I highly appreciate you seeking clarity towards how things work together.
Let me decouple this for you.
- The fields in the installation page can be built using iparams.json or iparams.html; Both of them offer their own benefits.
- There are some special features(like validating api key in iparams.json) within these as these are part of the product in which app is running on. Ideally, we wouldn’t want developer to look elsewhere (REST API or the User input) for atleast to have access to the information within the product.
- Having platform features helps us give developer the ability to access information stored via the iparams page or installation page.
3.a. Using Request API in frontend helps the developer to hide sensitive information such as API keys from being exposed via Developer tools in browsers. This is when using <%= iparam.field_name %> will substitute appropriate field value when making a request. Retrieval can happen this way if non-sensitive information.
3.b. Serverless Event Handlers will receive iparams information in payload which “iparams” property in it. If you need to access secure iparams, you will need to use Request API.
Now, according 3.b. I assume
fuze_api_key is marked as secure. Try using this request using,
$request.get("https://api.fuze.com/chat/v2/webhooks/incoming/<%= iparam.fuze_api_key %>", options)
//"data" is a json string with status, headers, and response.
Hopefully, that should help.
Please don’t hesitate to share the constructive feedback. In this case, it help us understand that may be we should provide more sources or sample codes around secure iparams being used in backend to make 3rd party api calls.