Lens

Use a Lookup From Your Site

Call your Lens Lookup from a tag, a GTM Custom HTML tag, or any client JavaScript. The endpoint is a plain HTTPS GET with no SDK and no auth header.

The URL format

Every lookup is reachable at https://lens-lookup.tagpipes.com/ with three pieces in the query string: the public key from the lookup page, one query parameter per lookup key, and an optional limit. The lookup page shows the exact URL with placeholders so you can copy and substitute values.

A real URL looks like this: 

https://lens-lookup.tagpipes.com/
  ?key=lk_IY1fgP8w5wGKZ5xvSp1qegKxnspg9ZeR
  &item_cde=10842149
  &from_uom_cde=CA
  &to_uom_cde=EA
  &limit=1

The response is JSON in a stable shape: {`{ found: true|false, rows: [ { ... } ] }`}. When found is true, rows[0] contains every column from the source table (minus any fields= projection you specified). When false, rows is empty.

Call it from plain JavaScript

Use XMLHttpRequest or fetch with a standard GET. The example below uses ES5 so it runs cleanly inside a GTM Custom HTML tag, where modern features like fetch and arrow functions sometimes behave inconsistently across older browsers. 

{`function lookup(filters, callback) {
    var ENDPOINT = 'https://lens-lookup.tagpipes.com/';
    var KEY = 'lk_IY1fgP8w5wGKZ5xvSp1qegKxnspg9ZeR';

    var parts = ['key=' + encodeURIComponent(KEY)];
    for (var k in filters) {
        if (filters.hasOwnProperty(k)) {
            parts.push(encodeURIComponent(k) + '=' + encodeURIComponent(filters[k]));
        }
    }

    var xhr = new XMLHttpRequest();
    xhr.open('GET', ENDPOINT + '?' + parts.join('&'), true);
    xhr.onreadystatechange = function () {
        if (xhr.readyState !== 4) return;
        try {
            var body = JSON.parse(xhr.responseText);
            callback(null, body);
        } catch (e) {
            callback(e, null);
        }
    };
    xhr.send();
}

// Usage:
lookup({ item_cde: '10842149', from_uom_cde: 'CA', to_uom_cde: 'EA' }, function (err, result) {
    if (err) return console.error(err);
    if (result.found) console.log(result.rows[0]);
});`}

Content Security Policy

If your site enforces a Content Security Policy, add https://*.tagpipes.com to the connect-src directive. That's the only CSP change required: XHR is the only traffic the lookup generates, no scripts or images are loaded from TagPipes. The wildcard form future-proofs the policy against any other TagPipes endpoint you might use later.

A typical header looks like this: 

Content-Security-Policy: default-src 'self'; connect-src 'self' https://*.tagpipes.com; ...

If your security team prefers explicit hosts over wildcards (some shops insist), use https://lens-lookup.tagpipes.com instead. You'd then add a second entry for any other TagPipes subdomain you adopt later.

CSP and CORS are not the same thing

CSP is enforced by the browser before the request goes out. CORS is enforced by the server after the request arrives. Both must pass. CSP controls connect-src; CORS is governed by the referrer allowlist on the lookup config page. If you allow the request in CSP but your site isn't on the allowlist, the browser will make the request but reject the response.

Confirm the referrer allowlist matches your site

Open the lookup in the TagPipes UI and check the referrer allowlist on the edit page. Your site's hostname must be on the list (no scheme, no path). The browser sends an Origin or Referer header automatically on every request; the Lambda checks one of those against the list and returns 403 if neither matches.

Optional: limit the columns returned

Add a fields= parameter to return only specific columns. Useful when the table has internal columns the caller shouldn't see. 

https://lens-lookup.tagpipes.com/?key=lk_...&item_cde=ABC&fields=name,price

Optional: return multiple rows

The default is one row. Pass limit=N (up to 10) to return more. The lookup matches by prefix of the composite key, so passing only the first key with limit=5 returns up to 5 rows that share that prefix. Useful for small variant lookups.

Troubleshooting

The browser blocks the request before it goes out

Open DevTools console and look for a CSP violation message. If you see one, the site's connect-src doesn't include the lookup domain. Fix the CSP on your site and reload.

The request goes out but the browser blocks the response

The Network tab will show the request as completed (often with a 403 status) but the response body will be unreadable. This usually means CORS rejected the response because your site's origin isn't on the lookup's allowlist. Add your origin in the TagPipes UI and try again.

found is always false

The query reached the lookup, but no row matched. Verify the values you're passing exist in the source table exactly (case-sensitive, no extra whitespace). Trigger a Sync Now in the TagPipes UI to refresh the mirror. If you recently added rows to the source table, they may not be in the lookup mirror yet until the next sync.

Related guides

Create a Lookup