From Roll20 Wiki
The Roll20 API functions by running a special server-side virtual machine for each campaign. This provides a sandbox where your custom scripts can run without any danger of them affecting other users' campaigns. In addition, this provides a layer of security which prevents a malicious GM from writing scripts which could do bad things like access a player's computer or stall their computer with an infinite loop.
How it Works
If you're curious about the technical details of how the API functions, here's a brief diagram:
User-written scripts ===> API Server ===> Campaign Sandbox <===> Real-Time Sync Server
The Roll20 API Server listens for activity on your campaign. When it detects that people are using your campaign, it spins up a sandbox for your campaign and loads any API scripts that you have written into the sandbox. The sandbox can receive and send data directly to the real-time sync server, which allows it to respond to events and make changes to the game.
- You cannot make HTTP Requests (AJAX).
- You cannot load external scripts or libraries (e.g. jQuery).
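The flow and the two restrictions above can be modelled in Node.js. This is an added sketch, not Roll20's implementation or code from the wiki: the `on`, `sendChat` and `chat:message` names, the helper functions and the sample scripts are assumptions, and Node's `vm` module stands in for the real sandbox.

```javascript
// Toy model of a per-campaign sandbox (added example, not Roll20's code).
// node:vm is not a security boundary by itself; a real service adds process or
// machine-level isolation. This only illustrates the restrictions and the flow.
const vm = require('node:vm');

function createCampaignSandbox(timeoutMs = 100) {
  const outbox = []; // stands in for data sent to the real-time sync server
  // The script sees only ECMAScript built-ins plus what is listed here:
  // no require, no fetch, no XMLHttpRequest, no DOM.
  const context = vm.createContext({
    sendChat: (from, text) => { outbox.push({ from: String(from), text: String(text) }); },
  });
  // The event registry lives inside the sandbox so handlers run under the time limit.
  vm.runInContext(`
    var __handlers = {};
    function on(event, fn) { (__handlers[event] = __handlers[event] || []).push(fn); }
    function __dispatch(event, data) {
      (__handlers[event] || []).forEach(function (fn) { fn(data); });
    }`, context);

  function run(code) {
    try {
      vm.runInContext(code, context, { timeout: timeoutMs });
      return { ok: true };
    } catch (err) {
      // Timeouts carry err.code; ordinary script errors only have a name.
      return { ok: false, error: err.code || err.name };
    }
  }
  return {
    outbox,
    load: (scriptSource) => run(scriptSource),
    // Events cross the boundary as JSON, so no host objects are shared.
    dispatch: (event, data) =>
      run(`__dispatch(${JSON.stringify(event)}, ${JSON.stringify(data)})`),
  };
}

// Constructed sample scripts.
const GREETER = `on('chat:message', function (msg) {
  if (msg.content === '!hello') sendChat('API', 'Hello, ' + msg.who);
});`;
const USES_AJAX = `new XMLHttpRequest();`;
const SPINNER = `on('chat:message', function () { while (true) {} });`;
```

Loading `GREETER` and dispatching a `chat:message` event puts one reply in `outbox`; `USES_AJAX` fails with a `ReferenceError` at load time, and the handler in `SPINNER` is cut off by the time limit instead of stalling the host.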