Data API Privacy Rules
This section covers the Privacy Rules settings for the Data API.
The Data API and Privacy Rules
Access to a specific data type through the Data API is controlled by the Privacy Rules applied to that type, except if the client is using a Bubble API token to authenticate (in which case the client will be granted full admin access and Privacy Rules are disregarded).
If a client is accessing the Data API as an admin (authenticating with a Bubble API token) all Privacy Rules will be disregarded. If you want to use Privacy Rules to control access to the Data API, use user authentication instead.
How Privacy Rules affect the Data API
The different checkboxes in a given Privacy Rule affect the Data API in the following way:
Regular Privacy Rules
View all fields
If this box is checked, the client will be able to retrieve all the fields on all the things of a given data type. If you uncheck this box, you can select one by one which fields are returned.
Find this in searches
If this box is checked, the client will be able to retrieve a list of things of a given data type, optionally using search constraints. If it’s left unchecked, the client will be unable to search for the data type.
View attached files
If this box is checked, the client will be able to retrieve files saved to a given data type.
Allow auto-binding
This setting does not affect clients who access the database via the Data API.
Data API-specific Privacy Rules
Whenever the Data API is enabled for a database Thing, three new options are available in that Thing’s Privacy Rule:
Create via API
Modify via API
Delete via API
All three are unchecked by default to avoid accidentally giving editing access.
If these boxes are left unchecked, an API client matching this Privacy Rule will not be able to create, make changes to or delete any data on that data type through the Data API.
The Data API-specific Privacy Rules only apply to clients that access the database via the Data API. They do not affect your application's regular users or your API Workflows.
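The checkbox semantics above, combined into one evaluator so the effect of the admin-token bypass is visible next to a user-authenticated client. This is an added example and a simplified model, not Bubble's code or API: the class, function and operation names are hypothetical, it assumes the client matches exactly one rule, and the unchecked defaults for the four regular checkboxes are an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PrivacyRule:
    """Checkbox state of one Privacy Rule (model only, not Bubble code)."""
    view_all_fields: bool = False            # assumed default for this model
    visible_fields: frozenset = frozenset()  # fields selected one by one
    find_in_searches: bool = False           # assumed default for this model
    view_attached_files: bool = False        # assumed default for this model
    create_via_api: bool = False   # the page states these three
    modify_via_api: bool = False   # are unchecked by default
    delete_via_api: bool = False

WRITE_OPS = ("create", "modify", "delete")

def allowed(rule, operation, admin_token=False):
    """May a Data API client matching `rule` perform `operation`?"""
    if admin_token:  # Bubble API token: Privacy Rules are disregarded
        return True
    return {
        "search": rule.find_in_searches,
        "view_files": rule.view_attached_files,
        "create": rule.create_via_api,
        "modify": rule.modify_via_api,
        "delete": rule.delete_via_api,
    }[operation]

def returned_fields(rule, thing, admin_token=False):
    """Fields of `thing` that the client gets back."""
    if admin_token or rule.view_all_fields:
        return dict(thing)
    return {k: v for k, v in thing.items() if k in rule.visible_fields}

def write_grants(rules_by_type):
    """List (data type, operation) pairs that a rule opens to API clients."""
    return [(t, op) for t, r in sorted(rules_by_type.items())
            for op in WRITE_OPS if allowed(r, op)]

if __name__ == "__main__":
    # Constructed sample data: one rule and one record.
    rule = PrivacyRule(visible_fields=frozenset({"name"}), find_in_searches=True)
    thing = {"name": "Ada", "email": "ada@example.com"}
    print(returned_fields(rule, thing))                    # user-authenticated
    print(returned_fields(rule, thing, admin_token=True))  # admin token
    print(write_grants({"Order": PrivacyRule(modify_via_api=True), "User": rule}))
```

Running `write_grants` over a transcription of an app's rules gives a quick list of the data types where API clients can change data, which is the part worth reviewing first.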