How can I provably confirm that a call hitting my backend was sent by Bubble’s API Connector?

Hi Bubblers

The backend at my current company trusts requests solely based on the trusted origin specified in the URL, but when the call originates from Bubble, adding my site’s domain to the whitelist isn’t enough because the request is actually dispatched by Bubble’s own servers and arrives with a hidden origin header. I need to determine that real, consistent origin—whether it’s a specific IP range, domain, or other identifier used by Bubble’s servers—so the backend can validate and accept only legitimate API Connector requests while blocking any replay attempts from tools like Postman.

Why not just use tokens passed with the payload through the API Connector? Store it in Bubble’s backend. Grab it when passing the token and payload as a server-side action.

Verify that the token matches as part of your Bubble endpoint workflow.

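The shared-token check suggested in the reply above, sketched for the receiving backend as an added example (not code from the thread or from Bubble). The header name `x-connector-token`, the function name and the sample tokens are assumptions made for illustration; the check accepts a current and a previous token so the secret can be rotated without downtime.

```python
import hashlib
import hmac

# Hypothetical header name chosen for this example; the API Connector call
# must be configured to send the token under the same name.
TOKEN_HEADER = "x-connector-token"


def _digest(token: str) -> bytes:
    # Hash before comparing so both operands always have the same length.
    return hashlib.sha256(token.encode("utf-8")).digest()


def verify_connector_token(headers: dict, accepted_tokens: list) -> bool:
    """Return True only if the request carries one of the accepted tokens."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    normalised = {k.lower(): v for k, v in headers.items()}
    presented = normalised.get(TOKEN_HEADER, "")
    if not presented or not accepted_tokens:
        return False
    presented_digest = _digest(presented)
    ok = False
    # Compare against every accepted token (current and previous during
    # rotation) in constant time, without returning early on a match.
    for token in accepted_tokens:
        if token and hmac.compare_digest(presented_digest, _digest(token)):
            ok = True
    return ok


# Constructed sample values; real tokens should be long random strings
# loaded from the backend's secret store, never hard-coded.
CURRENT = "constructed-sample-token-A"
PREVIOUS = "constructed-sample-token-B"

if __name__ == "__main__":
    accepted = [CURRENT, PREVIOUS]
    print(verify_connector_token({"X-Connector-Token": CURRENT}, accepted))
    print(verify_connector_token({"Origin": "https://example.com"}, accepted))
```

A static token proves knowledge of the secret rather than network origin, so it has to stay server-side in Bubble as the reply describes and travel only over TLS.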