Hello,
I want users to input their own API key.
Since the authentication is made via Bearer API-KEY, I’d need to set the key in the header as a variable.
Picture here:
How do I do this?
Untick ‘Private’.
1 Like
Okay I got it thanks.
But by unticking it will the key be exposed somehow? Is it still safe like before?
A long time ago I wondered the same thing, the vocabulary is a little worrying, but what it actually means to uncheck “Private” is to allow that field to be visible from the Bubble Editor. In other words, it means you can access this field in workflows (as well as other places)
That answers your question. Allow me to add the following…
Are you asking for people’s API keys for some 3rd party service and exposing this to your Bubble app? If that’s the case, you must proceed with excess caution You should make absolutely sure that whatever workflow is taking that API key as a source should be 100% run on the client side. If that ever enters your server and stored (Even temporarily. It’s existence in server logs counts) then you’re going to run into trouble if ever you’re audited for PII compliance. Furthermore, if your app ever gets breached and even one person’s API key gets exposed, well - it would be really bad
See these links:
Note: I’m not exactly sure what law or regulation a leak of an API key would break, but it’s definitely something you want to avoid even appearing in your logs
1 Like
I understood that whatever workflow that is taking the API key as a source should be run on the client side (I believe that’s a paid feature for Bubble, right?), but can I store the API keys in the database? I can’t expect user to input the API key every time they want to use the service.
Thanks for the other resources!
1 Like
Hoke…
I would 10000% say do NOT store the api keys… in fact most api services would highly discourage such a practice
You are opening yourself to a lot of trouble (and hurt!)
1 Like
ok… then I need to find a way to use the keys without storing them. Are you able to point me out to any resource? Thanks!
The point is you should NOT store people’s api keys , in other words you should not have access to them. You should ask for it every time. From my experience, this is a bad idea
Okay, I got it, I will ask users to input it every time.
By using backend workflows will the data be 100% secure?
That’s just my experience and two cents for you. Maybe someone knows a good way to do this but I don’t, unfortunately. Personally I’d stay away from that
New question: can I at least save it as the state of some element? So that the user doesn’t have to input the key multiple times in the same session.
1 Like
Yes that is okay because it’s not coming in contact with your server 
1 Like
Nothing is 100% secure, so that’s why I believe storing something such as an unencrypted API key in your database, is a bad idea
1 Like
Nice! Thank you
1 Like