API connector schema and security

What is the secure way to initialize and clear an API connector call?

Bubble docs say:
image

First part:
What I understand is: everything included in the call during initialization is publicly visible, so initialization should be done with “dummy data”. Does this include parameters marked as private during initialization? What does the API schema include specifically? How can I see it?

Second part:
I came across the term “initialization clearing”, which I believe means erasing the parameter values after initialization. If the API schema already contains the parameter values that were set during initialization, what is the use of this clearing? Is it just to not have any value included by default in the calls but not a security measure?

Thanks!

We have been doing app audits over the last few months and can confirm this.

Firstly, Bubble now automatically obfuscates returned values during API initialisation.

Secondly, the parameters that you set in the API connector while initialising are visible to the client only if they are not marked as private. This means that all those values will be visible, including your endpoint too.


It’s basically anything that’s not private is public.

This guide will help you:


Thanks both for the help!

@georgecollier, your tips published in the forum are really valuable, thanks so much for sharing all that knowledge!
