​

Managing Loader/Action Access

​

Visibility Options

• private: Can only be invoked server-side through ctx.invoke
• public: Can be called from both server and client through:
  • Runtime invoke calls
  • Direct path access via /live/invoke/{path/to/block.ts}

​

Setting Default Visibility

// Make the loader publicly accessible
export const defaultVisibility = 'public'

// Make the loader private (server-side only)
export const defaultVisibility = 'private'

​

Overriding Visibility

import { defineConfig } from "$fresh/server.ts";
import { plugins } from "deco/plugins/deco.ts";
import manifest from "./manifest.gen.ts";

export default defineConfig({
  plugins: plugins<typeof manifest>({
    manifest,
    htmx: true,
    visibilityOverrides: {
      "site/loaders/minicart.ts": "public",
      "vtex/loaders/cart.ts": "private"
    },
  }),
});

​

Security Best Practices

​

Use private for

• Accessing private/internal APIs
• Operations involving credentials or secrets
• Processing sensitive user/business data
• Backend integrations requiring authentication

​

Use public for

• Reading public product data
• Fetching public content
• Client-side data loading
• User-facing operations that don’t expose sensitive data

​

Related Documentation

• Fetching Data
• Client-side Data Loading
• Core Concepts: Loaders