
I am working on something that uses LWC with the Tooling API. I wrote the method below, which makes a callout. When I call this method from LWC, I'm unable to get a session Id, but if I call the same method from the Developer Console, it works fine.

Apex Code:
@AuraEnabled 
public static string getList(String fieldName){  
    HttpRequest req = new HttpRequest();
    req.setHeader('Authorization', 'Bearer ' + UserInfo.getSessionId());
    System.debug('res------>'+UserInfo.getSessionID());
    req.setHeader('Content-Type', 'application/json');
    req.setEndpoint('callout:Tooling_Query/query/?q=Select+id,Namespaceprefix,developername,TableEnumOrId+FROM+customfield+Where+developername+LIKE\'' +fieldName+ '\'');
    req.setMethod('GET');
    Http h = new Http();
    HttpResponse res = h.send(req);
    System.debug('res------>'+res.getBody());       
    return res.getBody();
}

When I call it from LWC, it returns this:

[{"message":"This session is not valid for use with the REST API","errorCode":"INVALID_SESSION_ID"}]

So, how can I get the session Id from LWC? I already set up a Connected App and a Named Credential named Tooling_Query, and added the URL to remote sites.

Please help me here.

1 Answer

You can't. Your Apex code called in a Lightning Web Components context cannot get an API-enabled Session Id. This is documented in the Lightning Web Components Dev Guide:

By security policy, sessions created by Lightning components aren’t enabled for API access. This restriction prevents even your Apex code from making API calls to Salesforce. Using a named credential for specific API calls allows you to carefully and selectively bypass this security restriction.

The restrictions on API-enabled sessions aren’t accidental. Carefully review any code that uses a named credential to ensure you’re not creating a vulnerability.

The only supported approach is to use a Named Credential authenticated as a specific user.


There is a hack floating around that exploits a Visualforce page to obtain a Session Id from such an Apex context. I do not recommend doing this, especially if you need to access the privileged Tooling API. Use the correct solution and build a Named Credential.


4 Comments

Sir, I already set up a Named Credential with Authenticated as [email protected] Status, but I'm getting the same result.
Did you use the Named Credential explicitly in your callout? The system won't use it automatically.
Yes, I did, but the same result. I just edited my Apex class code above.
@DavidReed chicken and egg here: I sometimes use the SessionId from Visualforce to call Metadata API to create (now forbidden) or modify (allowed when packaged) NamedCredential. See here: github.com/rsoesemann/app-setup/blob/master/force-app/main/…
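
Added example, not code from the question, the answer or the comments: the question's `getList` method written to rely only on the `Tooling_Query` Named Credential, without reading `UserInfo.getSessionId()`, with the `fieldName` parameter escaped and URL-encoded before it reaches the SOQL query. The class name `ToolingFieldLookup` is hypothetical, and the example assumes the Named Credential's URL ends at the Tooling API root and is configured to generate the Authorization header.

```apex
public with sharing class ToolingFieldLookup { // hypothetical class name

    @AuraEnabled
    public static String getList(String fieldName) {
        if (String.isBlank(fieldName)) {
            throw new AuraHandledException('fieldName is required');
        }

        // fieldName comes from the client: escape quotes so it cannot
        // terminate the string literal and alter the query.
        String soql =
            'SELECT Id, NamespacePrefix, DeveloperName, TableEnumOrId ' +
            'FROM CustomField WHERE DeveloperName LIKE \'' +
            String.escapeSingleQuotes(fieldName) + '\'';

        HttpRequest req = new HttpRequest();
        // Assumption: Tooling_Query points at the Tooling API root, so
        // only the /query/ resource is appended here.
        req.setEndpoint('callout:Tooling_Query/query/?q=' +
            EncodingUtil.urlEncode(soql, 'UTF-8'));
        req.setMethod('GET');
        req.setHeader('Accept', 'application/json');
        // No Authorization header is set in code. The Named Credential
        // supplies the credentials of the user it is authenticated as;
        // the Lightning session Id is never sent.

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Keep the raw API error in the server-side log instead of
            // returning it to the component.
            System.debug(LoggingLevel.ERROR,
                'Tooling query failed: ' + res.getStatusCode() +
                ' ' + res.getBody());
            throw new AuraHandledException(
                'Tooling API query failed with status ' +
                res.getStatusCode());
        }
        return res.getBody();
    }
}
```

Because the callout runs as the Named Credential's user rather than the calling user, restrict who can invoke the `@AuraEnabled` method and keep the query limited to the fields the component needs.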
