API Endpoints vulnerable?

Hey there!
I have a question regarding the security of API Endpoints my Bubble App uses.

Users of my app can create content. This content is send to my Xano Backend via a POST. The content includes the content itself (various text data types) and the creator of the content (creator username as text data type).
The Xano Endpoint is open as seen here
grafik

Now my question is: would people be able to call that POST Endpoint so that they could create content under the name of others?
If so how can I assure that the endpoint is only called by my app and not others via postman for example?
Can I set a key which only my API Connector knows and is never exposed to users, so that only my app can call that endpoint?

Look under settings > API > Generate new API Token to see how you can create them inside Bubble.

I added to all my Xano API Calls the need for the auth-token to be included in the call.
So whilst the endpoints can be seen, without the token nothing can be done.

There are tutorials on how to generate auth tokens for Xano with Bubble apps, and then it is pretty simple to add the need for the auth token on each call.

That looks like the solution I need.
You please have one of those tutorials at hand for me so I can try myself out with your solution?
Thanks in advance for your reply!

@mc3digital
I think your solution is for when I want my APP to have an API but in my case i want to talk to another API (XANO)
@ratsoundsystems is the solution im looking for i guess. BUt I dont know how to do it yet

It has been a while since I set this up, but in Xano you need to lock each endpoint. Here is what that looks like:

Then when you make all your API calls from your Bubble App, send your user’s Auth Token with it right after where it says “Bearer” . Here is an example:

Not sure if this is what you are looking for, but this will secure all your Xano endpoints.

@ratsoundsystems thank you very much!
I think this is exactly what im looking for. The only difference for my setup is, that users dont have an auth token, since I save my users in the bubble database and do the login with bubble.
I only save content data in the Xano Databases (I know thats not the best setup).
I kind of need an authtoken/key which is global for my app and the Xano APIs will only accept requests with that token/key (which in the end indicates that my App is calling)

Maybe you could use one static auth token for your entire app? And set it to never expire? And use it for all your calls?
Xano seems to say they can be set to such a thing.