Skip to main content

Base URLs and session headers power every browser-executed request. If this step is wrong, backend tools and widget token refresh will fail.

Base URLs

Base URLs tell the widget where to send backend tool requests for each environment. At minimum, create:
EnvironmentPurposeExample
locallocal developmenthttp://localhost:8000
productionlive environmenthttps://api.yourcompany.com
The selected environment on Activate Agent is what powers the install snippet.

Session headers

Session headers map values from browser storage into outgoing request headers. Supported storage sources:
  • localStorage
  • sessionStorage
  • JavaScript-readable cookies
For each mapped header, the widget:
  1. reads the stored value from the browser
  2. builds the request header
  3. sends the backend tool request to your configured base URL
Widget -> Browser storage : read configured key
Browser storage -> Widget : token or value
Widget -> Widget          : build request headers
Widget -> Customer API    : fetch baseUrl + path
Customer API -> Widget    : response

Start with authorization

In most setups, the first header should be:
  • Header: authorization
  • Source: wherever your auth token is stored
  • Key: the exact storage key name
If the header name is authorization, Warpy can format the value for you:
Auth typeSent value
BearerBearer <stored value> unless it is already prefixed
BasicBasic <stored value> unless it is already prefixed
No prefixthe stored value exactly as-is

How to find the right storage key

  1. Sign in to your product.
  2. Open browser DevTools.
  3. Check Application or Storage for localStorage, sessionStorage, or cookies.
  4. Find the value your app uses for authenticated requests.
  5. If the stored value already includes Bearer , use No prefix.
  6. If the stored value is just the raw token, use Bearer.

Common mappings

What your app storesSourceKeyHeaderAuth type
raw JWT tokenlocalStorageaccess_tokenauthorizationBearer
full Bearer ... stringlocalStorageauth_headerauthorizationNo prefix
tenant or workspace idcookiestenant_idx-tenant-idnot applicable

The widget can only map cookies visible to JavaScript through document.cookie. If your auth cookie is HttpOnly, you cannot extract it into a Session Header mapping.

If your app relies on same-origin cookies, normal browser cookie behavior may still apply to same-origin requests. Session Header mappings are the explicit path when you want deterministic header-based auth.

Cross-origin note

Warpy executes backend tool requests from the browser, not from a hidden server-side proxy. The configured base URL must be reachable from the user’s browser and compatible with your CORS and auth setup. For the first launch:
  • add local and production
  • map authorization
  • verify one backend tool manually
  • only then continue to Features and tools