Skip to main content
Docs/Custom Handlers
DocsCustom Handlers
Free

Custom Handlers

Lightweight per-app backend routes the AI co-locates with your generated app. Great for webhooks, form submissions, or any small server-side action you do not want in client code.

How They Work

When your prompt implies server-side behavior ("send a Slack message when someone submits the form", "receive a webhook from Stripe"), the generator can emit a custom handler alongside your frontend code. The handler is exposed at a stable URL the moment your app is saved; no separate deploy step.

Handlers are great for the common case. When you need more control over the runtime, the source layout, or want to reuse the same backend logic across apps, reach for a Function instead.

Routes

Each handler is reachable at:

POST   /api/custom/{appId}/{handlerName}
GET    /api/custom/{appId}/{handlerName}
PUT    /api/custom/{appId}/{handlerName}
DELETE /api/custom/{appId}/{handlerName}

The handler declares which methods it accepts (usually one). Calling an unsupported method returns 405.

Handler names are validated server-side; only alphanumeric / underscore / hyphen are allowed. The frontend pattern is to call /api/custom/{appId}/{name} from the generated app using a relative URL, which the deploy-service proxy routes correctly in production.

Auth

Two layers guard a handler:

  • Platform check: the caller must have viewer-level access to the app. This blocks random external probes.
  • Handler-level check: the handler can also enforce its own rules: signed-in user via window.genmb.auth, role check via RBAC, signing secret on a webhook, etc.

When to Reach for One

Use a custom handler when:

  • A third-party needs to POST to a stable URL (webhooks).
  • You need to keep a secret out of client code (signing a payload, calling a paid API).
  • You want simple form submission processing without standing up a Function.

For larger logic, a piece of code you want to test in isolation, or anything you want to edit explicitly file-by-file, prefer a Function.

Limits

  • Handler name: alphanumeric with _ or -, capped per app.
  • Per-request timeout matches the function host (30 seconds).
  • Global API rate limit (200 req / min / IP) applies to handler calls.
  • Available on all plans, including Free.

FAQs

How are custom handlers different from Functions?
Functions are standalone files in your app tree that you can edit explicitly. Custom handlers are co-located backend routes the AI generates inline when your prompt implies one (e.g. "add a webhook receiver"). Both are good for adding server-side logic; handlers are lighter-weight and require zero setup, Functions give you more control.
What HTTP methods are supported?
POST, GET, PUT, and DELETE. The handler declares which methods it accepts; calls to unsupported methods return 405.
How does access control work?
The platform requires viewer-level access to the parent app before any handler can be invoked. Inside the handler, you can layer your own auth (check a session cookie, validate a JWT, gate on user role). The viewer check guarantees random strangers cannot probe your endpoints.
Can a custom handler read my app data?
Yes. The runtime injects the GenMB data SDKs so a handler can query the app's database, look up users, or call other services the app has access to.

Ready to build?

Create your first app for free, no credit card required.

FunctionsWebhooks