the completed automation can be customized under the **More options** section. Change the `Content-Type` value to `text/xml` and end your workflow with a Transform Editor step to return an XML document. Change the `Content-Type` to `text/html` and end your workflow with a Transform Editor step to return an HTML document that will render in the browser:

<figure><img src="https://3425906282-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1H6u1HQc3Iew7ATmmiCi%2Fuploads%2FTmf1c1boRORK8GQujVGi%2FEdit%20Automation%20Head%20Tag%20-%20Step%200.png?alt=media&#x26;token=428785b3-908e-4a91-abcf-f3dbe1c6fc2f" alt=""><figcaption></figcaption></figure>

You can make the response a redirect by including a `code` of either 301 or 302 and `location` in the response in the last step of your workflow:

<figure><img src="https://3425906282-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1H6u1HQc3Iew7ATmmiCi%2Fuploads%2F28FR6liugMpHgiYeaGjk%2FTheshoppad%20Workflow%20-%20Step%200%20(1).png?alt=media&#x26;token=3c52326b-4201-45ad-a7d6-36f75311c255" alt=""><figcaption></figcaption></figure>

You can remove the `.json` in the URL or replace it with `.html` or `.xml` to improve the clarity of your endpoints as well, but simply changing the URL suffix will do nothing if the `Content-Type` header is not changed as well.

<figure><img src="https://3425906282-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1H6u1HQc3Iew7ATmmiCi%2Fuploads%2FdtMloSu1iyQXtg1g88MY%2FDW-web-request-transform-editor.png?alt=media&#x26;token=d39c631b-7e04-4ca2-b8e9-876179558093" alt=""><figcaption></figcaption></figure>

The `Access-Control-Allow-Origin` and `Access-Control-Allow-Headers` headers can be customized to fine-tune your [CORS](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) security settings, and additional custom headers can be added with static values or values from variables passed from other steps.

### Technical Notes <a href="#technical-details" id="technical-details"></a>

* Each request executes a workflow and counts as an automation run. You can see a history of all automation runs within the[ Activity](https://docs.getmesa.com/workflow-activity) tab.
* Requests are rate-limited based on the [Incoming rate limit](https://docs.getmesa.com/going-further/platform-thresholds-and-limits#limits) of your plan.
* The maximum request time is limited based on the [Task compute](https://docs.getmesa.com/going-further/platform-thresholds-and-limits#limits) limit of your plan. There is also a limit of 60 seconds per request, even if your plan allows longer requests. Requests that take more time to execute will be timed out, and no response will be returned.
* Certain actions, including Loop and Delay, are not supported by the Web Request tool. If you need to delay a couple of seconds, you might be able to use [Mesa.request.sleep](https://docs.getmesa.com/tools/custom-code/sdk?q=sle#vendor-mesa.js-mesa.request.sleep) in a Custom Code step.
* The URL of your Web Request trigger is static and includes a mandatory `apikey` querystring parameter. If you want a shorter URL, we recommend using a URL shortener service like [bit.ly](http://bit.ly/).