Data api - meta endpoint

developers7 · August 5, 2023, 5:52am

Hi, apparently I can’t hide (or put behind auth) the meta api i.e /api/1.1/meta
It exposes details of things and workflows.
I think this is so not secure.
Is there a way to restrict it?

antonio1 · August 7, 2023, 3:45pm

+1 here… is there anyway to restrict access to it? (with api token?)

tylerboodman · August 18, 2023, 10:21pm

An interesting question, I assumed checking the box “Hide swagger documentation” but apparently that doesn’t do it.
@sam.morgan

ihsanzainal84 · August 22, 2023, 3:02pm

Maybe I’m a dummy but what do you mean with your original question? It’s kind of vague and hence why no one responded.

tylerboodman · August 22, 2023, 3:19pm

Add /api/1.1/meta to the end of your app domain it exposes every workflow name and API endpoint, it’s different from the swagger documentation tho

tylerboodman · August 22, 2023, 11:57pm

For example here’s the Bubble.io entire data structure: https://bubble.io/api/1.1/meta

And all the juicy yes/no fields for if a User is an official Bubble employee, etc.

jared.gibb · August 23, 2023, 12:17am

Interesting

developers7 · August 29, 2023, 10:37am

@bubble please fix this asap

tauno · October 13, 2023, 1:38pm

+1 also

SJL · December 2, 2025, 11:53pm

That’s kinda crazy, but made me feel a lot more comfortable about my app data security.

At a high level, being able to get every Bubble user’s full name and profile photo feels like a bit of a privacy breach, but it’s kind of already available through the app anyway.

Topic		Replies	Views
Bits of your Bubble app you might not know are public Tips	25	6917	July 23, 2024
Bubble.io API Secuirty Tips	0	97	October 24, 2024
Why your backend workflows might be your app's biggest vulnerability Tips	74	2265	March 4, 2025
Download App data with API APIs	0	185	May 9, 2021
API in Bubble used in another application APIs	0	210	April 4, 2022

Data api - meta endpoint

Related topics