How to authenticate
This section covers what kind of authentication method the Bubble API accepts.
This article is part of a significant update to the Bubble manual and your feedback is critical to our efforts to continuously enhance our written documentation. We would greatly appreciate if you could take a moment to let us know your thoughts on the quality of it. Thank you for your support! Give feedback on this article
This section covers what kind of authentication method you can use when you are making an incoming request to to your Bubble application from an external app.
If you are looking for how to authenticate outgoing requests sent via the API Connector, check out this article.
There are many different ways to authenticate an API request. Bubble uses the method known as bearer token.
The bearer token is a string that identifies who the client is. It serves as both username and password and is included in the header of the API request. Tokens are generated by Bubble by creating an admin API key or by signing a User in through an API call.
Since every RESTful API request is made independently of any previous or later requests, the token needs to be included with every API request coming into your app that requires authentication.
The bearer token needs to be included in the Authorization header of an HTTP request, in the following format:
Authorization: Bearer <token>
In the example above, <token> represents the actual token string. Do not include "<" and ">" in the final string.
In an application like Postman, the authorization should look like this:
The top row in the request header carries the bearer token. It is greyed out because it has been added in the Authorization tab (left of the Headers tab) and Postman automatically adds it to the header.
When included like in the above illustration, Bubble will recognize the token and respond to the call according to the privileges (if any) of the User that the token represents.
Bearer tokens are considered more secure than sending a username and password in each request because they can be easily revoked, have a limited lifetime and can be connected to one of your app's Users which allows you to limit the scope of their database and workflow access by use of Privacy Rules and Conditions.
Additionally, bearer tokens can be easily revoked if the user's device is lost or stolen, whereas revoking a password would require the user to reset it on all devices. Additionally, tokens are sent in the headers, which are less prone to being intercepted than cookies or URL parameters. Tokens generated by Bubble are considered cryptographically secure, meaning they cannot be easily reconstructed and have a length of 32 bytes. Article: Revoking a User token Article: Revoking an admin token