I’ve been wanting to write and share content, detailed articles about complex features, and, most importantly, help you truly understand all these concepts and how what we implement really works for some time now.
I’ve written a first article about webhooks, explaining what they are, how to create a webhook on Make and trigger it from Bubble, how to create one on Bubble and send data to it, with the example of Stripe. I’ve also covered how to code a webhook : Unlock the power of webhooks
Feel free to provide feedback (both positive and negative).You can subscribe to my newsletter, where I share my documentation, research, and insights.
Hi, I have had a question regarding webhooks. With what user credentials do they run? Do they run as admin? Can they access all data? How do I restrict the data that a webhook can access?
@mghatiya
This is dependent on the Webhook itself. Many times web hooks need to be left open to create/edit regardless of privacy rules & auth due to the fact you can’t setup auth tokens via most 3rd party web hooks. Sometimes people use their admin API key from bubble editor.
This being said knowing what you’re allowing to be edited in these webhook flows and understanding the impact is very important. Considering security is left pretty much open the best way to keep the system secure is to verify the source of the service hitting the webhook endpoint. By verifying the source you can ensure the call is safe to make changes to your data.
Each 3rd party service has its own style of verification and multiple ways of handling it. Some common ones are:
source IP
Preforming a GET call to check against event ID’s in the DB to ensure they match (ex if someone tries a relay attack by passing a fake event ID when you check it against the source it’ll come up empty, so you wouldn’t continue the flow)
Manually verifying signatures
Few examples of how it’s handled.
Each 3rd party service has a slightly different way of handling them and it’s imperative you implement these.
What if I don’t implement security
You can see your endpoints of a bubble app at
{{domain}}/version-test/api/1.1/meta
Viewing them you’ll see If auth is required or not. Here’s an example:
If a bad actor can find out the params required to hit this endpoint (typically provided by the endpoint source) & it’s not secured you can actually execute the call and modify the database. For example a successful payment call to force an upgrade.
Hi, I am a beginner here. Will I be able to test webhooks with a free account? I am able to activate backend workflows, but am somehow not able to get the Bubble.io to detect my POST to the endpoint.
Really stupid question but if I view the endpoint using the meta URL and it shows the following:
“auth_unecessary”: false,
Is this secured or not secured? I’m not sure if it’s “unnecessary” spelled incorrectly or it means something else?
For what it’s worth, these webhooks in Bubble.io are exposed as Public API’s (POST), cannot be run without authorization and do not ignore privacy rules. They’re also called from Make.com (acting as an intermediary from the true source of the API call) which uses the Bubble.io API connector bearer Authorization in the header.
If the above means they’re not secured, how would I go about securing them as I feel like I’ve already done what is needed? Thanks!
