How to pull data via API if one of the headers has privacy rules

Hey guys.
Can anyone help me with this issue?

I have a field in my user’s table that refers to his api key, but I unchecked this field in the privacy rules so that when the workflows are executed there is no risk of leaking this information.
It’s working correctly.

However, when I want to fetch some data via “Get data from an external API” with the same token, it doesn’t work. Is this really what was supposed to happen? Fields with privacy rules work in the backend, but isn’t it possible to extract some information without taking an action?

For context, I want to fetch the user’s current account balance, but I didn’t want to create an action to do this every time. I wanted to simply pull this balance through the API’s GET, but without leaving aside the privacy rules (when I ignore privacy, it works properly).

If anyone knows anything, I’m glad to hear it.

Thanks,
Imad

The problem is your privacy rules settings. Is the user logged in? What are the privacy rules? If this works in the backend, is it because you have checked “ignore privacy rules” in the backend WF?

1 Like

Regardless of the rule, no one should be able to see this token for the API call, and this is working fine. The problem is that it only works on the backend. I want to know if there is a way to pull the data without it being during an action, as in the photo below:

[image]

The “access_token” field is what contains the privacy rule, and in this case it is as if this call used an empty header (unlike what happens during the workflow, where Bubble can understand that this field is not empty, but does not show the sensitive information).

The rules are applied according to what you have set. So if the access token is not available with CurrentUser Commercial apiKey, this is because
A) It’s empty
B) Privacy rules are applied

Like I told you, if this works in the backend WF, this can be because
A) The WF runs on behalf of the user, and privacy rules are applied correctly. If this is the case, it should also work on the frontend
B) The WF is set to ignore privacy rules
C) You run the WF from an external request using the Bubble API key, which is an admin key
D) There are no privacy rules that apply.

Maybe you can share a screenshot of your settings in the Backend WF (not just the action, but the WF itself) and also the privacy rules settings you have on the comercialAccount’s DB and User DB.

1 Like

Sorry, I explained myself badly. I want to run an API action in Workflow not backend but one of the fields is private.

The action works in the workflow as long as there are no conditions that reference the same table as the private data. On the frontend, the request via API for some data with a header whose value is private in the database does not work.

In short, I would like to know if there is any way to make API calls with private data without using the backend.

In this example, the call gives an error because the apiKey contains privacy rules:

Now, in this example, the same api call, but in action form, works:

And to make matters even worse, if I put some condition in that same flow, it gives an error:


I hope I made it more clear.

Thank you for your help.

Hugs,
Imad

You need to manage the privacy rules to get access to the apikey field in the API Connector when you use it in the frontend.

That would be one way to fix it, but what if I can’t expose that key? Is there no way to access the API on the frontend?

The question is not to access the API in the frontend; the question is to access the data behind the privacy rules. The backend works because you probably have activated “ignore privacy rules”. It doesn’t make sense to do this in the frontend.
Let’s say the current user enters their API key, and you save it in the user DB so you can use this key to call the API. If this user is logged in, and you set your privacy rule to make this field available if the current user is this user, it will work and there’s no problem, because the current user is the owner of the API key. Now if you want to access this key while another user is logged in, you need to change the privacy rules to make it available to other users too!

1 Like
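
An added example, not from the thread's participants and not Bubble's own code: a simplified JavaScript model of the behaviour discussed above, where a client-side call builds its header from the privacy-filtered record while a server-side action reads the full record and returns only the balance. The rule functions, `viewFor`, `externalApi`, the ownership check and the token value are all constructed assumptions.

```javascript
// Simplified model of field-level privacy rules (constructed; not Bubble's code).
const users = new Map([
  ["u1", { id: "u1", name: "Imad", access_token: "tok_constructed_123" }],
]);

// Hypothetical rules: the list of User fields a requester may read.
const strictRules = () => ["id", "name"];            // token hidden from everyone
const ownerRules = (requester, record) =>            // token visible to its owner only
  requester === record.id ? ["id", "name", "access_token"] : ["id", "name"];

// What reaches the browser: only the fields the rules allow.
function viewFor(requester, record, rules) {
  const allowed = rules(requester, record);
  return Object.fromEntries(
    Object.entries(record).filter(([field]) => allowed.includes(field)));
}

// Stand-in for the external API: a balance is returned only for a valid token.
function externalApi(headers) {
  return headers.access_token === "tok_constructed_123"
    ? { status: 200, balance: 42 }
    : { status: 401 };
}

// Client-side data call: the header is built from the filtered view, so a
// hidden field becomes an empty header and the external API rejects the call.
function clientSideCall(requester, userId, rules) {
  const view = viewFor(requester, users.get(userId), rules);
  return externalApi({ access_token: view.access_token ?? "" });
}

// Server-side action that ignores privacy rules: the token is read from the
// full record and never leaves the server; only the balance is returned.
function serverSideCall(requester, userId) {
  if (requester !== userId) return { status: 403 }; // assumed ownership check
  const res = externalApi({ access_token: users.get(userId).access_token });
  return res.status === 200
    ? { status: 200, balance: res.balance }
    : { status: res.status };
}
```

With `ownerRules` the client-side call succeeds, but the token is then present in data sent to the owner's browser, which is the exposure the original poster is weighing.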

I understand, in theory there is no problem in allowing the user himself to view his API key, it is that in this case he has no contact with it, as it is generated automatically. And thinking about someone improperly accessing that user’s account, someone could change their bank details. If I choose to allow the user to see their own API key, I will possibly have to find some 2FA solution. But anyway, thanks again for trying to help. 🙂

1 Like