Allow 'OAuth 2.0 Auth code grant' for Bubble's Data and Workflow API

To improve security on Bubble’s APIs (Data API and Workflow API) authentication, I prefer to have the option to create my own OAuth 2.0 Authorization Code grant or Implicit grant flow. The current option is similar to a Password grant flow, which is not recommended in terms of security.

As I quote IETF:

“The resource owner password credentials grant MUST NOT be used. This grant type insecurely exposes the credentials of the resource owner to the client. Even if the client is benign, this results in an increased attack surface (credentials can leak in more places than just the AS) and users are trained to enter their credentials in places other than the AS.”

Official resource:

+1 for an OAuth 2.0 flow for an access & refresh token combo into Bubble. This would be great.

Do you not see Bubble’s current facility to issue tokens as a response from a Login workflow as an implicit grant flow?

Having a token that lasts 1 year (as these do) isn’t great from a security perspective… it’s also a little inelegant needing users to re-authenticate within a year to mint another token.

But I think those are general issues with implicit grants rather than Bubble.

True that. It’s similar to the password grant flow.

I just found out that when you set the value of Stay logged in to no, the token is valid for one day (86400 seconds):


I have managed to use the Auth code grant with the API.

Use the Bubble SSO feature and add a 3rd party app in the settings of your app.

The auth code grant flow is described in the docs here:

I’ve tested the flow and I was able to use the access_token with the Workflow API and Data API.

Hi Thomas. Was this used to authenticate from another website INTO a Bubble app? If so, could you do a quick tutorial please?