Developing applications in the Contentstack platform often requires integration with third-party services that depend on secret credentials. Traditionally, this has meant building and maintaining complex backend systems to manage sensitive data and execute API calls.
Advanced Settings simplifies this process by eliminating the need for a custom backend. You can securely call external APIs that require sensitive information, without exposing those credentials to the frontend, ensuring both enhanced security and flexibility across your applications.
Additional Resource: To learn more about the API call implementation, refer to the API Integration in Developer Hub Apps documentation.
Many apps need sensitive settings like API keys to function properly. Instead of building a backend to manage them, Advanced Settings lets you securely store and use these values directly in API calls, no backend required.
Use Advanced Settings in the following scenarios:
Advanced Settings includes three integrated features that work together to streamline API integrations:
To use Advanced Settings, perform the following steps:
Additional Resource: Refer to the Creating an App in Developer Hub document to learn more about the Standard and Machine to Machine app categories.


Each section is explained in more detail below.
Rewrites are the only way to call external API endpoints using the appSdk.api method. They let you transform request URLs, so you can use clean, simple paths that map to more complex external URLs behind the scenes.
Contentstack automatically rewrites the request URL before sending it to the external service, making your code cleaner and easier to manage.
App developers can set up rewrite rules in Advanced Settings → Rewrites. When a request matches a defined source path, it is rewritten to the destination URL before being sent out.

When to use:

With Variables, you can securely store API keys and other sensitive credentials without exposing them in the frontend. These values are encrypted, stored on Contentstack infrastructure, and kept fully secure from client-side access.
Note: Variables are app-specific, meaning all installations of the app share the same values. To store installation-specific or user-specific secret configurations, use server configuration instead.
Variable substitution is supported in the appSdk.api method, allowing you to reference secure environment variables (such as API keys) in your API requests.
Instead of hardcoding secrets, use the syntax {{var.VARIABLE_NAME}} in request headers, URLs, or bodies. At runtime, these placeholders are replaced with the actual values stored in your app’s Advanced Settings → Variables.

When to use:

Mappings allow dynamic value substitution in API requests, so app administrators can configure URLs, endpoints, or other values that change across installations or environments.
Each mapping refers to a value stored in server configuration and can be used in the appSdk.api method with the syntax {{map.MAPPING_NAME}}. At runtime, this placeholder is replaced with the installation-specific value.
Mapping paths use dot notation to navigate nested objects and arrays in the server configuration. Each dot-separated segment goes one level deeper, and you can mix object keys and array positions in the same path.
For example, given this server configuration:
```json
{
  "apiKey": "api-key",
  "credentials": { "apiKey": "secret-abc" },
  "regions": ["us-east-1", "eu-west-1", "ap-south-1"],
  "accounts": [
    { "key": "first-acc-key" },
    { "key": "second-acc-key" }
  ]
}
```

| Mapping Path | Resolved Value |
|---|---|
| apiKey | api-key |
| credentials.apiKey | secret-abc |
| regions.2 | ap-south-1 (third item, zero-indexed) |
| accounts.0.key | first-acc-key |

When to use:

Template Substitution is the mechanism that resolves {{var.NAME}} and {{map.NAME}} placeholders at runtime. When a request is made using the appSdk.api method, the Contentstack platform scans the outbound request and replaces all recognized placeholders with their resolved values before forwarding it to the external service.
Placeholders can be placed in any of the following parts of a request:
| Location | Example |
|---|---|
| URL path | /api/{{var.API_VERSION}}/users |
| Query string | /search?limit={{var.LIMIT}}&offset={{var.OFFSET}} |
| Request headers | Authorization: Bearer {{var.TOKEN}} |
| Request body (JSON) | {"userId": "{{var.USER_ID}}", "apiKey": "{{map.API_KEY}}"} |

If a placeholder references a variable or mapping that has not been configured, the original placeholder syntax is preserved unchanged in the outbound request. No error is thrown.
For example, {{var.UNDEFINED_VAR}} in a header would be sent as {{var.UNDEFINED_VAR}} to the external service.
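The mapping-path and placeholder rules described above, as a local JavaScript model added here (not Contentstack's implementation or SDK code): it resolves dot-notation paths, substitutes `{{var.*}}` and `{{map.*}}`, and lists placeholders that would be forwarded unresolved. The mapping names, variable values, request shape and the allowed placeholder-name characters are assumptions; the server configuration is the one shown earlier on this page.

```javascript
// Local model of the documented substitution rules; not Contentstack's code.
const PLACEHOLDER = /\{\{(var|map)\.([A-Za-z0-9_]+)\}\}/g; // name charset is assumed
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Walk a dot-notation path; arrays take in-range indexes, objects own keys only.
function resolvePath(config, path) {
  let node = config;
  for (const segment of path.split(".")) {
    if (node === null || typeof node !== "object") return undefined;
    const ok = Array.isArray(node)
      ? /^\d+$/.test(segment) && Number(segment) < node.length
      : has(node, segment);
    if (!ok) return undefined;
    node = node[segment];
  }
  return node;
}

// Resolve one placeholder; undefined means it is not configured.
function lookup(kind, name, ctx) {
  if (kind === "var") return has(ctx.variables, name) ? ctx.variables[name] : undefined;
  return has(ctx.mappings, name) ? resolvePath(ctx.serverConfig, ctx.mappings[name]) : undefined;
}

// Replace configured placeholders; unconfigured ones stay as literal text.
function substitute(text, ctx) {
  return text.replace(PLACEHOLDER, (whole, kind, name) => lookup(kind, name, ctx) ?? whole);
}

// Pre-release check: placeholders that would reach the external service as-is.
function findUnresolved(request, ctx) {
  const parts = [request.url, ...Object.values(request.headers || {}), request.body || ""];
  const missing = new Set();
  for (const part of parts)
    for (const [whole, kind, name] of part.matchAll(PLACEHOLDER))
      if (lookup(kind, name, ctx) === undefined) missing.add(whole);
  return [...missing];
}

// Constructed sample data; serverConfig is the example from this page.
const sampleCtx = {
  variables: { API_VERSION: "v2", TOKEN: "constructed-token" },
  mappings: { REGION: "regions.2", ACCOUNT_KEY: "accounts.0.key" },
  serverConfig: { apiKey: "api-key", credentials: { apiKey: "secret-abc" },
    regions: ["us-east-1", "eu-west-1", "ap-south-1"],
    accounts: [{ key: "first-acc-key" }, { key: "second-acc-key" }] },
};
const sampleRequest = { url: "/api/{{var.API_VERSION}}/users?region={{map.REGION}}",
  headers: { Authorization: "Bearer {{var.TOKEN}}", "X-Trace": "{{var.UNDEFINED_VAR}}" } };
```

Because no error is thrown for an unconfigured name, running a check like `findUnresolved` over an app's request templates before release catches a mistyped or missing variable that would otherwise be sent to the third party as literal text.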
Advanced Settings represents a significant leap forward in how developers build and deploy applications on the Contentstack platform. By eliminating backend complexity while enhancing security and flexibility, it allows you to focus on delivering exceptional user experiences instead of managing infrastructure.
The combination of the .api() method, Variables, Mappings, and Rewrites provides a powerful toolkit that scales from simple API calls to complex, enterprise-grade integrations. When combined with the new App Permissions system, you gain full transparency and control over how your applications interact with external services.