Workflow API security

This section covers security related to the Workflow API.

Last updated 1 year ago

This article covers the security aspects of using the Bubble Workflow API specifically. If you want to learn more about the Bubble Workflow API in general, you can check out the articles below:

Article: The Workflow API

Article series: The Bubble API

The Workflow API allows external apps and systems to trigger specific workflows within your Bubble app. It provides a set of endpoints to initiate predefined sequences of actions or events in your app from outside sources. Naturally, allowing external systems to activate workflows in your app can introduce potential vulnerabilities, so it's essential to learn how to use it correctly.

In this article, we'll explore how to set up API workflows that are secure.

Guiding principles in Workflow API security

The principle of least privilege

As discussed in various sections of our Security article series, the principle of least privilege remains important when working with the Workflow API. In this segment, we'll delve into methods and strategies to ensure adherence to this principle when setting up workflows that can be reached from outside of your own app.

In a bank, not every employee has the keys to the vault. A teller can access the cash drawer but doesn't have the authority to authorize large wire transfers. Conversely, the bank manager might have that authority but doesn't necessarily need access to every single safety deposit box.

Authentication and authorization

If you are reading this article series in order, you'll remember that we've talked extensively about authentication and authorization.

With the Data API, we explored how to protect what is basically the database: the data types, fields and operations that a specific user can access. The Workflow API is essentially the same, except that instead of protecting data, we're protecting workflows.

We'll still use the same mindset when planning our security: every client that wants to trigger workflows in your app needs to go through the two steps of determining who they are, and what they have access to.

Authentication

When an API workflow is created, Bubble automatically generates a unique URL to trigger it, such as:

https://my-bubble-application.bubbleapps.io/version-test/api/1.1/wf/my-workflow

If the workflow required no authentication, knowing this URL would be enough for any actor (malicious or not) to trigger the workflow as many times as they want. Let's first talk about a few different reasons why you should be careful with that approach:

  • Running an API workflow consumes server resources, just like other workflows in your app

    • If an API workflow is repeatedly triggered, it can increase your consumption

    • If left completely unchecked and continuously running, Bubble has safeguards in place to ensure your app doesn't spend too many server resources: this can lead to your app slowing down or even stopping completely

  • Running API workflows can potentially make a lot of changes in your database – by requiring authentication, you are adding one more potential safeguard on top of privacy rules and conditions in that workflow (we'll get back to this point later in the article)

While you are free to set up your API workflows as you see fit, we generally recommend that you always require authentication to run them.

Just like with the Data API, the access level of an API workflow can be split into three categories:

  • No clients have access to any API workflows (the Workflow API is disabled or all API workflows are unexposed)

  • Some clients have access to selected API workflows (the Workflow API is enabled, but requires authentication)

  • Everyone has access (the Workflow API is enabled, and no API workflows require authentication)

No one has access

The first scenario is that no client, whatever their credentials, has access to any API workflows at all. There are two ways to do this:

Disabling the Workflow API

The first way is to disable the Workflow API altogether under Settings - API.

This ensures that you don't have any Workflow API endpoints exposed at all, and nothing can be triggered from outside of your app. However, this also means that Bubble's backend editor will be disabled altogether, meaning that you cannot set up any internal API Workflows.

Disabling individual workflows

The second option is to keep the Workflow API enabled, but set every API Workflow that you create to be non-exposed. This means that the API workflow can be triggered internally in your app, but it will not have any endpoint that can be triggered from the outside.

Using this method gives you access to the backend editor and all of its features, but requires that you are careful with the settings on each individual API workflow.

Some clients have access to selected API workflows

The second option is to require authentication and allow selected API workflows to be triggered from outside of your own app.

Authentication

Authenticating clients to give them access to API workflows can be done in a few different ways. We go over this in detail in the article below:

Article: The Bubble API: Authentication methods

Exposing selected API workflows

Having set up the authentication, we can then proceed to set up which API workflows we want to expose.

API workflows are set to be exposed automatically when created – keep in mind that in this step you are disabling those you don't want to expose, and not the other way around.

To disable API workflows that you don't want exposed, uncheck the Expose as a public API workflow setting. This removes the endpoint of that workflow entirely, making it impossible to trigger regardless of authentication.

This way, only selected clients can run API workflows, and only selected workflows can be executed regardless of who the client is.

Everyone has access

The final option is to open up API workflows to be triggered by anyone, without having to authenticate at all. Generally, we don't recommend this, as it opens the door to potential misuse.

To open up API workflows to be triggered without any authentication, check the two boxes as illustrated above. Optionally, you can check the last box (Ignore privacy rules when running the workflow) to give the broadest possible access to your data as well.

Authorization

With the Data API, authorization is generally linked to data – what a client can see and make changes to. With the Workflow API, the picture becomes slightly more complex: since we are dealing with workflows, there are two more ways you can fine-tune your authorization for each individual client:

  • Data (which can be protected with privacy rules)

  • Conditions (which can set further restrictions on the workflow or individual action steps inside that workflow)

In the schematic illustration above, we can see the potential route a Workflow API request could take in terms of authorization.

First, Bubble determines who the client is (authentication), and then proceeds to check whether the client is allowed to run the workflow at all (Authorization 1). Then, the flow can potentially introduce two more authorization steps (illustrated as Authorization 2): a condition could stop the client from running the whole workflow or one or more of its actions, and privacy rules could limit the client's access to find data to make changes to.

Let's look at how this could look in the editor:

  1. The API workflow may require authentication/authorization to run

  2. The List of things to change may produce a limited result because privacy rules protect some or all records from being found in a search

  3. The Only when conditional expression may prohibit the client from running the workflow, even if they are authenticated.

Data (privacy rules)

If you are unfamiliar with privacy rules, we highly recommend reading the articles below to get an understanding of how they work.

Article: Privacy rules

Article: Workflow API privacy rules

After having set up the authentication method you want to use, you then need to authorize those clients to access data within the action steps in that workflow. This understanding is important to take in as you plan your security, or you may get unexpected results.

Let's look at an example to illustrate:

Adding some information to a list of users

Let's imagine that we have a Bubble app with 100 users. As we start exploring how to work with an external system through the Bubble API, we realize we need to add some data to all of those users. Essentially, we want to make a change to all of them.

We decide to set up an API workflow to do that job, and we open it up for external access so that it can be triggered from the external app.

Here's where the workflow versus data point becomes interesting. In this case, we are only authenticating once, but in principle we are going through two rounds of authorization:

  1. Is the client allowed to run this workflow?

  2. Is the client allowed to search for these users?

With this example, you can see why this could sometimes generate an unexpected result: while the client does have access to execute the workflow, they may not be able to actually search through all the users in the database.

Why is that? Because that data is protected by privacy rules, and the client does not match the needed credentials to download all of them. The unexpected result in this case might be that only a portion (or none) of the users were changed, as privacy rules stopped the client from finding them.

With the Data API, you can set specific privacy rules such as Modify via API, Create via API and so forth. Note that these settings apply to the Data API specifically; they do not affect an API workflow's ability to perform those operations.

Overriding privacy rules

If you want to give the broadest possible access level to your data, an API workflow can be set up to ignore privacy rules altogether. Again, we generally caution against using this method as it gives free access to all data in your database regardless of the privacy rules set.

Still, there are many scenarios where this is useful: just make sure you understand the implications of the setting.

Conditions

If you are unfamiliar with conditional expressions, we highly recommend reading the articles below to get an understanding of how they work.

Article: Conditions

Article: Dynamic expressions

The second step of authorization is one you would likely implement more deliberately: conditions.

Conditions can be added to the workflow itself or to any of its action steps and the result would be the same. Bubble will check the condition against the client trying to execute the workflow, adding another layer of authorization.

Keep in mind that privacy rules can also influence conditions. For instance, if a condition depends on a database search to validate, it may not yield the expected results if the results are constrained by privacy rules.

In the example above, we've further restricted one of the actions in the API workflow by adding a condition that checks whether the current user (the authenticated client running the API workflow) has a field called Admin set to yes. If this returns a no, the step will not run.
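The authorization route and the 100-user example described above, as a small Python model. This is an added illustration, not Bubble's code: the class, field and function names, the status strings and the team-based privacy rule are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    uid: int
    team: str
    admin: bool = False


@dataclass
class ApiWorkflow:
    """Hypothetical stand-in for the settings on one API workflow."""
    name: str
    exposed: bool = True                # "Expose as a public API workflow"
    requires_auth: bool = True          # assumed name for the authentication setting
    ignore_privacy_rules: bool = False  # "Ignore privacy rules when running the workflow"
    only_when: Optional[Callable[[Optional[User]], bool]] = None  # "Only when" condition


def can_find(client: Optional[User], record: User) -> bool:
    """Constructed privacy rule: a client can only find users on its own team."""
    return client is not None and client.team == record.team


def run_workflow(wf: ApiWorkflow, client: Optional[User],
                 database: List[User]) -> Tuple[str, List[int]]:
    """Walk one request through the route and return (status, ids of changed users)."""
    if not wf.exposed:
        return ("no_endpoint", [])        # no endpoint exists, whatever the credentials
    if wf.requires_auth and client is None:
        return ("unauthenticated", [])    # authentication / Authorization 1
    if wf.only_when is not None and not wf.only_when(client):
        return ("condition_false", [])    # Authorization 2: condition
    if wf.ignore_privacy_rules:
        found = list(database)            # broadest possible access
    else:
        found = [u for u in database if can_find(client, u)]  # Authorization 2: privacy rules
    return ("ran", [u.uid for u in found])


def audit(workflows: List[ApiWorkflow]) -> List[Tuple[str, str]]:
    """Flag the settings the article cautions against on exposed workflows."""
    findings = []
    for wf in workflows:
        if not wf.exposed:
            continue
        if not wf.requires_auth:
            findings.append((wf.name, "exposed without authentication"))
        if wf.ignore_privacy_rules:
            findings.append((wf.name, "ignores privacy rules"))
    return findings


def is_admin(client: Optional[User]) -> bool:
    """Condition from the article: the current user's Admin field is yes."""
    return client is not None and client.admin


# Constructed sample data: 100 users spread evenly over four teams.
DATABASE = [User(uid=i, team="ABCD"[i % 4]) for i in range(100)]
CLIENT = User(uid=0, team="A")                  # authenticated, not an admin
ADMIN = User(uid=1000, team="B", admin=True)    # authenticated admin

if __name__ == "__main__":
    wf = ApiWorkflow("tag-users")
    print(run_workflow(wf, None, DATABASE)[0])
    status, changed = run_workflow(wf, CLIENT, DATABASE)
    print(status, len(changed), "of", len(DATABASE), "users changed")
    print(run_workflow(ApiWorkflow("tag-users", only_when=is_admin), CLIENT, DATABASE)[0])
    print(audit([ApiWorkflow("open", requires_auth=False, ignore_privacy_rules=True)]))
```

The authenticated client is allowed to run the workflow, yet only the 25 users its privacy rule lets it find are changed, which is the partial result the article warns about.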

Workflow API security checklist

  • Keep the principle of least access in mind

  • Decide who has access (authentication). First, decide who has access to the data API:

    • No one

    • Selected clients and workflows

    • All clients

  • Decide what they have access to (authorization)

    • Enable only the API workflows you want to expose

    • Use privacy rules to control what data the workflow can find

    • Use conditions to apply more fine-grained authorization

Authentication identifies who the client is and authorization determines what they should have access to.
Using the Expose as a public API workflow setting allows you to cut an individual API workflow off from external apps and systems.
An API workflow can go through multiple steps of authorization as illustrated above.
In the case of this API workflow we are in principle going through two rounds of authorization: first that the client is authorized to execute the workflow, and then which users they are able to search for.