Data API Privacy Rules

This section covers the Privacy Rules settings for the Data API.


The Data API and Privacy Rules

Access to a specific data type through the Data API is controlled by the Privacy Rules applied to that type, except if the client is using a Bubble API token to authenticate (in which case the client will be granted full admin access and Privacy Rules are disregarded).

If a client is accessing the Data API as an admin (authenticating with a Bubble API token), all Privacy Rules will be disregarded. If you want to use Privacy Rules to control access to the Data API, use user authentication instead.

Privacy Rules serve as a secure filter to stop unauthorized access to your app's database.

How Privacy Rules affect the Data API

The different checkboxes in a given Privacy Rule affect the Data API in the following way:

Regular Privacy Rules

View all fields

If this box is checked, the client will be able to retrieve all the fields on all the things of a given data type. If you uncheck this box, you can select one by one which fields are returned.

Find this in searches

If this box is checked, the client will be able to retrieve a list of things of a given data type, optionally using search constraints. If it’s left unchecked, the client will be unable to search for the data type.

View attached files

If this box is checked, the client will be able to retrieve files saved to a given data type.

Allow auto-binding

This setting does not affect clients who access the database via the Data API.

Data API-specific Privacy Rules

Whenever the Data API is enabled for a database Thing, three new options become available in that Thing’s Privacy Rules:

  • Create via API

  • Modify via API

  • Delete via API

All three are unchecked by default to avoid accidentally giving editing access.

If these boxes are left unchecked, an API client matching this Privacy Rule will not be able to create, make changes to or delete any data on that data type through the Data API.

The Data API-specific Privacy Rules only apply to clients that access the database via the Data API. They do not affect your application's regular users or your API Workflows.
