@realMissLiviRose is there a way to manage the Lists and the Groups using a Web Service as opposed to logging into High Fidelity webpage directly?
I’ve tried to add a user to a private list using the console but I’m not getting the Request Headers correct and thus I end in a 401.
example: trying to add user ‘thoys’ to a list using xhr in a console
cc: @b
Thank you for the follow up at the Community Meeting. I look forward to the possibility of this feature request!
Hey @humbletim!
This is the example of my attempt. You mentioned using the ‘bearer token’ it appears to be missing in my feeble attempt here. Since our discussion last night, I have followed your instructions on creating a said token and I’m curious; does it need to be included as a query param in the endpoint URL? Should I tack it onto the data payload?
Obviously, I won’t be pasting my created token here, but if you could generalize the process, it would be greatly appreciated.
THANKS!
Hey @AlphaVersionD!
Here is a general example of setting the bearer token on an XHR request:
var xhr = new XMLHttpRequest();
xhr.open(method, url, async);
xhr.setRequestHeader('Authorization', 'Bearer ' + token);
xhr.send(...);
Also this Answer on Stack Overflow shows one way to package things into a helper function that automatically adds the token to requests.
For the use case in your screenshot, I think you might also need to set a content type header and encode the data as JSON before sending; something like:
//...
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify(data));
//...
Hope that helps!
Removing the ‘solved’ check mark from your suggestion. The XHR you have provided is functional when correctly structured. However, an escalation to support@highfidelity.io in lieu of a request for CORS on server for use ‘…as a service’
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'https://www.google.com' is therefore not allowed access.Clearly, this means when attempting to leverage this API as a service from a private server (aka not a google console. 
it will also fail.
Thanks again for helping take the concept this far.
Well… most web browsers block cross-origin requests by default, but that’s a good thing (I think).
Do you really need to hit the metaverse API from a web browser though? Or rather, client-side in a web browser?
What I would do instead is run a secure web server that was configured to handle a limited set of Group changes. The changes could still be submitted from a web browser, but all access to the metaverse API (and my Bearer token) would take place server-side…
ps: here are some example code snippets that show how to use a Bearer token with built-in server features to make “server-to-server” API requests: Node.js (with ‘request’ module) and PHP (with ‘cURL’ library).
While I agree this is the right approach for my needs, I’m still running into a refused connection when attempting to do this 'server-to-server’ using node.js
Hello @AlphaVersionD, @humbletim,
I am trying to do the same thing. Can you share any working code?
