Skip to content

The Response Object

The plumber response object is stored as an environment, much like the request object. The response object, which is accessible as res from within plumber functions, contains the following objects:

Name Example Description
headers list(header = "abc") A list of HTTP headers to include in the response
body NULL This is set to the serialized output of the handler unless the response object is directly returned from the handler (see bypassing serialization)
status 200 The HTTP status code included in the response

The response object also contains the following methods that can be invoked:

Name Example Description
setCookie res$setCookie("foo", "bar") Sets an HTTP cookie on the client
removeCookie res$removeCookie("foo") Removes an HTTP cookie
setHeader res$setHeader("foo", "bar") Sets an HTTP header
toResponse res$toResponse() Renders the response object as a list containing status, headers, and body.

The other methods (clone, initialize, and serializer) should not be directly invoked on the response object.


In order to send a response from R to an API client, the object must be “serialized” into some format that the client can understand. JavaScript Object Notation (JSON) is one standard which is commonly used by web APIs. JSON serialization translates R objects like list(a=123, b="hi!") to JSON text resembling {a: 123, b: "hi!"}.

JSON is not appropriate for every situation, however. If you want your API to render an HTML page that might be viewed in a browser, for instance, you will need a different serializer. Likewise, if you want to return an image rendered in R, you likely want to use a standard image format like PNG or JPEG rather than JSON.

By default, Plumber serializes objects into JSON via the jsonlite R package. However, there are a variety of other serializers that are built in to the package.

You can also pass arguments to certain serializers to modify their behavior like in the example below.

#* @serializer json list(na="string")

See the Serialization article for details.

Annotation Content Type Description/References
@serializer contentType (user supplied) Send response with a particular Content-Type header
@serializer html text/html; charset=UTF-8 Passes response through without any additional serialization
@serializer json application/json Object processed with jsonlite::toJSON()
@serializer unboxedJSON application/json Object processed with jsonlite::toJSON(auto_unbox=TRUE)
@serializer rds application/rds Object processed with base::serialize()
@serializer csv text/csv Object processed with readr::format_csv()
@serializer tsv text/tab-separated-values Object processed with readr::format_tsv()
@serializer feather application/vnd.apache.arrow.file Object processed with arrow::write_feather()
@serializer parquet application/parquet Object processed with arrow::write_parquet()
@serializer yaml text/x-yaml Object processed with yaml::as_yaml()
@serializer htmlwidget text/html; charset=utf-8 htmlwidgets::saveWidget()
@serializer text text/plain Text output processed by as.character()
@serializer format text/plain Text output processed by format()
@serializer print text/plain Text output captured from print()
@serializer cat text/plain Text output captured from cat()
@serializer jpeg image/jpeg Images created with jpeg()
@serializer png image/png Images created with png()
@serializer svg image/svg Images created with svg()
@serializer bmp image/bmp Images created with bmp()
@serializer tiff image/tiff Images created with tiff()
@serializer pdf application/pdf PDF File created with pdf()

Boxed vs Unboxed JSON

You may have noticed that API responses generated from Plumber render singular values (or “scalars”) as arrays. For instance:

#> {"a":[5]}

The value of the a element, though it’s singular, is still rendered as an array. This may surprise you initially, but this is done to keep the output consistent. While JSON differentiates scalar from vector objects, R does not. This creates ambiguity when serializing an R object to JSON since it is unclear whether a particular element should be rendered as an atomic value or a JSON array.

Consider the following API which returns all the letters lexicographically “higher” than the given letter.

#* Get letters after a given letter
#* @get /boxed

#* Get letters after a given letter
#* @serializer unboxedJSON
#* @get /unboxed

This is an example of an API that, in some instance, produces a scalar, and in other instances produces a vector.

Visiting http://localhost:8000/boxed?letter=U or http://localhost:8000/unboxed?letter=U will return identical responses:

["V", "W", "X", "Y", "Z"]

However, http://localhost:8000/boxed?letter=Y will produce:


while http://localhost:8000/unboxed?letter=Y will produce:


The /boxed endpoint, as the name implies, produces “boxed” JSON output in which length-1 vectors are still rendered as an array. Conversely, the /unboxed endpoint sets auto_unbox=TRUE in its call to jsonlite::toJSON, causing length-1 R vectors to be rendered as JSON scalars.

While R doesn’t distinguish between scalars and vectors, API clients may respond very differently when encountering a JSON array versus an atomic value. You may find that your API clients will not respond gracefully when an object that they expected to be a vector becomes a scalar in one call.

