PIXERA offers a powerful API that enables creative professionals to build custom workflows and integrations. Designed for artistic and media-rich environments, PIXERA gives users the flexibility to shape immersive experiences with precision and creativity by providing direct access to powerful functionality. To ensure secure operation in these contexts, we strongly recommend deploying PIXERA in an isolated network, separate from general IT infrastructure.
At the same time, we increasingly see PIXERA being used in environments where managing external access through network configuration alone is challenging. To give you control over the exposed API in these use cases, 25.2 introduces an allowlist feature. Specific API commands can now be blocked or allowed based on fine-grained configuration in the settings. This lays the groundwork for a wide range of deployment scenarios that involve external access points, unlocking even more creative potential and integration possibilities.
When enabled, the allowlist permits only the API commands/control actions listed in the Action Allowlist. This also affects the Web UI controls when used from an external browser; the internal Control inside the PIXERA GUI still allows full use.
Info
For security reasons, starting with version 25.2, all API communication is disabled by default and must be enabled by the user in order to be used. This option is stored in the PIXERA settings and is not linked to the project file.
GUI representation
If the allowlist is enabled and access to the API is restricted or blocked, this status is visually indicated by the corresponding icon in the GUI.

Right-clicking the icon opens a context menu where you can manage access settings — either to activate the allowlist globally or to include or exclude all API access points.
Left-clicking on this icon takes you directly to the settings, where this option can be found.
Settings

To deactivate this restriction, please deactivate “Restrict Web Access to Actions That Match Allowlist”.
This checkbox affects all commands sent from an external web UI, as well as API commands sent to one of the API access points.
The API access points can also be activated and deactivated separately.
If the “Restrict Web Access to Actions That Match Allowlist” checkbox is unchecked, this also disables API access restriction even if “Use Control Action Allowlist To Restrict API Access” is checked.

Tip
Error response when a request is not authorized:
{"error":{"code":-32602,"message":"Access is not authorized."},"id":1,"jsonrpc":"2.0","result":null}
The behavior in the Control Web UI when commands and/or control functions are not enabled can be seen in the upper right corner.
Here, the user is informed that they are not authorized.

The web UI editor within PIXERA Control is exempt from this restriction; it always has full access rights.
Tip
For new installations, both settings are activated for security reasons. We recommend deactivating them for a simpler and faster show setup.
Allowlist Options and Syntax
To restore full access to the API, please uncheck the box “Restrict Web Access To Actions That Match Allowlist.”
The allowlist provides an editor that allows you to set commands. It also has an export and import function.
Syntax
- NewModule.test → Only allow the action “test” in “NewModule”
- NewModule.Folder.* → Allows everything in the Folder “Folder” of Module “NewModule”
- NewModule.* → Allows Everything in “NewModule”
- * → Allow all and use other commands to Deny actions (Invert Allowlist to Blocklist)
The “Deny” button inverts this, so that only those commands are denied.
Action strings can use an asterisk (*) as a wildcard for any part of the action path. This means it matches all action paths that share the remaining parts. For example, "*.act1" matches any action named "act1" in any module.
Export
The Export button allows you to export the list in JSON format.
{
  "entries": [
    {
      "command": "NewModule.test",
      "isBlack": false
    },
    {
      "command": "NewModule.Folder.*",
      "isBlack": false
    },
    {
      "command": "NewModule.*",
      "isBlack": false
    }
  ]
}
Import
The Import button allows you to import the list as JSON using the syntax described above.
Recommendation
This is a summary list of recommended commands to block.
{
  "entries": [
    {
      "command": "pixcGetAddressDescriptions",
      "isDeny": false
    },
    {
      "command": "*.Utils.Filesystem",
      "isDeny": true
    },
    {
      "command": "*.Utils.System",
      "isDeny": true
    },
    {
      "command": "*.Utility.Filesystem",
      "isDeny": true
    },
    {
      "command": "*.Utility.System",
      "isDeny": true
    },
    {
      "command": "*.Utility.runJsScript",
      "isDeny": true
    },
    {
      "command": "*.Utility.dynamicRebuildFromJsonDescription",
      "isDeny": true
    },
    {
      "command": "*.dynamicRebuild",
      "isDeny": true
    },
    {
      "command": "*.dynamicRebuildFromDescription",
      "isDeny": true
    },
    {
      "command": "*.dynamicRebuildFromJsonDescription",
      "isDeny": true
    },
    {
      "command": "*.WebViews.setFuncBodyState",
      "isDeny": true
    },
    {
      "command": "*.WebViews.setTag",
      "isDeny": true
    },
    {
      "command": "*.WebViews.setEditorIsUsingBlocks",
      "isDeny": true
    },
    {
      "command": "*",
      "isDeny": false
    }
  ]
}
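An offline check of an exported list against the recommendation above, as an added example that is not PIXERA code: it reports which recommended deny patterns are missing from a list that allows "*". Assumptions: "isBlack" and "isDeny" name the same flag, and patterns are compared as literal strings, without modelling how PIXERA evaluates wildcards; the function names and the sample list are constructed for illustration.

```python
import json

# Deny patterns copied from the Recommendation list on this page.
RECOMMENDED_DENY = [
    "*.Utils.Filesystem", "*.Utils.System",
    "*.Utility.Filesystem", "*.Utility.System",
    "*.Utility.runJsScript",
    "*.Utility.dynamicRebuildFromJsonDescription",
    "*.dynamicRebuild", "*.dynamicRebuildFromDescription",
    "*.dynamicRebuildFromJsonDescription",
    "*.WebViews.setFuncBodyState", "*.WebViews.setTag",
    "*.WebViews.setEditorIsUsingBlocks",
]

def load_entries(text):
    """Return (command, is_deny) pairs; accepts "isDeny" or "isBlack" (assumed equivalent)."""
    pairs = []
    for entry in json.loads(text).get("entries", []):
        if not isinstance(entry, dict):
            raise ValueError(f"malformed entry: {entry!r}")
        flag = entry.get("isDeny", entry.get("isBlack"))
        if not isinstance(entry.get("command"), str) or not isinstance(flag, bool):
            raise ValueError(f"malformed entry: {entry!r}")
        pairs.append((entry["command"].strip(), flag))
    return pairs

def audit_allowlist(text):
    """Compare an exported list with the recommended deny set (literal comparison)."""
    pairs = load_entries(text)
    allowed = {cmd for cmd, deny in pairs if not deny}
    denied = {cmd for cmd, deny in pairs if deny}
    catch_all = "*" in allowed
    return {
        "catch_all_allow": catch_all,
        # Only a list that allows "*" depends on deny entries for protection.
        "missing_denies": [p for p in RECOMMENDED_DENY if p not in denied] if catch_all else [],
        # The same pattern listed both as allow and as deny.
        "conflicts": sorted(allowed & denied),
        # A recommended deny pattern that is explicitly allowed instead.
        "allowed_but_recommended_deny": [p for p in RECOMMENDED_DENY if p in allowed],
    }

# Constructed sample: a list that allows "*" but omits most recommended denies.
SAMPLE = json.dumps({"entries": [
    {"command": "*.Utils.Filesystem", "isDeny": True},
    {"command": "*.Utility.runJsScript", "isDeny": False},
    {"command": "*", "isDeny": False},
]})

if __name__ == "__main__":
    print(json.dumps(audit_allowlist(SAMPLE), indent=2))
```

Run it on the JSON produced by the Export button before importing the list on another machine; an empty `missing_denies` together with `catch_all_allow` set to true means every recommended deny entry is present.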
PIXERA 25.2 R 3 | 14. October 2025 | J.B.