How to require authentication for Data API?

I know how to set up authentication for an API workflow, but I couldn’t figure out how to require authentication with a private key for a general data endpoint like this:

Is this possible? If not, is there another easy way to get json from a data type thru an API workflow?


Hi @iamhiding24, you’ll need to generate a key in Settings > API > Public API Endpoints

This key will allow the authorized user to access as an admin user, so you’ll want to make sure you have privacy rules set up in Data > Privacy.

Here’s some info about using the key in an API call to your data endpoints: Introduction - Bubble Docs

Gaby at Coaching No Code Apps (formerly Coaching Bubble)

Courses & Products, Tutorials, Private Coaching, and High-level Development

Start Learning Today :mortar_board:


@romanmg Thanks for the help. In the link you sent me (Introduction - Bubble Docs) I noticed it said: “You can also add your API Token directly in the URL for both the Workflow and the Data API as a querystring parameter api_token. This approach is not recommended as it is less secure.”

This is exactly what I needed, except it isn’t working. My url looks something like this:


I have tried it with “Listing2” being unchecked and also with “This app exposes Data Api” unchecked, and I get responses like this:

and this respectively:

Can you notice anything I’m doing wrong? Thanks in advance!

Check the box that says “This app exposes a Data API”

You do have the data types enabled, which is good, but you need to enable Data API overall.

But, if I enable “This app exposes a Data API”, anyone with the URL would be able to access the data. I only want the data to be accessible if the URL has the proper api_token.

Do I have to edit something in the privacy tab for my data types?

Actually I think I got it! I haven’t played around with roles yet so I didn’t know what they did.

1 Like

Yes, that’s exactly why I mentioned the Privacy tab earlier. If you expose for a key, you expose for everyone by default, so you need to create rules so that your data is locked down when accessed without the token. A good place to start would be creating rules for logged out users and users that aren’t related to the data types in question.

The API key bypasses these rules, so the rules are for “everyone else.”

1 Like

Thanks for your help!

I’m looking for a way to authenticate non-admin users so they could use Supermetrics to pull THEIR data only.

Any idea welcome :woozy_face:


Hi @philippe1 , did you find a way to do this?

Do you know how this would work for users that are using “Login with Social” + the Google plugin?
I’m trying to figure this out for some hours now and I’m stuck.