I have spent the last three days trying to save my pride and find any explanation as to how I can authenticate users to create database items via API, from an external app, without giving them the key that gives them admin privileges. As I have read the entire manual and I feel like at least 50% of the forum, I still have no idea how to do it. Is it really rare that people would want to do this, or is it actively being hidden from me? Even the smallest clue would earn my eternal gratitude.
Create a field on User called “key”; use calculate random string.
On the API call, authenticate by checking to ensure the current user’s key is the same as the key sent from the other platform: “Only when key is = user key”.
Or, to use the more standard Bubble route (which will be to manually create keys in Settings -> API), create a key for your other platform.
POST https://(your domain)/api/1.1/wf/getToken
Content-Type: application/json
Authorization: Bearer (key from settings)
Body Params:
email: user email
Password: user pass
To authenticate
Then on the Bubble side
POST https://(your domain)/api/1.1/wf/checkToken
Content-Type: application/json
Authorization: Bearer USER_ID of the person attempting to authenticate.
If token is valid it’ll let you through
If invalid you will terminate your workflow.
Chris thank you that is a great start. I should have posted this originally. My problem could just be the way I am thinking about it, but my app will have many users who all will perform an action. I don’t really care which one of them it is. I just need to know which one of them it is so I can log the action, and validate that they have permission to do it.
If I create the “only when” condition, what is Bubble using to determine who “current user” is? My mind is probably coming at this from the perspective of a password type login and that might not be right.
I don’t think the second option will work for me, because the volume of keys I would have to manually create would be unmanageable.
Thank you again!
You can use the one key on your platform as a private key they don’t see and just use it as an SSO-style method to authenticate. When they log in on the external platform, it runs the get token call with the API key kept private; after they successfully log in, have it get a token. Save the token in that DB. Then when authenticating you will make the “checkToken” call with the token saved in the external platform DB.
When coming from your other platform I would link their user ID from that platform to a data field in this Bubble-built platform.
I think I can make that work! I’ll comment back if I get it, and I’ll owe you forever.
Thank you again
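The flow from the reply above, where the one API key stays private on the external platform's server and each user only ever gets their own token, sketched as an added example that is not code from any poster in this thread. The class name `TokenBroker`, the placeholder domain, the reply shape (`status` / `response.token`) and the `fake_bubble` stand-in are assumptions; the real reply depends on how the getToken and checkToken workflows are built.

```python
import json

BASE = "https://example.invalid/api/1.1/wf"   # placeholder for (your domain)

class TokenBroker:
    """Server-side on the external platform; users never receive api_key."""
    def __init__(self, api_key, send):
        self._api_key = api_key   # key from Settings -> API
        self._send = send         # callable(request dict) -> parsed JSON reply
        self._tokens = {}         # external user id -> token (stands in for the DB)

    def _post(self, workflow, bearer, body):
        return self._send({"method": "POST", "url": f"{BASE}/{workflow}",
                           "headers": {"Content-Type": "application/json",
                                       "Authorization": f"Bearer {bearer}"},
                           "body": json.dumps(body)})

    def login(self, user_id, email, password):
        reply = self._post("getToken", self._api_key,
                           {"email": email, "password": password})
        # Assumed reply shape; the real one depends on how getToken returns data.
        token = (reply.get("response") or {}).get("token")
        if reply.get("status") != "success" or not token:
            return False
        self._tokens[user_id] = token
        return True

    def check(self, user_id):
        token = self._tokens.get(user_id)
        if token is None:
            return False          # no login on record, so nothing is sent
        reply = self._post("checkToken", token, {})
        if reply.get("status") != "success":
            self._tokens.pop(user_id, None)   # forget a token that was rejected
            return False
        return True

# Constructed stand-in for the Bubble side so the example runs offline.
SENT = []
def fake_bubble(request):
    SENT.append(request)
    auth = request["headers"]["Authorization"]
    if request["url"].endswith("/getToken"):
        creds = json.loads(request["body"])
        if auth == "Bearer ADMIN-KEY" and creds["password"] == "correct-pass":
            return {"status": "success",
                    "response": {"token": "tok-" + creds["email"]}}
        return {"status": "error"}
    ok = auth.startswith("Bearer tok-")
    return {"status": "success" if ok else "error"}
```

The admin key appears only in the getToken request; every later call carries the user's own token, which is what lets the Bubble side tell which user is acting.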