Beta documentation. This is an early preview — content is still in active development. Feedback helps shape the final release. Share your thoughts or join the discussion.
Beginner 2 min read 2026-05-26

Globals Reference

These are available in every Lua script without any `require` or import. They're already there, ready to use.

On this page
Globals at a glance Request data: `req` Environment: `env` Debug functions Security helpers `csrf_token()` `loadstring(code)` App & validation `framework()` `validator(data, rules)`

Globals at a glance

These are available in every Lua script without any require or import. They're already there, ready to use.

Request data: req

req carries everything about the incoming HTTP request. It's a Lua table with these fields:

Field Type Example Description
req.method string "GET" HTTP method
req.path string "/users/42" Request path (normalized)
req.uri string "/users/42?page=1" Full path + query string
req.url string "https://yoursite.wapka.site/users/42" Complete URL
req.get table { page = "1" } Parsed query parameters
req.query table Same as req.get Alias for query params
req.post table { name = "John" } Parsed POST body (form data)
req.body string '{"name":"John"}' Raw request body
req.headers table { ["content-type"] = "..." } All headers, lowercased
req.cookie table { session = "abc" } Request cookies
req.files table Uploaded file data $_FILES equivalent
req.args string "page=1&sort=name" Raw query string
req.session table { user_id = 42 } Session data (read-only)

Environment: env

env tells you about the site and the current visitor:

Field Type Example Description
env.siteid number 18448 Your site's numeric ID
env.sitename string "mysite" Your site subdomain
env.remote_ip string "192.168.1.1" Visitor's IP address
env.is_user boolean true Is the visitor logged in?
env.is_admin boolean false Is the visitor the site admin?
env.timezone string "UTC" Server timezone

Debug functions

print("Hello")          -- write to debug buffer
dump({ a = 1, b = 2 })  -- pretty-print any value

In APP_DEBUG=true mode, these appear in the response body. In production, ignored.

Security helpers

csrf_token()

Generates a CSRF token and sets a cookie. Use it in forms:

-- In handler
return ctx:render("form", { csrf = csrf_token() })
{# In template #}
<input type="hidden" name="csrf_token" value="{{ csrf }}">

loadstring(code)

Parse a Lua string into executable code. Returns a function on success, or nil + error message.

local fn, err = loadstring("return 2 + 2")
if fn then
    print(fn())  -- 4
end

App & validation

framework()

Creates your app. Always the first call.

local app = framework()

validator(data, rules)

Input validation. See Input Validation for full reference.

local v = validator(
    { name = "John", age = 25 },
    { name = "required|string|min:2", age = "required|number|min:18" }
)
if v:passes() then
    local clean = v:valid()
end

Next: Routing — structure your app with URLs.

Previous Quickstart Next Routing