How Bubble secures an exposed API against cyber attacks


I want to create a backend API endpoint to which my users can POST some data; I will authorize them via token.

But the question is: what if somebody just gets the URL of my endpoint and starts posting millions of spam requests? How am I supposed to handle this without incurring a million workload units?
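
Added example, written for this thread rather than taken from Bubble or from any of the posters: a small request gate that checks the bearer token and a per-client failure budget before any workflow runs, so tokenless spam is rejected cheaply and a client that keeps sending it is blocked for a while, the same effect the later reply attributes to an anti-DDoS layer. The token, the addresses, the limits and the `RequestGate`/`run_sample` names are all constructed for the example.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed values for the example only; a real service loads its token from a secret store.
API_TOKEN = "example-token-not-real"
MAX_FAILURES = 5        # rejected calls tolerated per client within WINDOW_SECONDS
WINDOW_SECONDS = 60.0
BLOCK_SECONDS = 300.0   # how long a client that exceeds the budget stays blocked


class RequestGate:
    """Checks the token and the abuse budget before any billable workflow runs."""

    def __init__(self, token, now=time.monotonic):
        self._token = token.encode()
        self._now = now
        self._failures = defaultdict(deque)   # client_ip -> timestamps of recent rejections
        self._blocked_until = {}              # client_ip -> time at which the block expires
        self.workflow_runs = 0                # how often the expensive step actually executed

    def _record_failure(self, client_ip):
        now = self._now()
        recent = self._failures[client_ip]
        recent.append(now)
        # Drop rejections older than the window, then check the remaining budget.
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) > MAX_FAILURES:
            self._blocked_until[client_ip] = now + BLOCK_SECONDS
            recent.clear()

    def handle(self, client_ip, headers, body):
        # 1. Clients over budget are refused before their token is even read.
        if self._blocked_until.get(client_ip, 0.0) > self._now():
            return 429, "too many requests"
        # 2. Constant-time compare; a missing or wrong token never reaches the workflow.
        auth = headers.get("Authorization", "")
        presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if not hmac.compare_digest(presented.encode(), self._token):
            self._record_failure(client_ip)
            return 401, "unauthorized"
        # 3. Only authenticated callers reach the step that would cost workload.
        self.workflow_runs += 1
        return 200, self.run_workflow(body)

    def run_workflow(self, body):
        return f"accepted {len(body)} bytes"


# Constructed traffic: 20 tokenless POSTs from one address, then one legitimate call.
SAMPLE_REQUESTS = [("203.0.113.7", {}, b"spam")] * 20 + [
    ("198.51.100.5", {"Authorization": "Bearer " + API_TOKEN}, b'{"order": 42}'),
]


def run_sample(requests=SAMPLE_REQUESTS):
    """Replays the sample with a fake clock; returns (status codes, workflow runs)."""
    clock = [0.0]
    gate = RequestGate(API_TOKEN, now=lambda: clock[0])
    statuses = []
    for client_ip, headers, body in requests:
        statuses.append(gate.handle(client_ip, headers, body)[0])
        clock[0] += 0.1   # requests arrive 100 ms apart, well inside the window
    return statuses, gate.workflow_runs


if __name__ == "__main__":
    codes, runs = run_sample()
    print({code: codes.count(code) for code in sorted(set(codes))}, "workflow runs:", runs)
```

With the sample traffic, the spammer gets six 401s before the budget trips and fourteen 429s after it, the legitimate caller gets a 200, and the workflow counter ends at one. The ordering matters: the block check comes before the token check so a blocked client costs only a dictionary lookup, and the token check comes before the workflow so a rejected call never touches the expensive part.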

If they don't have a token for their requests, then they wouldn't go through?

They won't go through the workflow, but the functionality to do this will cost 1 million WU for 1 million spam requests.


Are you saying a rejected API call to the backend incurs WU? That's news to me! I have never tested that; can you grab a screenshot of the WU calc here?

1 WU per rejection is also insanely high for a simple auth process; sounds very strange.

“Does a rejected API call to the backend incur WU?” That's what I'm concerned about, but there's no info on this.

@guptamn49 Email the Bubble team, and also share their response with us; this would be very helpful to the community.

But I don't think there would be any WU consumption unless the call is authenticated; only then does Bubble try to check whether the Only When is true or not, and this will cost WU.


I would assume not, but it's an interesting idea to test it and see what the logs say.

I have sent a request to bubble support for the same.

This doc, What contributes to workload? - Bubble Docs, mentions inbound calls as billed activity, but says nothing about the cases where the authentication fails.

It does say each inbound call to an app's Data and Workflow API costs 0.01, so for the sake of argument, 1 million calls will cost 10,000 WU.

Really something to investigate, :thinking:


And I guess the calc would normally be inbound call + workflow, so regardless of whether the workflow triggers, that would be charged.

Based on the docs, I would assume that Cloudflare would pick up all of the bounced calls and start blocking those clients as part of anti-DDoS, though, so I doubt it would get into the million-call range.

I would say it's probably not a risk, but I'm still interested to hear a definitive answer.