For this reason, Plumber inherits the jsonlite::toJSON default of setting auto_unbox=FALSE which will result in all length-1 vectors still being rendered as JSON arrays. You can configure an endpoint to use the unboxedJSON serializer (as shown above) if you want to alter this behavior for a particular endpoint.

There are a couple of functions to be aware of around this feature set. If using boxed JSON serialization, jsonlite::unbox() can be used to force a length-1 object in R to be presented in JSON as a scalar. If using unboxed JSON serialization, I() will cause a length-1 R object to present as a JSON array.

Customizing Image Serializers

The @serializer jpeg and @serializer png annotations cause the graphical output of an endpoint to be written to a file then returned to the client using the jpeg() or png() functions, respectively. These functions both accept a variety of additional options that customize the output including width, height, and bg among others.

As of version 0.4.3 of plumber, these annotations now accept additional arguments that will be passed into these functions. This enables the creation of endpoints like:

#* Example of customizing graphical output
#* @serializer png list(width = 400, height = 500)
#* @get /

At a lower level, the arguments inside the parentheses will be used as the arguments to a list() call. Meaning that any R code that can be prefixed by list to form a valid R expression can be used. For example, #' @serializer png (width=2^10 + 1) would be a valid annotation. This code is evaluated once when your API is plumb()d.

While this approach can be used to statically define the size of an image, it will not work for dynamic sizing of an image. If you wish to dynamically size images, you will need render and capture the graphical output yourself and return the contents with the appropriate Content-Type header. See the existing image renderers as a model of how to do this.

Bypassing Serialization

In some instances it may be desirable to return a value directly from R without serialization. You can bypass serialization by returning the response object from an endpoint. For example, consider the following API.

#* Endpoint that bypasses serialization
#* @get /
  res$body <- "Literal text here!"


The response that is returned from this endpoint would contain the body Literal text here! with no Content-Type header and without any additional serialization.

Similarly, you can leverage the @serializer contentType annotation which does no serialization of the response but specifies the contentType header. You can use this annotation when you want more control over the response that you send.

#* @serializer contentType list(type="application/pdf")
#* @get /pdf
  tmp <- tempfile()
  plot(1:10, type="b")
  text(4, 8, "PDF from plumber!")
  text(6, 2, paste("The time is", Sys.time()))

  readBin(tmp, "raw",$size)

Running this API and visiting http://localhost:8000/pdf will download the PDF generated from R (or display the PDF natively, if your client supports it).

Error Handling

Plumber wraps each endpoint invocation so that it can gracefully capture errors.

#* Example of throwing an error
#* @get /simple
  stop("I'm an error!")

#* Generate a friendly error
#* @get /friendly
  msg <- "Your request did not include a required parameter."
  res$status <- 400 # Bad request

If you run this API in interactive mode and visit http://localhost:8000/simple, you’ll notice two things:

  1. An HTTP response with a status code of 500 (“internal server error”) is sent to the client. You should see an error message resembling: {"error":["500 - Internal server error"],"message":["Error in (function () : I'm an error!\n"]}
  2. A similar error is printed in the terminal where you’re running your Plumber API.

This means that it is possible for you to intentionally stop() in an endpoint or a filter as a way to communicate a problem to your user. However, it may be preferable to render errors from your API in a consistent format with more helpful error messages.

  "error": "Your request did not include a required parameter."

A custom error handler can be set using the setErrorHandler() method:

pr() %>%
  pr_get("/simple", function() stop("I'm an error!")) %>%
  pr_set_error(function(req, res, err){
    res$status <- 500
    list(error = "An error occurred. Please contact your administrator.")
  }) %>%

If you run this API and visit http://localhost:8000/simple, you’ll notice that the custom error message provided in the error handler is included in the browser. Since we didn’t do anything with the actual error message, nothing is printed to the console. If we wanted to include the error in the console, we could do the following:

pr() %>%
  pr_get("/simple", function() stop("I'm an error!")) %>%
  pr_set_error(function(req, res, err){
    res$status <- 500
    list(error = "An error occurred. Please contact your administrator.")
  }) %>%

The function passed to setErrorHandler will be invoked anytime R execution fails with an error.

Setting Cookies

As part of fulfilling a request, a Plumber API can choose to set HTTP cookies on the client. HTTP APIs don’t implicitly contain a notion of a “session.” Without some additional information, Plumber has no way of ascertaining whether or not two HTTP requests that come in are associated with the same user. Cookies offer a way to commission the client to store some state on your behalf so that selected data can outlive a single HTTP request; the full implications of using cookies to track state in your API are discussed here. The two forms of Plumber cookies – plain-text and encrypted – are discussed in the following sections.

