Using data service through hosted script

I was excited to see that in the new 2.0 release of Backendless there is Node.js support with hosted scripts. I would like to use hosted scripts to perform CRUD operations on tables through the data service. Is there documentation or examples on how to do this? I looked at the doc here, but this is for Java, not JavaScript.



This link describes how the server code feature works (currently Java only).
You can use Node.js in the Hosting Scripts service. You can find more information in this video:


Hi, Greg,

The Hosting Scripts service is a bit different from Server Code. In short, it allows you to create a Node.js script in File Service and then just be able to call it using the file’s public URL - and that’s it. That’s not an event, that’s just like an API route. And sure, you can use the Backendless JS client library inside your script.

If you need more information about the service, the video given above by Kate explains pretty much everything you need to know in order to start creating hosted scripts.


Hi Sergey, thanks for the response. If I can call the Backendless JS library inside a hosted script, that should meet my needs. I have one concern though about security. Let me explain what I am trying to do and maybe you can provide feedback.

My app is a quiz-based app where users submit their answers to a data table that stores the answers. After the time for the quiz expires, I need to update the answers data table with the score for each answer based on its accuracy. So I would like to use hosted scripts to create a “score_quiz” script where I pass the correct answer set as a parameter to the script and each row in the answers table for the quiz is updated with the score. I think I should be able to do all this using the Backendless JS client library from inside the hosted script. The concern I have is that the script is executed through a public URL. Since this script will perform an important admin function for my app, it is critical that only the right people are allowed to execute the script. I see the script URL has the app id in it. So my questions are:

  1. Is the app id exposed to users? Could they discover this ID and reverse engineer the URL to be able to execute the script?

  2. Is there any way to set permissions on the execution of a hosted script (i.e. restrict to certain users)?


As to the first question, your application ID and secret key are not really supposed to be secret (in fact, they’re totally visible in the JavaScript code you use on your website, for example). So sure, your users can see them and can try to execute requests against your backend - not only the hosted scripts, but also any Backendless service.

This is where we come to your second question: you should always set up the permissions for your backend. With hosted scripts you can do that with File Service permissions.

So in your case I would recommend that you allow read and write operations only for the admin user, and deny them for everybody else.