Request context propagation

Propagate incoming HTTP request headers and query parameters to outgoing REST API calls.

Overview

OMS can capture incoming HTTP request headers and query parameters and make them available throughout the service execution, enabling following benefits:

  • Token reuse
  • Correlation ID propagation
  • Gateway-based security models
  • MCP and API Gateway integrations

Security model

Request context propagation uses a whitelist-based security model:

  • Whitelist-based header propagation
  • Explicit opt-in via configuration
  • Read-only access for customers
  • No automatic leakage of headers

Header whitelisting

Default whitelisted headers:

Authorization, Content-Type, Accept, X-*

These headers are whitelisted by default:

  • Authorization - Authentication tokens
  • Content-Type - Request content type
  • Accept - Response content type preference
  • X-* - All headers starting with X- such as X-Correlation-ID, X-Request-ID, X-API-Key

You can override the default whitelist by configuring the following property:

yfs.rest.allowed.headers=Authorization,Content-Type,Accept,X-*,Custom-Header
Note: Only whitelisted headers are available via #{h:} syntax.

Header propagation

You can override incoming headers by specifying a different value in the service definition.

Example: Use incoming header:
<Header Name="Authorization" Value="#{h:authorization}"/>
Example: Override with static value:
<Header Name="Authorization" Value="Bearer my-static-token"/>
Example: Override with property:
<Header Name="Authorization" Value="Bearer ${my.override.token}"/>
Header whitelisting

Default whitelisted headers:

Authorization, Content-Type, Accept, X-*

These headers are whitelisted by default:

  • Authorization - Authentication tokens
  • Content-Type - Request content type
  • Accept - Response content type preference
  • X-* - All headers starting with X- such as X-Correlation-ID, X-Request-ID, X-API-Key

You can override the default whitelist by configuring the following property:

yfs.rest.allowed.headers=Authorization,Content-Type,Accept,X-*,Custom-Header
Note: Only whitelisted headers are available via #{h:} syntax.

Query parameter propagation

You can propagate incoming query parameters to the outgoing REST API call using the #{q:paramName} syntax.

Examples:
- `#{q:itemId}` - Propagates the `itemId` query parameter
- `#{q:page}` - Propagates the `page` query parameter
- `#{q:limit}` - Propagates the `limit` query parameter

You can also use static values (`"value"`), properties (`${property}`), or extract from JSON/XML (`$.json` or `/xpath`) for query parameters. For more information, see Dynamic variable resolution.

Programmatic access

You can access incoming headers and query parameters programmatically in custom code or UI extensions using the YCPRequestContextUtil utility class.

Available methods:

Get specific header:

String authHeader = YCPRequestContextUtil.getHeader(env, "Authorization");
Get all headers:
Map<String, String> allHeaders = YCPRequestContextUtil.getAllHeaders(env);

Get specific query parameter:

String itemId = YCPRequestContextUtil.getQueryParameter(env, "itemId");
Get all query parameters:
Map<String, String> allParams = YCPRequestContextUtil.getAllQueryParameters(env);

Example usage in custom code:

import com.yantra.yfs.japi.util.YCPRequestContextUtil;

public class MyCustomService {
    public void execute(YFSEnvironment env, Document input) {
        // Get Authorization header
        String authToken = YCPRequestContextUtil.getHeader(env, "Authorization");
        
        // Get correlation ID
        String correlationId = YCPRequestContextUtil.getHeader(env, "X-Correlation-ID");
        
        // Get query parameter
        String itemId = YCPRequestContextUtil.getQueryParameter(env, "itemId");
        
        // Use these values in your custom logic
        if (authToken != null) {
            // Process with auth token
        }
    }
}
Note: Only whitelisted headers are accessible. Query parameters are always available.

Complete example

Scenario: Propagate authentication token, correlation ID, and query parameter to an external inventory API.

Incoming request:

POST /executeFlow/checkInventory?itemId=ITEM001
Authorization: Bearer abc123
X-Correlation-ID: corr-789

Service definition configuration:

Outgoing REST call automatically includes

  • Same authorization token
  • Same correlation ID
  • Same query parameter

No Java code required. No payload manipulation needed.