I’d like to make a call to my app to retrieve data from this page using the parameters.
Basically I would like to search data in my database using the parameters and get the results to display some data in the page.
What would be the most straightforward and secured option, taking into account that the page visitor is not logged-in ? (and applying “find this in search” for everyone in privacy rules is not an option)
I figured out there’s many option to do this with pros and cons for each so I’d like to ask what would be the best practices from the community ?
What would you use as authenticated method for the API call, as the User is not logged in ?
If this is an Auth with private key (bearer token) in the Header, I guess I would have to create an API token for this.
Isn’t any issue an attackant could get the token even if in the header as the call is made on client side ?
Yes, you need to create an api token for this, but this is safely stored by bubble.
Any API request that uses a token has this issue. That’s why it’s so important to keep it safe.
So you don’t need to store this token anywhere.
What you can also do is to manually change the token from time to time, but I don’t think it’s necessary, since anyone with the URL can see the data.
But if you’re showing sensitive information, you need to add some more security like including a passcode (which you can also validate on the API call)
Thanks again
Just to be sure I understand well. With this method, if the call is made from client side, the API token isn’t visible from there, even with dev skills, right ? And as far as it is safely stored there’s very no chance an attackant could get it ?
