SharePoint PnP Webcast - Calling external APIs securely from SharePoint Framework




In this PnP Webcast, we concentrate on how to secure traffic from SharePoint Framework solution towards an external API hosted in Azure. Technically similar process does work with other platforms as well, but Azure is typically used as customization platform also for solutions hosted in SharePoint Online. Webcast demo concentrates showing securely calling an Azure function from client-side web part, but you can absolutely also securely call WebAPIs using similar pattern.


More details from following blog post at



2 Replies

Love these informative and easy to follow WebCasts, I only wish there were more, not at all taking away from the astounding load of content you guys put out! Some of it is just a little bit ahead of my game :\


Could someone instruct me on the best practices for contacting an external API, for which the user would input an authentication key?


I'm using "this.context.httpClient.get()" to get a user specific list of objects from a third party web service. During runtime I'm getting hit by some CORS errors (I believe) the error I get is:

                   "Response to preflight request doesn't pass access control check: No

                 'Access-Control-Allow-Origin' header is present on the requested resource."

Is there some SP specific way of handling this or just any solution in general, I am new to this and didn't realize this could be a problem before I got hit with the error :\



I just got a response from the serivce and they do not support client side calls, would the best course be utilizing azure functions or no? Again any and all input appreciated :)


Thanks in advance,



Great Info.  I got it working all the way up to my external API getting an "Authorization" header.  But the header is always empty?


   [Authorization] =>  
   [Host] => 
   [Connection] => keep-alive 
   [Content-Length] => 0 
   [Pragma] => no-cache 
   [Cache-Control] => no-cache 
   [Accept] => application/json;odata=verbose 
   [Origin] => 
   [User-Agent] => Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 
   [Content-Type] => application/json;odata=verbose;charset=utf-8 
   [Referer] => 
   [Accept-Encoding] => gzip, deflate, br 
   [Accept-Language] => en,fr;q=0.9,en-US;q=0.8,en-GB;q=0.7 
   [X-Forwarded-Proto] => https 
   [X-Ssl-Cipher] => TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD 
   [X-Forwarded-For] => X.X.X.X