Data API Privacy Rules
This section covers the Privacy Rules settings for the Data API.
Access to a specific data type through the Data API is controlled by the Privacy Rules applied to that type, unless the client authenticates with a Bubble API token. In that case the client is granted full admin access and Privacy Rules are disregarded.
Privacy Rules serve as a secure filter to stop unauthorized access to your app's database.
The different checkboxes in a given Privacy Rule affect the Data API in the following way:
If this box is checked, the client will be able to retrieve all the fields on all the things of a given data type. If you uncheck this box, you can select one by one which fields are returned.
If this box is checked, the client will be able to retrieve a list of things of a given data type, optionally using search constraints. If it’s left unchecked, the client will be unable to search for the data type.
If this box is checked, the client will be able to retrieve files saved to a given data type.
This setting does not affect clients who access the database via the Data API.
Whenever the Data API is enabled for a database Thing, three new options become available in that Thing’s Privacy Rules:
- Create via API
- Modify via API
- Delete via API
All three are unchecked by default to avoid accidentally giving editing access.
If these boxes are left unchecked, an API client matching this Privacy Rule will not be able to create, make changes to or delete any data on that data type through the Data API.
The Data API-specific Privacy Rules only apply to clients that access the database via the Data API. They do not affect your application's regular users or your API Workflows.
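To confirm that the field and search checkboxes described above behave as intended, call the Data API without an API token and compare the response with what the rule should allow. The Python check below is an added example, not part of the Bubble manual; the response envelope (`response` containing `results`), the field names and the sample body are constructed assumptions.

```python
import json

# Constructed sample body of a Data API search made WITHOUT an API token.
# The envelope shape ("response" -> "results") is an assumption.
SAMPLE_BODY = json.dumps({"response": {"results": [
    {"_id": "1x1", "display_name": "Ana", "email": "ana@example.com"},
    {"_id": "1x2", "display_name": "Ben"},
]}})

# Fields the Privacy Rule is meant to return to this client (assumed names).
EXPECTED_FIELDS = {"_id", "display_name"}


def audit_search_response(body, expected_fields, search_allowed,
                          used_admin_token=False):
    """Return findings where the response exceeds what the rule should allow."""
    if used_admin_token:
        # An admin API token disregards Privacy Rules, so the response
        # shows nothing about how the rules are configured.
        return ["inconclusive: request used an admin API token"]
    try:
        results = json.loads(body).get("response", {}).get("results", [])
    except ValueError:
        results = []  # non-JSON body (e.g. an error page): nothing returned
    findings = []
    if results and not search_allowed:
        findings.append("search returned things but should be blocked")
    unexpected = {}
    for thing in results:
        for field in thing:
            if field not in expected_fields:
                unexpected[field] = unexpected.get(field, 0) + 1
    for field, count in sorted(unexpected.items()):
        findings.append(f"unexpected field '{field}' on {count} thing(s)")
    return findings


if __name__ == "__main__":
    for finding in audit_search_response(SAMPLE_BODY, EXPECTED_FIELDS, True):
        print(finding)
```

An empty list means the response stayed within the expected fields and search setting for that client.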