Expose as public workflow - Am I at risk for leaking my API key?

Hey everyone,

I have an API call that I run in the backend that creates a token and an order on PayPal. However, the only way for the user to confirm the order is for me to grab the success URL out of the order API.

To do this, I use the Bubble App Connector in the frontend; it calls the backend API and returns only the success URL back to the frontend. But in order to use the Bubble App Connector, I have to expose the backend API workflow as public. Does this mean it’s running my API keys on the frontend? How can I check?

All API calls are running server side (at the moment you didn’t activate the checkbox “try to run on client”, which is only available if you don’t have any headers or parameters).

The only way to expose the API key is if you set it dynamically in a parameter on the frontend. But I’m pretty sure this is not your case for this API and you set this in the API Connector correctly.

I believe if your API key is marked as “Private” in the “API Connector”, then there is no problem.

Awesome! Thank you everyone!

You can just save it onto a field and grab it once it’s not empty (using Do When).
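
One way to answer the "How can I check?" part of the question, as an added example that is not part of the original thread: export a HAR file from the browser's developer tools while the workflow runs, then search everything the browser sent or received for the key. The function names, sample URLs and key value below are constructed for illustration.

```python
import base64
import binascii


def _decoded_basic(value):
    """Return the decoded form of an HTTP Basic credential, or '' otherwise."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        return ""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""


def find_secret_in_har(har, secret):
    """Return (url, location) pairs where `secret` shows up in browser-visible traffic."""
    hits = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        fields = [("request url", req["url"])]
        for side, msg in (("request", req), ("response", resp)):
            for h in msg.get("headers", []):
                # Search the raw header and, for Basic auth, its decoded form.
                value = h["value"] + " " + _decoded_basic(h["value"])
                fields.append((f"{side} header {h['name']}", value))
        fields.append(("request body", (req.get("postData") or {}).get("text") or ""))
        content = resp.get("content") or {}
        body = content.get("text") or ""
        if content.get("encoding") == "base64":  # HAR stores binary bodies as base64
            body = base64.b64decode(body).decode("utf-8", "replace")
        fields.append(("response body", body))
        hits += [(req["url"], where) for where, value in fields if secret in value]
    return hits


# Constructed sample: a clean workflow call and a call that leaks the key.
SECRET = "CONSTRUCTED-SECRET-123"
LEAKY_AUTH = "Basic " + base64.b64encode(f"client-id:{SECRET}".encode()).decode()
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://app.example/api/1.1/wf/create_order", "headers": [],
                 "postData": {"text": '{"amount": "10.00"}'}},
     "response": {"headers": [], "content": {
         "text": '{"success_url": "https://paypal.example/approve?token=ABC"}'}}},
    {"request": {"url": "https://api.example/v1/oauth2/token",
                 "headers": [{"name": "Authorization", "value": LEAKY_AUTH}]},
     "response": {"headers": [], "content": {"text": "e30=", "encoding": "base64"}}},
]}}

if __name__ == "__main__":
    for url, where in find_secret_in_har(SAMPLE_HAR, SECRET):
        print(f"LEAK: {where} of {url}")
```

Pass the dict returned by `json.load` on a HAR exported from the browser's Network tab; an empty result means the key did not appear in any request or response the browser saw during that capture.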