Skip to content
Astonish
Docs
Web & HTTP Tools

Web & HTTP Tools

Fetch web pages and make API calls

The Web & HTTP category includes 2 tools for fetching web content and making API requests with full control over authentication.

web_fetch

Section titled “web_fetch”

Fetch a URL and extract content as markdown, text, or HTML. This is the preferred tool for reading web content — it is fast, free, and requires no API key.

For JavaScript-heavy pages that return empty content, use the browser tools instead.

ParameterTypeRequiredDescription
urlstringYesHTTP or HTTPS URL to fetch
modestringNoExtraction mode: markdown (default), readable, or raw
max_charsintNoMax characters to return (default: 50000)

http_request

Section titled “http_request”

Make HTTP requests with full control over method, headers, body, and authentication. Set credential to a stored credential name for automatic auth header injection.

ParameterTypeRequiredDescription
urlstringYesURL to send the request to
methodstringNoHTTP method (default: GET)
headersobjectNoAdditional HTTP headers
bodystringNoRequest body
credentialstringNoStored credential name for auth
timeoutintNoTimeout in seconds (default: 30, max: 120)
max_bytesintNoMax response size (default: 2MB)

When to use which

Section titled “When to use which”
Use caseTool
Read an article, docs page, or blog postweb_fetch
Download and parse a web pageweb_fetch
Call a REST APIhttp_request
Send data with POST/PUT/PATCHhttp_request
Make an authenticated requesthttp_request with credential
Interact with a JavaScript-heavy SPABrowser tools

Credential integration

Section titled “Credential integration”

The credential parameter on http_request connects to the credential store, allowing authenticated requests without exposing secrets in tool calls.

To use it, pass the name of a stored credential:

{
  "url": "https://api.example.com/data",
  "method": "GET",
  "credential": "my-api-key"
}

The appropriate authorization header is injected automatically based on the credential type:

Credential typeHeader format
API keyAuthorization: ApiKey <key> or custom header
Bearer tokenAuthorization: Bearer <token>
Basic authAuthorization: Basic <base64(user:pass)>
OAuthAuthorization: Bearer <access_token>

For OAuth credentials, token refresh is handled automatically when the access token expires.

Security

Section titled “Security”

http_request restricts outbound requests to private IP ranges by default to prevent server-side request forgery (SSRF):

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
  • 127.0.0.0/8 (localhost)

This restriction means http_request can be used to access internal services running on your local network or machine. Requests to public internet addresses are allowed without restriction.

Home

Getting Started

Introduction Installation Quick Setup Running as a Service Choose Your Interface

Chat & Sessions

Chat Overview Sessions Memory & Knowledge Skills Sub-agents & Delegation

Built-in Tools

Tools Overview File & Search Shell & Process Web & HTTP Browser Automation Email Tools Credential Management Scheduler & Agent

Studio

Overview Studio Chat Flow Editor Running & Debugging Settings Keyboard Shortcuts

CLI Reference

Overview chat & sessions flows daemon & scheduler channels & fleet Utility Commands

Communication Channels

Overview Telegram Email Channel

Fleet — Multi-Agent Teams

Overview Templates Plans Sessions & Threads Fleet in Studio

Flows & Automation

Overview YAML Reference Flow Distillation Nodes, Edges & State

Configuration

AI Providers MCP Servers Taps & Flow Store Config File Reference Authentication

Reference

Glossary Troubleshooting