Exposing my Data as a Rest API

Hi There. I have a list of dates and the ID for each date in my Bubble app. I would like to expose this as an endpoint where the app will accept the ID as a parameter and return the date. How do I do this in Bubble? Thank you for your help.

Hi @cameron.price,

I think what you’re looking for is under Settings > API

Check “This app exposes a GET/Data API” and/or “This app exposes a POST/Workflow API” depending on your specific needs. If checking GET, you can specify which data types to expose.

The reference details what your endpoint structure is: https://bubble.io/reference#API.introduction

Hi, Hope this video helps…!!!

I have used Postman with a token for authentication and made the endpoints secure.

7 Likes

Hi, many thanks @panks.35 Pankaj, your video helped a guy like me understand how APIs work in detail, plus Postman to play with them, that’s awesome!
But there is one part I don’t get: Bubble shows an error because you left a field empty. How do I set it?

The “when” field can’t remain empty. I tried to set it in different ways, but there is always a drawback.
I still want anyone to be able to look for items in my database using my Bubble app, I just want to restrict the access to the API.
How do I do that? Because if I restrict it, it’s restricted for everyone, even visitors on my website :(
Thanks if you take the time!

Hi, I left it empty in my attempt and it worked fine. As long as you are sending the auth token it seems to work regardless of these rules. I haven’t gotten to the bottom of it but these rules seem to be mostly focused on session users or the object in question. The security of the API seems mostly just to be triggered by generating a token.

EDIT: I see what you mean, there is an error flag in Bubble. Like I said in the text though, I would set the condition to be “current user is logged in” or something mostly secure by default. It doesn’t seem to affect the API stuff, certainly not for listing data. I haven’t experimented with update/create yet.

Further to this, if you are securing via API I don’t think you even need to define something here (although always best to allow rather than deny).

From the docs:
“Use an API Token generated in the API section in the Settings Tab. This API Token is secret and should not be shared with anyone. To authenticate with such a mechanism, add Authorization: Bearer API_TOKEN to the header. When you authenticate with such an API Token, the call is run in the context of an admin user of the app, who has access to all data.”

So if you wanted it to work differently (i.e. non-admin level) you could define a login workflow to return a token to your API (as mentioned in the docs also) that you then set in the Bearer header and therefore would act like a “logged in user”.
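
The ID-to-date lookup from the original question, called with the `Authorization: Bearer` header quoted from the docs above. This is an added example, not code from the thread or from Bubble; the API root, the `event` type, the `date` field and the response shape are assumptions, and the transport is injectable so it runs offline against a constructed response.

```python
import io
import json
import os
import re
import urllib.request

# Assumptions, not taken from the thread: API root, type name, field name.
API_ROOT = "https://example-app.bubbleapps.io/api/1.1"
TYPE_NAME = "event"
DATE_FIELD = "date"
ID_RE = re.compile(r"[A-Za-z0-9]+")  # no slashes, dots or query characters


def build_lookup(record_id, token):
    """Build the GET for one record, with the header format the docs quote."""
    if not ID_RE.fullmatch(record_id):
        raise ValueError("record id contains unexpected characters")
    req = urllib.request.Request(f"{API_ROOT}/obj/{TYPE_NAME}/{record_id}")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def date_for_id(record_id, token, send=urllib.request.urlopen):
    """Return only the date, so nothing else in the record reaches the caller."""
    with send(build_lookup(record_id, token)) as resp:
        body = json.load(resp)
    # Assumed response shape: {"response": {<field>: <value>, ...}}
    return body["response"][DATE_FIELD]


if __name__ == "__main__":
    # Constructed response standing in for the network, so this runs offline.
    def fake_send(req):
        print("GET", req.full_url)
        record = {"_id": "1700x42", "date": "2024-03-01", "internal_note": "n/a"}
        return io.BytesIO(json.dumps({"response": record}).encode())

    # The token comes from the environment, never hard-coded or sent to a browser.
    token = os.environ.get("BUBBLE_API_TOKEN", "constructed-demo-token")
    print(date_for_id("1700x42", token, send=fake_send))
```

Because a call made with an API Token runs as an admin user with access to all data, a wrapper like this belongs on a server that holds the token; a token returned by a login workflow goes in the same header when the call should run as a logged-in user.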