Can users upload files from outside Bubble?

Hi all,

I am making files private in the backend with the API Connector. The api returns files successfully, but I’m seeing that the url of the files could potentially reveal how the API works. I’m wondering if users would be able to upload files from outside of my app by somehow replicating the API?


If you make these calls in the frontend (meaning they have the URL, API_KEY, and parameters), YES. They can make the call themselves. It is good practice to usually make these calls in the backend so user’s don’t have access to your API_KEY (especially, if there is one single API key for your whole system).

Hey Hergin, thanks. The thing is, this API workflow doesn’t even require authentication. I tried uploading a file to one of my other apps and to my surprise it worked… I went a step further to create an entirely new bubble account with a different email, created a demo app and tried uploading files to my other app through the API connector and it worked! That is truly scary. Some outside party could just continue to upload files to my application and use up all my storage.

Do you know of any way to require some sort of authentication for files to be uploaded to my app?

You should make the calls in the backend workflow to protect your one api key. But I dont know how to do it with files. I am sure there are ways. Maybe you can upload to Bubble first and then transfer it to your apinand delete?

Hi Hergin,

Thanks, but as stated before, I am already running file uploads in the backend and the API Request doesn’t require authentication, for some reason. I WANT to secure it somehow, but I don’t know how, when the request doesn’t require any authentication itself :frowning:

Thanks again though,

There is something wrong. If you run the api in the backend, people shouldnt have access to your api key.

Of course, if you let any viewer of your app to run this workflow, they will be able to upload files. So, technically, you should protect the actual call from anonymous access. People should be logged in to call this backend workflow. But still they won’t see the api key.