Get data from front end

Hi bubblers
I need help regarding the following use-ase.

I have page in my app which can be visited by users that are not logged-in / signed up.
For many reasons, the pages don’t have “page-type” set.

The page url contains parameters and look like this :

I’d like to make a call to my app to retrieve data from this page using the parameters.
Basically I would like to search data in my database using the parameters and get the results to display some data in the page.

What would be the most straightforward and secured option, taking into account that the page visitor is not logged-in ? (and applying “find this in search” for everyone in privacy rules is not an option)

I figured out there’s many option to do this with pros and cons for each so I’d like to ask what would be the best practices from the community ?

Thanks !

@louis6 in this case, aim for the “secure option”.

You can create an API call to your own app.


  1. you create an API workflow, do the search you need, then ‘return data from api’
  2. create an API connection that calls this endpoint you created above and initialize it
  3. inside the page you call this API you created on step 2

the API connector should look like this

and the API workflow like this

Hi !

What would you use as authenticated method for the API call, as the User is not logged in ?

If this is an Auth with private key (bearer token) in the Header, I guess I would have to create an API token for this.
Isn’t any issue an attackant could get the token even if in the header as the call is made on client side ?

Many thanks

Yes, you need to create an api token for this, but this is safely stored by bubble.

Any API request that uses a token has this issue. That’s why it’s so important to keep it safe.

So you don’t need to store this token anywhere.

What you can also do is to manually change the token from time to time, but I don’t think it’s necessary, since anyone with the URL can see the data.

But if you’re showing sensitive information, you need to add some more security like including a passcode (which you can also validate on the API call)

Thanks again
Just to be sure I understand well. With this method, if the call is made from client side, the API token isn’t visible from there, even with dev skills, right ? And as far as it is safely stored there’s very no chance an attackant could get it ?