Jetty

Documentation for Jetty

Edge Functions

Edge functions let you run JavaScript at the Jetty edge server before requests reach your local app, after responses come back, or when errors occur. Use them for request transformation, auth injection, rate limiting, A/B testing, response modification, and more.

How it works

When a request arrives at your tunnel's public URL, the edge server checks for any enabled edge functions. Functions execute in priority order (lower number = runs first) inside a sandboxed JavaScript interpreter. The interpreter has no filesystem or network access, keeping your tunnel secure.

Creating a function

  1. Open the Dashboard and click on your active tunnel.
  2. Scroll to the Edge Functions section.
  3. Enter a Name (human-readable label), pick a Trigger, and write your JavaScript Code.
  4. Click Add Function.

You can also manage edge functions via the API:

# List functions
curl -H "Authorization: Bearer $TOKEN" \
  https://app.usejetty.online/api/tunnels/$TUNNEL_ID/edge-functions

# Create a function
curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"Add auth","trigger":"before_request","code":"request.headers[\"Authorization\"]=\"Bearer tok\";"}' \
  https://app.usejetty.online/api/tunnels/$TUNNEL_ID/edge-functions

Trigger types

Trigger When it runs
before_request Before the request is forwarded to your local app. Modify request headers, path, query, or body. Return a response early to short-circuit.
after_response After your local app responds but before the response is sent to the client. Modify response status, headers, or body.
on_error When the edge encounters an error (e.g., your local app is unreachable). Build a custom error response.

Available objects

request

Property Type Description
request.method string HTTP method (GET, POST, etc.)
request.path string Request path (e.g., /api/users)
request.query string Query string (e.g., page=1&limit=10)
request.headers object Request headers (read/write)
request.body string Request body (read/write)

response

Property Type Description
response.status number HTTP status code
response.headers object Response headers (read/write)
response.body string Response body (read/write)

To short-circuit a before_request function and return immediately without forwarding, set response.status and return response.

Examples

Auth header injection

Add an Authorization header to every request before it reaches your app:

request.headers["Authorization"] = "Bearer my-secret-token";

Path rewriting

Redirect old paths to new ones:

if (request.path.startsWith("/old")) {
    response.status = 301;
    response.headers["Location"] = "/new" + request.path.slice(4);
    return response;
}

Blocking by user agent

Return 403 for requests from bots:

if (request.headers["User-Agent"].includes("bot")) {
    response.status = 403;
    response.body = "Blocked";
    return response;
}

Add CORS headers

Inject CORS headers on every response:

response.headers["Access-Control-Allow-Origin"] = "*";
response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS";
response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";

Custom error page

Return a friendly HTML page when the upstream is down (on_error trigger):

response.status = 503;
response.headers["Content-Type"] = "text/html";
response.body = "<h1>Maintenance</h1><p>Back shortly.</p>";
return response;

Timeout and limits

  • Default timeout: 100ms per function.
  • Maximum timeout: 5,000ms (5 seconds).
  • Maximum functions per tunnel: 10.
  • Maximum code size: 50KB per function.
  • Functions that exceed their timeout are terminated and the request continues as if the function was not present.

Security

Edge functions run in a sandboxed JavaScript interpreter on the edge server. The sandbox provides:

  • No filesystem access
  • No network access (no fetch, XMLHttpRequest, etc.)
  • No access to other tunnels or system resources
  • Strict timeout enforcement

Functions can only read and modify the request and response objects passed to them.

Permissions

  • Viewing edge functions requires the Viewer role or higher.
  • Creating, updating, and deleting edge functions requires the Manager role or higher.

Send feedback

Found an issue or have a suggestion? Let us know.