What the HTTP action does
The HTTP action sends a request to a URL and returns the response — status code, headers, and body — as output fields the rest of your workflow can use. Like Shell and Keyboard, it runs on the computer where the Stream Deck plugin is installed, not on Conductor Deck's servers.
Choose a Method (GET, POST, PUT, PATCH, or DELETE), the target URL, optional Headers as a JSON object, and a Body for anything other than GET. When the body is a JSON object, a content-type header of application/json is added automatically if you have not set one yourself.
- Response Body, Response Headers, and HTTP Status Code are all available as output fields for later steps and Condition steps.
Blocked addresses, and why
The HTTP action is meant for public internet APIs. A request to localhost, loopback, link-local, or a private network range (10.x, 172.16 through 172.31.x, 192.168.x, and cloud metadata addresses like 169.254.169.254) is rejected before anything is sent — whether you wrote the address directly or it is what a hostname resolves to, and even if a redirect lands there partway through the request.
This is a safety boundary, not a bug: it stops a workflow — including an AI-generated one, or one someone else built and shared with you — from being used to probe your own network or a cloud provider's internal services. To reach a device on your own network, such as a smart plug or a home-automation hub, point the HTTP action at that device's address directly rather than through a proxy that would forward the request into a blocked range.
Limits and failure modes
Request and response bodies are capped at 1 MB each; a response over the cap stops downloading partway through and is reported as an error instead of filling up memory on the plugin host. A response outside the 200 to 299 range marks the step failed with an error naming the status (for example HTTP 404 Not Found), so retry and fallback error handling still trigger — the status and body of a failed request are not passed on as output fields to later steps.
Header values cannot contain line breaks and are capped at 4096 characters, both there to block header-injection attempts rather than something you are likely to hit day to day. A request that has not finished within about 10 seconds fails the step and is reported in activity — check the target service's own status page before assuming the workflow is broken.