
Data api (gateway)

Hi,
I have a customer portal and my idea is to give the customers the possibility to use an API to get their own data out of the portal.

My current plan is to create an api-table.
api key (random key), customer

The key can only be generated one time - if the user wants to create a new one, all keys will be deleted.

This is also working fine.
But now I’m struggling with the API handling as I have to (as far as I know from docs) create a master-key in the app settings.

But how can I add a configuration/setup so that it's only possible with the api-key from my customer table to request data via API AND only for his own data?

Any idea?

Hey @fok_ste :wave:

Thanks for the post and great question!

It’s actually possible to do this with some of Bubble’s built-in API features. For instance, the user can authenticate with the API using their own login credentials and from there, should be able to interact with the Data API and will be handled within the privacy rules that apply to their user account.

One important thing to note here is that defining a master key instead of authenticating using the user’s credentials would actually give them admin level access to your app’s data including data that is beyond what privacy rules allow for their user account.

For more information about our Data API, authentication and how privacy rules fit in, I’d recommend checking out our manual.

Feel free to reach out to us directly at [email protected] with any additional questions. And, best of luck with the rest of this build.

Hej @AndrewV ,
many thanks - I know that it's possible to use the user login - but I’m using Microsoft Azure AD for authentication and it's not possible with the other tool to use this :frowning:
So I thought it might be possible to create a key for the user and to use the key and the email or username for authentication. But I didn't find a solution for this :confused:

If you create a backend workflow with a login action, and hit it externally, upon a successful login, it’ll respond with an api token that’s specific to the user. Potentially you could do this, store the token and then make any additional calls using the typical Authentication: Bearer XXX method.

Unfortunately, outside of api calls with basic auth (username / password) or using the backend method listed above, there’s no way to create an API key that would be limited to just that user’s privacy rules. You could certainly use an API key in conjunction with parameters to limit a user’s calls to just their records, but the risk is that they could remove those parameters and have access to all your data.

One third option would be to utilize backend workflows and the ‘return data’ action to build your own api service where you could validate the calls yourself and use only when statements to validate keys you manually create before returning certain data for certain users. It’s a little more involved but might be worth looking into.
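As an added illustration of the third option above (not part of the original posts and not Bubble's own code), this Python sketch shows the validation logic such a self-built endpoint needs: the customer is derived from the key lookup and never from request parameters. The names `issue_key`, `customer_for`, `handle_request` and the sample records are hypothetical, and storing only a SHA-256 digest of each key is an assumption.

```python
import hashlib
import secrets

# Constructed sample data: portal records, each owned by one customer.
RECORDS = [
    {"id": 1, "customer": "acme", "invoice": "A-100"},
    {"id": 2, "customer": "acme", "invoice": "A-101"},
    {"id": 3, "customer": "globex", "invoice": "G-200"},
]

# The "api-table" from the thread: one row per key, mapping key -> customer.
# Assumption: only a digest of the key is stored, so a leaked table does
# not reveal usable keys.
API_TABLE = {}  # sha256 hex digest -> customer


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


def issue_key(customer: str) -> str:
    """Create a new key; every earlier key of this customer is deleted."""
    for old in [d for d, c in API_TABLE.items() if c == customer]:
        del API_TABLE[old]
    key = secrets.token_urlsafe(32)  # random, high-entropy key
    API_TABLE[_digest(key)] = customer
    return key  # shown to the customer once, never stored in clear


def customer_for(key: str):
    """Return the customer that owns this key, or None if it is unknown."""
    return API_TABLE.get(_digest(key))


def handle_request(api_key, params: dict) -> tuple:
    """Hypothetical endpoint handler: returns (status, records)."""
    customer = customer_for(api_key or "")
    if customer is None:
        return 401, []
    # The owner filter comes from the key lookup only. A 'customer' value
    # in params is ignored, so removing or changing it has no effect.
    rows = [r for r in RECORDS if r["customer"] == customer]
    if "invoice" in params:
        rows = [r for r in rows if r["invoice"] == params["invoice"]]
    return 200, rows
```
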

OK, that sounds like a plan. How can I store the key in Bubble and use it for further authentication?

Thanks for your reply!

Based on your previous post, I might recommend storing the key in your 3rd party software so you can use it whenever you need to make a call on the user’s behalf. If you store it in Bubble, it won’t be available when you go to make the calls.

ah okay - and where can I configure the TTL for the token? And how can I configure the data access for it?

@AndrewV Also I’m not able to choose login via social network (MS) in the settings for the backend api workflow

This topic was automatically closed after 70 days. New replies are no longer allowed.