Group List Management As A Service


@realMissLiviRose is there a way to manage the Lists and the Groups using a Web Service as opposed to logging into High Fidelity webpage directly?

I’ve tried to add a user to a private list using the console but I’m not getting the Request Headers correct and thus I end in a 401.

example: trying to add user ‘thoys’ to a list using xhr in a console

cc: @b


Thank you for the follow up at the Community Meeting. I look forward to the possibility of this feature request!


Hey @humbletim!

This is the example of my attempt. You mentioned using the ‘bearer token’ it appears to be missing in my feeble attempt here. Since our discussion last night, I have followed your instructions on creating a said token and I’m curious; does it need to be included as a query param in the endpoint URL? Should I tack it onto the data payload?

Obviously, I won’t be pasting my created token here, but if you could generalize the process, it would be greatly appreciated.



Hey @AlphaVersionD!

Here is a general example of setting the bearer token on an XHR request:

var xhr = new XMLHttpRequest();, url, async);
xhr.setRequestHeader('Authorization', 'Bearer ' + token);

Also this Answer on Stack Overflow shows one way to package things into a helper function that automatically adds the token to requests.

For the use case in your screenshot, I think you might also need to set a content type header and encode the data as JSON before sending; something like:

xhr.setRequestHeader('Content-Type', 'application/json');

Hope that helps!



Tim… seriously; thank you very much.


Removing the ‘solved’ check mark from your suggestion. The XHR you have provided is functional when correctly structured. However, an escalation to in lieu of a request for CORS on server for use ‘…as a service’

Response to preflight request doesn't pass access control check:
   No 'Access-Control-Allow-Origin' header is present on the requested resource.
   Origin '' is therefore not allowed access.

Clearly, this means when attempting to leverage this API as a service from a private server (aka not a google console. :slight_smile: it will also fail.

Thanks again for helping take the concept this far.


Well… most web browsers block cross-origin requests by default, but that’s a good thing (I think).

Do you really need to hit the metaverse API from a web browser though? Or rather, client-side in a web browser?

What I would do instead is run a secure web server that was configured to handle a limited set of Group changes. The changes could still be submitted from a web browser, but all access to the metaverse API (and my Bearer token) would take place server-side


ps: here are some example code snippets that show how to use a Bearer token with built-in server features to make “server-to-server” API requests: Node.js (with ‘request’ module) and PHP (with ‘cURL’ library).


While I agree this is the right approach for my needs, I’m still running into a refused connection when attempting to do this 'server-to-server’ using node.js


Hello @AlphaVersionD, @humbletim,
I am trying to do the same thing. Can you share any working code?