Free and Unlimited API Connector Plugin

Hey Bubble devs!

I’m Mario, the creator of CodeSmash.

I finally came around and published a new Bubble plugin! In this YouTube demo, I’ll show you how to use the new CodeSmash API Connector Plugin, to connect your Bubble apps with CodeSmash APIs. Since CodeSmash APIs are hosted on your private AWS account, you will get 25GB of database space for free each month. Also, the plugin is free and incurs no Workload units, so you won’t be charged for usage.

As far as CodeSmash goes, I’d like to mention the following.

The plugin is completely free and lets you connect unlimited APIs while incurring no Workload units. APIs deployed with CodeSmash are hosted on your private AWS account, including your code. So, if you decide not to use CodeSmash at some point, your APIs are still available and working on AWS.

And just a cherry on top, CodeSmash also has a Free Plan, which lets you deploy 5 APIs completely free of charge. You can now feel more confident in replacing your monthly Xano subscription with CodeSmash. You can watch the demo on YouTube and happy building! :wave::blush:

Also, if you want to help and contribute to the further development of the plugin, you can find it right here: CodeSmash API Connector Plugin | Bubble

1 Like

Please keep in mind that any API keys you pass to this plugin will be insecure/exposed to the client, so any users will need to ensure that they’re only calling services that require no private authentication.

2 Likes

Hey George, the thing is, with CodeSmash, you can define your own validation on the backend. So if you encrypt the keys on the frontend, you can decrypt them just before you send them. Then you can authenticate on the backend easily.

But yeah, in case people don’t want to actually use the plugin, but would instead want to use the Bubble API Connector, I have a video which shows how to use it as well!

If you encrypt them on the front-end, then the keys before encryption must also necessarily be seen by the client, no?

1 Like

It may be possible to encrypt them and save to database as an encrypted value prior to launch and so a user would not see the actual value at all…at least that is my guess on how to implement that approach but not sure if @mario.stopfer would suggest another way to secure the keys

I mean, you encrypt them locally. Then set them in your Bubble app. Then before you make the API call, you decrypt them. In any case, if you want to authenticate each specific user, it’s best to do it with their JWT tokens. JWT token validation is already on my roadmap, so should be done soon.

1 Like

Yes, that sounds good. But I personally wouldn’t even use any API keys at all. Why not just validate JWT for each user on the backend?

1 Like

Yeah, but then they can see the encrypted key which can still be used to authenticate whatever API they’re calling (as the API decrypts the encrypted key) - so it’s just extra steps for same result.

Maybe I’m missing something obvious to others though :slight_smile:

2 Likes

Well, if you’re going to call the CodeSmash API, you don’t actually need any key. Now, if there is some 3rd party API you are calling, inside CodeSmash API, then just pass the key from there.

Also, I said that you decrypt the key before you send it, so the API gets the decrypted key. It’s still stored as encrypted on the frontend.

The best way to do auth is actually with JWT and then add row level authorization. Once you authenticate the user, when he tries to add or edit a row, you need to check if he has permission to change that specific piece of data.

At this point, just use the API Connector with a private key :joy:

If you’re sending the ‘decrypted key’ with your plugin, then it’s exposed to the client.

If you send an encrypted key, then it’s virtually identical to sending no key as an encrypted key that’s decrypted by the API is functionally the same as just sending a decrypted key.

Just wanted to make sure people potentially using the plug-in know that, as exposed API keys in plugins is one of the most common security issues I find on Bubble apps.

3 Likes
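The point made in the post above, as an added example that is not part of the original thread and is not the plugin's code: a key that is encrypted, shipped to the browser and decrypted by the backend still works as a bearer credential for anyone who can read it. The AES-256-GCM scheme, the function names and both secrets are assumptions with constructed values.

```javascript
const crypto = require('node:crypto');

// Constructed values for the demo; neither is a real credential.
const THIRD_PARTY_KEY = 'sk_demo_constructed_123';
const SERVER_AES_KEY = crypto.createHash('sha256').update('constructed-server-secret').digest();

// What the app builder does "locally" before pasting the result into the app.
function encryptKey(plain) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', SERVER_AES_KEY, iv);
  const ct = Buffer.concat([c.update(plain, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

// Backend side: recover the key from the blob, or null if it is not valid.
function decryptKey(blob) {
  try {
    const raw = Buffer.from(String(blob), 'base64');
    const d = crypto.createDecipheriv('aes-256-gcm', SERVER_AES_KEY, raw.subarray(0, 12));
    d.setAuthTag(raw.subarray(12, 28));
    return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
  } catch { return null; }
}

// The backend accepts whatever blob arrives with the request. It cannot tell
// which browser sent it, so the blob itself is the credential.
function backendAccepts(blobFromRequest) {
  return decryptKey(blobFromRequest) === THIRD_PARTY_KEY ? 200 : 401;
}

// Runs the scenario: the same client-visible string works from any client.
function demo() {
  const shippedToBrowser = encryptKey(THIRD_PARTY_KEY); // visible in page data
  return {
    plaintextVisible: shippedToBrowser.includes(THIRD_PARTY_KEY),
    fromTheApp: backendAccepts(shippedToBrowser),
    fromAnyOtherClient: backendAccepts(String(shippedToBrowser)),
    randomGuess: backendAccepts('bm90LXRoZS1ibG9i'),
  };
}

console.log(demo());
```

Encryption hides the plaintext but not the ability to use it, so the blob needs the same protection as the key: keep it on the backend and identify the caller separately.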

> At this point, just use the API Connector with a private key

This is why I posted a video on how to use the Bubble API Connector as well. Whatever people want to use is fine.

> If you’re sending the ‘decrypted key’ with your plugin, then it’s exposed to the client. If you send an encrypted key, then it’s virtually identical to sending no key as an encrypted key that’s decrypted by the API is functionally the same as just sending a decrypted key. Just wanted to make sure people potentially using the plug-in know that, as exposed API keys in plugins is one of the most common security issues I find on Bubble apps.

I think we’re talking past each other here. What key exactly are you talking about? Is it the key from the person who is building the app and using CodeSmash API, or are you talking about the user who is just browsing and using the app?

Hi Mario,
Just saw your new plugin. One question: does this API Connector plugin support websockets for real-time APIs? The Bubble one cannot do it. If not, do you have any suggestion to solve this? I am working on an MVP which needs to connect a real-time API to the app, and this needs websocket support.

1 Like

That’s one of the things I still have to add. Yes, I had other people ask me for the same feature, but I’m adding new features based on the roadmap. I suggest you go to my roadmap and request the Web Socket feature. The more people vote for it, the sooner it gets implemented. https://codesmash.featurebase.app/

Guys, I recently had a question from a person on Bubble.io Facebook groups, whether you can use CodeSmash to process data, or do you only have the ability to store it in the database.

So, in case you were wondering, yes of course you can process, modify and validate the data. It’s a full-fledged No Code API Builder and you can also make HTTP requests to other APIs within CodeSmash as well. :slight_smile:

I actually went so far as to create multiple APIs with CodeSmash which all communicate with each other, which is also called a micro-service architecture. You can watch the demo here: