HTTP limitations? (DEF-3410) (SOLVED)


Ah, gotcha! Ok, we’ll have to wait for an engine fix. If there’s no side-effects of increasing that array then it’s released in a weeks time (1.2.135).

Triggered: A space schmup looter-shooter

Released in 1.2.135


Hey, got back from my vacation and tried it out.

Unfortunately I am still having issues, but this time not with the length of the URL.

After playing around I am seeing errors from the REST API endpoint that are consistent with an incorrect auth key being passed in the URL (unlike before, it was a malformed/short one). From what I can see, this indicates that Defold might be doing some encoding of its own to the URL. Is there any way you can verify this? Thanks!

EDIT: When using Postman Echo, it does appear that the auth token passed IS correct. So my hypothesis on what is causing the issue is likely incorrect.


A sample URL:

This should give a response of the data at the location, in Postman (or just in a browser) I will see:

"some sdfsdfdfdf"

In Defold I would see:

"Unable to validate signature."

The auth key will expire, so I can generate new URLs if and when you want to check this.


We do not encode the URL in any way. That is up to you as a developer to take care of. But in this case it shouldn’t be needed. Can you share the token validation code? What could potential cause it to not be able to validate it?


Hmm, when I paste the token here: it also says “Invalid Signature”. Not sure if that is relevant or not…


The token itself is fine.

If you paste this URL into a browser:

You will get a response, which is the data at the location.

If you make this call in Defold, you will get a different response - that’s the problem.

Using the following code:

local url = ""
http.request(url, "GET", function(self,id,response)

gives the following response:

  status = 401,
  response = {
  "error" : "Unable to validate signature."
  headers = {
    server = nginx,
    strict-transport-security = max-age=31556926; includeSubDomains; preload,
    content-type = application/json; charset=utf-8,
    connection = keep-alive,
    content-length = 48,
    cache-control = no-cache,
    date = Fri, 14 Sep 2018 11:18:16 GMT,
    access-control-allow-origin = *,


Yes, I’ve tested this myself and seen the same thing. Not really sure what could be wrong. I’ll try to figure it out.


Thanks, I’ll continue to experiment myself and keep this thread updated with my findings.


Also, I should have said that I think the token is fine. It could very well be part of the problem.

Using however gives me a good result with:


EDIT: Just noticed the invalid signature part you mentioned, whoops… maybe this leads somewhere.
EDIT2: Which makes sense… there’s no public key. Still stumped…


If I bundle as HTML, it works - so it would seem that something happening in the engine with the HTTP request. I still don’t have any clues for you however. If you continue to test with that URL, you would expect token expired/permission denied response - we want to avoid the ‘unable to validate…’ response.


Ok, so it works from a browser… hmm… that’s a clue at least. The http.request function has a different implementation on HTML5.


Is there anything you can share me regarding the implementation of the http requests so I might be able to figure out what’s going on?


No not really I’m afraid. I’ve been stuck working on another thing. I’ll look into this soon, most likely on Wednesday.


OK thanks.


Created a new ticket to track this issue: DEF-3494


FYI: The fix should be released with 1.2.137 on Monday.


Oh awesome. I guess you figured it out then :). Anything interesting?


Fixed in Defold 1.2.137