Before you make cookies an important part of your API’s security model, be sure to understand the section on the security considerations when working with cookies.

Setting Unencrypted Cookies

Plumber can both set and receive plaint-text cookies. The API endpoint below will return a random letter, but it remembers your preferences on whether you like capitalized or lower-case letters.

#* @put /preferences
function(res, capital){
  if (missing(capital)){
    stop("You must specify a value for the 'capital' preference.")
  res$setCookie("capitalize", capital)

#* @get /letter
function(req) {
  capitalize <- req$cookies$capitalize

  # Default to lower-case unless user preference is capitalized
  alphabet <- letters

  # The capitalize cookie will initially be empty (NULL)
  if (!is.null(capitalize) && capitalize == "1"){
    alphabet <- LETTERS

    letter = sample(alphabet, 1)

Since this API is using a PUT request to test this API, we’ll use curl on the command line to test it. (There’s nothing about cookies that necessitates PUT requests; you could just as easily modify this API to use a GET request.) We can start by visiting the /letter endpoint and we’ll see that the API defaults to a lower-case alphabet. curl http://localhost:8000/letter

  "letter": ["i"]

If we send a PUT request and specify the capital parameter, a cookie will be set on the client which will allow the server to accommodate our preference in future requests. In curl, you need to specify a file in which you want to save these cookies using the -c option. This is a good reminder that clients handle cookies differently – some won’t support them at all – so be sure that the clients you intend to support with your API play nicely with cookies if you want to use them.

To send a PUT request, setting the parameter capital to 1, we could invoke: curl -c cookies.txt -X PUT --data 'capital=1' "http://localhost:8000/preferences". If you print out the cookies.txt file, you should now see that it contains a single cookie called capitalize with a value of 1.

We can make another GET request to /letter to see if it accommodates our preferences. But we’ll need to tell curl to use the cookies file we just created when sending this request using the -b switch: curl -b cookies.txt http://localhost:8000/letter. You should now see that the API is returning a random capitalized letter.

The setCookie method accepts a variety of additional options to customize how the cookie should be handled by the client. By default, cookies are set with a session lifetime, meaning that the cookie will persist in the user’s browser until the client closes the tab at which point the cookie will be deleted. You can customize this by setting the expiration parameter in setCookie using either a number of seconds in the future in which this cookie should expire. Alternatively, you can provide an object of class POSIXt, in which case that will be interpreted as the time at which the cookie should expire.

Other options that can be set on the cookie include path (the path on your domain at which the cookie should be installed on the client); http (controls whether or not the cookie should be accessible to JavaScript running on this domain – where TRUE means that the cookie is HTTP-only, and not accessible from JavaScript); and secure (if TRUE, instructs the browser to only send the cookie over HTTPS, not insecure HTTP.

If you’re using cookies to infer any security-sensitive properties (such as to identify a user, or determine what resources this client should have access to), be sure to see the Security article – in particular the section on the security implications of cookies.

Setting Encrypted Cookies

In addition to storing plain-text cookies, Plumber also supports handling cookies that are encrypted. Encrypted cookies prevent your users from seeing what is stored inside of them and also sign their contents so that users can’t modify what is stored.

To use this feature, you must explicitly add it to your router after constructing it. For example, you could run the following sequence of commands to create a router that supports encrypted session cookies.

pr("myfile.R") %>%
  pr_cookie("mySecretHere", "cookieName") %>%

You’ll notice the above example is using the session_cookie hooks that come with Plumber. By adding registering these hooks on your router, you’ll ensure that the req$session object is made available on incoming requests and is persisted to the cookie named cookieName when the response is ready to be sent to the user. In this example, the key used to encrypt the data is "mySecretHere", which is obviously a very weak secret key.

Unlike res$setHeader(), the values attached to req$session are serialized via jsonlite; so you’re free to use more complex data structures like lists in your session. Also unlike res$setHeaders(), req$session encrypts the data using the secret key you provide as the first argument to the session_cookie() function.

As an example, we’ll store an encrypted cookie that counts how many times this client has visited a particular endpoint:

#* @get /sessionCounter
  count <- 0
  if (!is.null(req$session$counter)){
    count <- as.numeric(req$session$counter)
  req$session$counter <- count + 1
  return(paste0("This is visit #", count))

Again, you would need to register the session_cookie() hooks on your router before this code would work.

If you inspect the cookie being set in your browser, you’ll find that its value is encrypted by the time it gets to the client. But by the time it arrives in Plumber, your cookie is available as a regular R list and can be read or modified.