API connector's "access_type=offline" - what does it do?

What does the API connector’s access_type=offline do? I understand the technical concept 1, but I am trying to understand what the API Connector’s setting does. Can I use that to build API workflows with it?

Some context:

I am trying to connect to Zoho CRM’s v2 API. I am able to connect to it when I using a front-end application.

Now I’m trying to build API workflows with it. Something to the tune of:

  1. Bubble app receives an external trigger
  2. gets info from Zoho
  3. checks Bubble database
  4. updates Zoho

Is that possible? Can the “super-admin” who runs the APIs use the token I used to first authenticate the API Connector? Or would I have to build something similar to what @pierreantoine built 2, save that token somewhere, and then refresh the token with each workflow run?

1 - Thanks to @DaveA’s reply on this thread: Google Login keep asking for "Have offline access" permission ; which links to this Stackoverflow post (that I hope is correct): https://stackoverflow.com/questions/30637984/what-does-offline-access-in-oauth-mean

2 - OAuth2 User-Agent Flow token extraction

Those tokens are saving to a user’s hidden authentication field which can be used only by the user.
To use them, you need to log in as a user and run your API endpoints.
You need to create an API endpoint which will log in a user - in a response you’ll receive an authorization token. That token you need to use as an authentication in the header for the other API endpoints.

1 Like

It works, thanks!

I wonder about the security implications of this method.

Do not forget to configure privacy rules for your fields. It is very important. Also, you can encrypt that values.

Privacy rules in Bubble I’m familiar with.

What do you mean about encrypting? How could I do it?

I’m currently testing with just the username and password hardcoded like this:

The next step will be to create a Thing in the database to store that info.