Backend API Workflows Discoverable?

Hi there,

Are backend API Workflows discoverable in any way by end users? For example, can an end user use Dev Console or other tools to discover that API endpoints (API Workflows) are available to call?

Any tips on securing them if the answer is yes?

Thank you.

https://[yourappid].bubbleapps.io/api/1.1/meta

Public backend workflows have their input parameters and return values exposed publicly. A publicly exposed backend workflow is exploitable even if it requires authentication because authentication only means being logged in.

To rectify this, if you want to restrict a backend workflow to running only with a certain API key, you can add an input parameter and check that parameter inside the workflow.

1 Like
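An added example, not part of the original posts: a small audit an app owner could run over a saved copy of their own `/api/1.1/meta` response to list each exposed backend workflow and flag those without the key parameter the answer recommends. The JSON field names (`post`, `endpoint`, `parameters`, `key`, `optional`, `no_auth`), the parameter name `api_key` and the sample document are assumptions constructed for illustration; map them to what your app's meta document actually contains.

```python
import json

# Constructed sample meta document. The shape and field names are assumed,
# not taken from the page; adjust them to your app's real response.
SAMPLE_META = json.loads("""
{
  "post": [
    {"endpoint": "send_invoice", "no_auth": false,
     "parameters": [{"key": "order_id", "optional": false}]},
    {"endpoint": "reset_credits", "no_auth": true,
     "parameters": [{"key": "user_email", "optional": false}]},
    {"endpoint": "sync_stock", "no_auth": false,
     "parameters": [{"key": "api_key", "optional": false},
                    {"key": "sku", "optional": false}]}
  ]
}
""")


def audit(meta, key_param="api_key"):
    """Return {endpoint: [issues]} for every workflow listed in the meta document.

    key_param is the (hypothetical) name of the input parameter that the
    workflow is expected to check against a secret value.
    """
    report = {}
    for wf in meta.get("post", []):
        params = {p["key"]: p for p in wf.get("parameters", [])}
        issues = []
        if key_param not in params:
            issues.append("no key parameter")
        elif params[key_param].get("optional", False):
            issues.append("key parameter is optional")
        if wf.get("no_auth", False):
            issues.append("runs without authentication")
        report[wf["endpoint"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_META).items():
        # An empty issue list only means the parameter is declared; the check
        # inside the workflow still has to be confirmed in the editor.
        print(f"{name}: {', '.join(issues) or 'key parameter declared'}")
```

A workflow that passes this audit only declares the parameter; whether the workflow actually compares it to the expected key has to be confirmed in the workflow itself.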