API security

This section covers security related to incoming and outgoing API calls.

This article covers API security specifically. If you want to learn more about Bubble's API capabilities in general, check out our article series below:

Article series: API

Setting up connections with other applications and services is one of Bubble's core strengths, and gives you a lot of freedom in making outbound requests as well as accepting incoming ones.

Bubble's API tools are among the more complex parts of Bubble development. Generally, they are set up to handle security automatically and default to strict settings, which reduces the risk of accidentally introducing vulnerabilities.

In this article series, we'll have a look at what you can do as a developer to make sure both your inbound and outbound connections are secure.

The principle of least privilege

In the section Planning app security, we introduced the principle of least privilege. This is also an important guideline when setting up API connections.

The principle of least privilege is all about ensuring that each individual or system gets just the right amount of access needed to perform its specific task, and not an inch more. When diving into the Bubble API Connector and Bubble API, think of this as a guiding principle.

For instance, if an API call is designed to simply fetch or read data, it shouldn't have the power to change or delete that data. By sticking to this "just-enough" approach, you're making sure that you're not unintentionally opening up potential security risks. It’s a straightforward but crucial step in maintaining the integrity and safety of your app and its data.

API Connector security

The API Connector is used to send outbound API requests to third-party apps or systems. The article below outlines the secure way of setting it up. If you are unfamiliar with the API Connector, you may also be interested in reading our general article on the subject (bottom link).

Article: API Connector security

Article: Using the API Connector

Data API security

The Data API is part of the Bubble API, and gives you a way to share the data in your database securely with another app or system.

Article: Data API Security

Article series: Using the Data API (links to Integrations section)

Article: Data API Privacy Rules (links to Integrations section)

Workflow API security

The Workflow API is the second part of the Bubble API, and gives you a way to trigger API workflows from another app or system.

Article: Workflow API security

Article series: The Workflow API (links to Integrations section)

Other ways to learn

Video lessons
Articles

User manual:

Core reference:

  • Core reference: API
