# Data API Privacy Rules


## The Data API and Privacy Rules

Access to a specific data type through the Data API is controlled by the Privacy Rules[^1] applied to that type, unless the client authenticates[^3] with a Bubble API token[^2]. In that case the client[^4] is granted full admin access and Privacy Rules are disregarded.

{% hint style="warning" %}
If a client is accessing the Data API [as an admin](https://manual.bubble.io/~/changes/1104/help-guides/integrations/api/the-bubble-api/authentication/as-an-admin) (authenticating with a Bubble API token) all Privacy Rules will be disregarded. If you want to use Privacy Rules to control access to the Data API, use [user authentication](https://manual.bubble.io/~/changes/1104/help-guides/integrations/api/the-bubble-api/authentication/as-a-user) instead.
{% endhint %}

<figure><img src="https://34394582-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M5sbzwG7CljeZdkntrL%2Fuploads%2FcP4RL7KdI73EqLT3Puau%2Fprivacy-rules-illustration-b.jpeg?alt=media&#x26;token=7a296176-f2df-4fd3-8fc4-5dc1d98f20f7" alt=""><figcaption><p>Privacy Rules serve as a secure filter to stop unauthorized access to your app's database.</p></figcaption></figure>

## How Privacy Rules affect the Data API

The different checkboxes in a given Privacy Rule affect the Data API in the following way:

### Regular Privacy Rules

#### View all fields

If this box is checked, the client will be able to retrieve all the fields on all the things of a given data type. If you uncheck this box, you can select one by one which fields are returned.

#### Find this in searches

If this box is checked, the client will be able to retrieve a list of things of a given data type, optionally using search constraints. If it’s left unchecked, the client will be unable to search for the data type.

#### View attached files

If this box is checked, the client will be able to retrieve files saved to a given data type.

#### Allow auto-binding

This setting does not affect clients who access the database via the Data API.

### Data API-specific Privacy Rules

<figure><img src="https://34394582-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M5sbzwG7CljeZdkntrL%2Fuploads%2FzbyY76ifDcc3Ijkg1sGh%2Fdata-api-privacy-rules.png?alt=media&#x26;token=96a45ee7-c1ac-436c-b71d-656deaaca3f5" alt=""><figcaption><p>Activating the Data API for a specific Thing activates three new settings in the Privacy Rules of that Thing.</p></figcaption></figure>

Whenever the Data API is enabled for a database Thing, three new options are available in that Thing’s Privacy Rule:

* Create via API
* Modify via API
* Delete via API

All three are unchecked by default to avoid accidentally giving editing access.

If these boxes are left unchecked, an API client matching this Privacy Rule will not be able to create, make changes to or delete any data on that data type through the Data API.

{% hint style="warning" %}
The Data API-specific Privacy Rules *only* apply to clients that access the database via the Data API. They do not affect your application's regular users or your API Workflows.
{% endhint %}
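
The rules described on this page, modelled as an added Python example (not Bubble's code and not an export format Bubble provides). The `PrivacyRule` class, its field names and the sample data are assumptions made for illustration, and the model covers a single rule that the client matches.

```python
from dataclasses import dataclass

ADMIN_TOKEN, USER = "admin_token", "user"  # the two authentication modes the page names

@dataclass
class PrivacyRule:
    """Checkboxes of one Privacy Rule (hypothetical model for illustration)."""
    view_all_fields: bool = False
    visible_fields: frozenset = frozenset()  # fields ticked one by one when view_all_fields is off
    find_in_searches: bool = False
    view_attached_files: bool = False
    allow_auto_binding: bool = False         # has no effect on Data API clients
    create_via_api: bool = False             # the three Data API boxes are unchecked by default
    modify_via_api: bool = False
    delete_via_api: bool = False

def effective_access(rule, auth):
    """What a Data API client matching `rule` may do on the data type."""
    if auth == ADMIN_TOKEN:                  # Bubble API token: Privacy Rules are disregarded
        return {"search": True, "files": True, "create": True, "modify": True, "delete": True}
    return {"search": rule.find_in_searches, "files": rule.view_attached_files,
            "create": rule.create_via_api, "modify": rule.modify_via_api,
            "delete": rule.delete_via_api}

def returned_fields(thing, rule, auth):
    """Fields of one thing that the response contains for this client."""
    if auth == ADMIN_TOKEN or rule.view_all_fields:
        return dict(thing)
    return {k: v for k, v in thing.items() if k in rule.visible_fields}

def audit(rules_by_type):
    """List (type, operation) pairs where a rule grants write access through the Data API."""
    findings = []
    for type_name, rule in sorted(rules_by_type.items()):
        access = effective_access(rule, USER)
        findings += [(type_name, op) for op in ("create", "modify", "delete") if access[op]]
    return findings

# Constructed sample data, for illustration only.
RULES = {
    "order": PrivacyRule(visible_fields=frozenset({"status"}), find_in_searches=True),
    "comment": PrivacyRule(view_all_fields=True, find_in_searches=True,
                           create_via_api=True, allow_auto_binding=True),
}
ORDER = {"status": "shipped", "card_last4": "4242", "buyer_email": "a@example.test"}
```

Running `audit(RULES)` lists the write permissions a user-authenticated client would get. The same client holding a Bubble API token gets every operation and every field regardless of the rule.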

[^1]: Privacy Rules are the server-side settings that you apply to each Data Type in your database to control who has access to read and make changes to that data.

[^2]: A Bubble API token is a specific way to authenticate a client in order to give them full admin access to your database.

    Article: [Authenticating a client as an admin](https://manual.bubble.io/~/changes/1104/help-guides/integrations/api/the-bubble-api/authentication/as-an-admin)

[^3]: Authentication is the process of identifying **who** a client is in order to proceed with authorization, which is the process of determining what resources the client should have access to.

    Article: [Authentication](https://manual.bubble.io/~/changes/1104/help-guides/integrations/api/the-bubble-api/authentication)

[^4]: The *client* is the one that sends an API request, as opposed to the *server*, which is the one that receives it and responds.

    Article section: [The client/server relationship](https://manual.bubble.io/~/changes/1104/help-guides/integrations/introduction-to-apis#client-and-server)
