I was considering using Bubble as a backend for a small project, but I don’t think it’s going to work.
I wanted to use the Data API and only allow clients access to a subset of data based on their API key.
Once I realized that the Data API calls can’t be intercepted and have workflows/conditionals applied to them, I tried using the Workflow API instead. But I see that that API doesn’t allow returning paginated results, which I’ll need, the Swagger documentation doesn’t appear formatted as I would expect, and I can’t access the request API token in the workflow anyway, so I would have to pass it in as a param, which I don’t want to do. I need for this API to look like a normal API to external developers, so the requests need to be formatted pretty cleanly. I’m willing to try to use User and Privacy for permissions, but I’m not sure if that’s possible to do for API calls.
Should I give up on Bubble for this project, or am I missing some other obvious solution?
If you want users to only have access to data that they should have access to according to Privacy Rules, see the User authentication section of the docs.
If you want more granular permissions, try creating a dummy user which has a Permissions thing attached. The Permissions can be a bunch of yes/no fields, each like ‘canSeeAllUsers’ or ‘canSeeBlueThings’.
Then, add privacy rules for each permission. Configure them so ‘when current user’s canSeeAllUsers is yes’ they can find all users in searches and view fields etc. Or ‘when current user’s canSeeBlueThings is yes and This Thing’s colour is blue’ they can find in searches and view fields.
Hope this sends you along the right path.
TL;DR: it’s not too difficult to add User authentication to replicate this. Specifically authorizing requests with random API keys is more difficult, but I guess you could do it with some creative workflows or a serverless function that checks an API key’s validity and then forwards the request to Bubble if acceptable.
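A sketch of the serverless-function idea from the answer above, added here as an example and not code from the thread or from Bubble: the function checks the client's key, pins the tenant constraint server-side, and builds the request it would forward to the Data API (the HTTP send itself is left out so it runs offline). The app URL, the `item` type, the `tenant` field, the key table and the page-size cap are assumptions.

```python
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Assumptions (hypothetical): app URL, data type "item", field "tenant", key table.
BUBBLE_BASE = "https://example-app.bubbleapps.io/api/1.1/obj/item"
BUBBLE_TOKEN = "PLACEHOLDER-BUBBLE-API-TOKEN"  # held by the gateway only
MAX_LIMIT = 100  # assumed page-size cap


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed sample keys; only their hashes are stored, each mapped to a tenant.
CLIENT_KEYS = {
    _digest("constructed-key-for-tenant-a"): "tenant-a",
    _digest("constructed-key-for-tenant-b"): "tenant-b",
}


def tenant_for(api_key: str):
    """Return the tenant for a presented key, or None (constant-time compare)."""
    presented = _digest(api_key)
    found = None
    for stored, tenant in CLIENT_KEYS.items():
        if hmac.compare_digest(stored, presented):
            found = tenant
    return found


def build_upstream(headers: dict, query: dict):
    """Return (status, url, upstream_headers) for one client list request."""
    scheme, _, key = headers.get("Authorization", "").partition(" ")
    tenant = tenant_for(key) if scheme.lower() == "bearer" and key else None
    if tenant is None:
        return 401, None, None
    try:
        wanted = json.loads(query.get("constraints", "[]"))
        cursor = max(0, int(query.get("cursor", 0)))
        limit = min(MAX_LIMIT, max(1, int(query.get("limit", MAX_LIMIT))))
    except (ValueError, TypeError):
        return 400, None, None
    if not isinstance(wanted, list):
        return 400, None, None
    # Drop any client constraint on the tenant field, then pin it server-side.
    scoped = [c for c in wanted if isinstance(c, dict) and c.get("key") != "tenant"]
    scoped.append({"key": "tenant", "constraint_type": "equals", "value": tenant})
    params = {"constraints": json.dumps(scoped), "cursor": cursor, "limit": limit}
    # The client's key is replaced by the gateway's own Bubble token.
    return 200, f"{BUBBLE_BASE}?{urlencode(params)}", {"Authorization": f"Bearer {BUBBLE_TOKEN}"}
```

Because the gateway's own token reaches Bubble, the tenant constraint appended here is the only thing separating tenants on this path, so it is worth testing with a request that tries to name another tenant.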
Thanks for the response! I’ve decided to go with Supabase, since Bubble doesn’t have quite the level of functionality I’m looking for when it comes to creating a multi-tenant database and API.