Having trouble with Data API privacy settings

I am currently using the Data API to pull information from my database using the URL: https://myappname.bubbleapps.io/version-test/api/1.1/obj/my_data_type

I am trying to set up a way so that the JSON data returned by the URL can only be viewed by someone with my API key.

This is how I am setting up the privacy settings:

This allows my Data API URL to return data only if I am passing my api_token as an argument in the URL.

However, doing this prevents normal users from viewing the data on my website’s front-end pages. Any text boxes that get dynamic data from my bubble database are empty.

If I check the “View all fields” box under “everyone else” (shown below), then any user can access my data via the URL without needing my api key.

I have tried setting up conditions in the “when” box, but any time they are met, the current user can open another tab and view my Data API without needing the API key (I think this might have something to do with cookies).

So the question is: How can I keep my Data API URLs secure with an API key, while at the same time allowing users to view the data on my webpages’ front-end?

This is a big data security concern of mine and I’d really appreciate any help.

Hi @iamhiding24,

I don’t think you can do exactly what you are describing (if I’m interpreting you correctly), which is to provide a group of users access to data through the application, but NOT allow those same users access via the data api.

As you’ve found out, the View all fields permission grants the ability to see data fields. If you grant that permission to “Everyone else” or a specific role, those entities will be able to see the selected data fields BOTH through the API as well as through your application.

This makes sense because the Privacy settings are there to protect data at the database level, not the application, so in granting this permission you are granting access to the database regardless of the access type.

If you want to provide api access only to those with a token, you can take a look at turning off the data api and building your own api endpoints that search and return data as you see fit. For example:

Create an endpoint

With an action that returns data

Call it externally with a token

And get results

Call it externally without a token and get nothing



Ken Truesdale

2 Likes

Thanks for the response. I have a few questions regarding that method of getting data.

I am trying to get my endpoint to return a certain amount of items of a data type. Here is what I have:

Let’s say count = 3

I am able to get the 3rd item in the “Name” field and the “Segments” field from my “Listings” data type. How can I get the endpoint to return the first 3 items from my “Headquarters” field?

Also is there an easier way to return all fields in a data type up until a certain number? So instead of getting the first 3 items for “Name” then the first 3 items for “Segments” etc, is there an easier way to get the first 3 items for ALL the fields in my “Listings” data type?

Appreciate your help!

If you want to return multiple values of the same thing, then you tick the List box for that key. This might be helpful in your second question as well. Here’s an example of returning all fields for the first three things in my data type called random.


Keep in mind here though, that empty fields are not included.

2 Likes

Awesome! That works. Is there a limit to how big I can make the list to return?

Looks like you are limited to 50 in a workflow API so you’d have to set up your own pagination stuff.

From the reference:

List of parameters

These are the keys and data types of the parameters that are returned. When the name and type of data are set, define the data you want to return. In the case of the Workflow API, we limit the size of lists to 50 entries. For a full list of data, please use the Data API that handles pagination.
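
One way a client could do the "own pagination" mentioned above against the token-gated custom endpoint suggested earlier in the thread; this is an added example, not code from the thread or from Bubble. The endpoint name, the `start`/`count` parameters, the `response`/`items` reply shape and the `Authorization: Bearer` header are assumptions, and the stand-in server is constructed sample data so the block runs offline.

```python
import json
import urllib.request

PAGE_LIMIT = 50  # Workflow API list cap quoted in the reference above
# Hypothetical endpoint name; replace with your own workflow endpoint.
EXAMPLE_URL = "https://myappname.bubbleapps.io/version-test/api/1.1/wf/listings_page"

def build_request(url, token, start, count):
    """One page request; the token travels in a header, not in the URL."""
    body = json.dumps({"start": start, "count": count}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})

def http_send(req):
    """Real transport: send the request and decode the JSON reply."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def fetch_all(url, token, send=http_send, page_size=PAGE_LIMIT):
    """Collect every item, asking for at most 50 entries per call."""
    if not token:
        raise ValueError("refusing to call the endpoint without a token")
    page_size = max(1, min(page_size, PAGE_LIMIT))
    items, start = [], 1
    while True:
        reply = send(build_request(url, token, start, page_size))
        page = reply.get("response", {}).get("items", [])  # assumed shape
        items.extend(page)
        if len(page) < page_size:  # short or empty page: nothing left
            return items
        start += len(page)

def fake_send_factory(total, valid_token):
    """Constructed stand-in for the endpoint: `total` rows, one valid token."""
    def send(req):
        if req.get_header("Authorization") != f"Bearer {valid_token}":
            return {"response": {}}  # no valid token, no data
        args = json.loads(req.data)
        lo = args["start"] - 1
        hi = min(lo + min(args["count"], PAGE_LIMIT), total)
        return {"response": {"items": [f"listing-{n + 1}" for n in range(lo, hi)]}}
    return send

if __name__ == "__main__":
    send = fake_send_factory(120, "constructed-token")
    print(len(fetch_all(EXAMPLE_URL, "constructed-token", send)))
    print(fetch_all(EXAMPLE_URL, "wrong-token", send))
```

The loop stops on the first page shorter than the requested size, so a data set whose length is an exact multiple of 50 costs one extra, empty call.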