ThingWorx Flow > Installation and Configuration > Configuring ThingWorx Flow > Making an External Call to ThingWorx Flow
Making an External Call to ThingWorx Flow
Use one of the following methods to make an external call to ThingWorx Flow:
Make a REST Call from an external website to ThingWorx Flow
If a website tries to make a REST call to the ThingWorx Flow server, the server blocks the request, as it is a Cross-Origin request. To allow this, the ThingWorx Flow server must be configured to allow Cross-Origin requests from websites. Add a CORS (Cross-Origin Resource Sharing) filter to the ThingWorx Flow server to enable Cross-Origin requests. Other websites deployed on a different server can then access data from the ThingWorx Flow server.
Complete the following steps to enable a website to make a REST call to ThingWorx Flow:
1. Shut down any running Nginx instances.
2. Open the vhost-flow.conf file at the following location under your Nginx installation.
Windows: C:/Program Files/nginx-<version>/conf/conf.d
Linux: /etc/nginx/conf/conf.d
3. In the vhost-flow.conf file, under the location /Thingworx section, locate the proxy_set_header X-Content-Type-Options nosniff; line, and add the following lines:
set $cors '';
# Right side of condition can be regular expression:
# if ($http_origin ~ '^https?://(localhost|www\.yourdomain\.com|www\.yourotherdomain\.com)')
if ($http_origin = '<Origin_that_calls_ThingWorx_Flow>') {
set $cors 'true';
if ($cors = 'true') {
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
# OPTIONS indicates a CORS pre-flight request
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '$http_origin';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
4. If you have installed ThingWorx Foundation and ThingWorx Flow on different machines, then do the following:
Find the following line in the vhost-flow.conf file:
# add_header Content-Security-Policy
Add the following lines under the above line:
add_header Content-Security-Policy "frame-ancestors 'self' <Origin_that_calls_ThingWorx_Flow>;";
You can hard-code the domain name or provide a RegEx. For example: add_header Content-Security-Policy "frame-ancestors 'self' https://*;";
5. Replace <Origin_that_calls_ThingWorx_Flow> with the URL of the website that is trying to access ThingWorx Flow.
6. Restart the Nginx service.
Make a WebSocket call to ThingWorx Flow
By default, you can make WebSocket Secure (wss) calls to ThingWorx Flow.
WebSocket (ws) calls are not supported.
Was this helpful?