🛡️ How to Secure a Public API Workflow (Ignore Authentication) to Prevent Spam?

Hi everyone,

I’m currently building an API workflow on Bubble that allows users to submit problem reports from a Flutter Flow frontend.

To support users who are not logged in, the endpoint is currently set with “Ignore authentication” enabled. This works functionally — but I’m concerned about potential abuse or spam, since anyone can call this endpoint freely.

👉 I’m looking for advice or best practices on how to secure this public API without requiring login.

Specifically:

Is it safe to use a custom header (like x-app-token) and check it in workflow conditions?

Are there better approaches to authenticate lightweight client apps without full Bubble login?

Can we apply any rate limiting, CAPTCHA, or basic spam protection on such endpoints inside Bubble?

Is a middleware API (e.g. proxy server that holds a secret key) the best way to keep the actual Bubble logic safe?

If you’ve faced a similar situation or have a go-to strategy for securing “unauthenticated” API workflows, I’d love to hear your thoughts.

Thanks in advance 🙏

I guess the solution goes through requiring authentication for all calls coming from FF.

You shouldn’t use an app-level API token though, as this bypasses all Privacy Rules.

I think the best approach is authenticating the whole FF app with a user-level API token. This goes through creating a new User just for the FF app, so that you can define specific permissions for that user.

You should define an extra API workflow, public, with ignore authentication option checked, receiving the credentials and returning the user-level API token resulting from a Log the user in action.

Then you set your target API Workflow so that it requires authentication. All FF calls should now go with that user-level API token to be accepted.

Just as a reminder, unchecking the ignore authentication option doesn’t protect the endpoint completely because an attacker could just create a user in your Bubble app and use the user-level API token to access the endpoint. All you can do is protect data with Privacy Rules so that only certain users with permissions (whose granting is properly managed in the app) can access certain data.
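As an added illustration (not part of the original thread, and not Bubble’s or FlutterFlow’s own code) of the middleware option raised in the question and the user-level-token flow described in the reply: a minimal proxy that sits between the FF app and the Bubble workflow. It keeps the user-level token server-side (a header constant shipped inside a mobile app can always be extracted, so an `x-app-token` checked in a workflow condition only filters accidental traffic), enforces a per-client sliding-window rate limit, and validates the report before forwarding it. The Bubble workflow URL shape, the app name, the field names and all function names are assumptions; the token value is a placeholder.

```python
"""Proxy for a public 'submit report' workflow: rate limit + validate + forward.

Added example, not Bubble's or FlutterFlow's code. The URL shape, app name,
field names and helper names are assumptions; the token is a placeholder.
"""
import json
import time
from collections import deque
from typing import Callable, Deque, Dict, Tuple

# Placeholder: the user-level API token returned by the public "log the user
# in" workflow described in the reply. It is stored only on this proxy host.
BUBBLE_USER_TOKEN = "PLACEHOLDER_USER_LEVEL_TOKEN"
# Assumed URL shape of a Bubble workflow API endpoint; app and workflow names
# are hypothetical.
BUBBLE_WORKFLOW_URL = "https://example-app.bubbleapps.io/api/1.1/wf/submit_report"

REQUIRED_FIELDS = ("title", "description")   # assumed report schema
MAX_DESCRIPTION = 2000                         # assumed size cap


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds per client key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: float) -> bool:
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # drop timestamps outside window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def validate_report(payload: dict) -> Tuple[bool, str]:
    """Reject malformed or oversized reports before they ever reach Bubble."""
    for field in REQUIRED_FIELDS:
        value = payload.get(field)
        if not isinstance(value, str) or not value.strip():
            return False, f"missing or empty field: {field}"
    if len(payload["description"]) > MAX_DESCRIPTION:
        return False, "description too long"
    return True, ""


def handle_report(client_ip: str, body: str, limiter: SlidingWindowLimiter,
                  forward: Callable[[str, dict, dict], Tuple[int, dict]],
                  now: float = None) -> Tuple[int, dict]:
    """Process one inbound request; returns (http_status, json_body).

    `forward(url, headers, payload)` performs the outbound call; it is injected
    so the handler can be exercised offline.
    """
    now = time.time() if now is None else now
    # Rate limit first, so junk requests still consume the client's budget.
    if not limiter.allow(client_ip, now):
        return 429, {"error": "rate limited"}
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"error": "invalid JSON"}
    if not isinstance(payload, dict):
        return 400, {"error": "expected a JSON object"}
    ok, reason = validate_report(payload)
    if not ok:
        return 400, {"error": reason}
    # Forward only the whitelisted fields; the token is attached here and
    # never appears in the client app.
    outbound = {field: payload[field] for field in REQUIRED_FIELDS}
    headers = {
        "Authorization": f"Bearer {BUBBLE_USER_TOKEN}",
        "Content-Type": "application/json",
    }
    return forward(BUBBLE_WORKFLOW_URL, headers, outbound)


def forward_with_urllib(url: str, headers: dict, payload: dict) -> Tuple[int, dict]:
    """Real forwarder using only the standard library (not exercised offline)."""
    import urllib.request
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.getcode(), json.loads(resp.read().decode() or "{}")
```

In production the proxy would also want an input-size limit on the raw body and a CAPTCHA or similar challenge on the client side for repeat offenders; the point here is that the only credential able to trigger the Bubble workflow lives on the proxy, and Privacy Rules on the Bubble side still decide what that user-level token may touch.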