How to set up a personal access token experience for Data API

I have a use case to create API keys to let users access the data programmatically through the Data API. I am having trouble figuring out the best way to achieve this given the limitations of the Login User in action.

On other platforms, this is usually called a “personal access token” and the flow is pretty standard: 1) you click add a new token/key/etc., 2) the platform says we can only show you this token once, 3) you copy and paste it into whatever 2nd platform you will use or API call as appropriate. Sometimes the tokens have an expiration date, and almost always there’s a button for revoking the token. You can always see the keys that you’ve created (but not the actual token value). This for me is the standard “personal access token” experience that I am trying to replicate on Bubble.

According to the Bubble documentation, you need to schedule an API workflow that logs the user in and returns a token. However, the following limitations apply:

  • Different max duration depending on whether or not the app has 2FA (1 mo vs 12 mo)
  • Unused tokens automatically expire after 30 days, or they are extended for another 30 day period. From the manual: “To prevent the token from expiring, you can send a simple no-op workflow request to the API to keep it active.”
  • Revoking a token is done by logging a user out of either the client using the token or all their sessions.

The issues that I have with this (if I am understanding this all correctly) are that I want:

  • Revoking a token to be isolated and independent from the User’s session status or the client.
  • Not to have to schedule workflows to prevent the tokens from auto expiring once every thirty days.

If you have set up a personal access token experience in an app, how did you get around these limitations? Do you essentially have to build the system out by hand and JWT it yourself?

Thanks in advance!

Here are the forum topics I read as background research:

https://forum.bubble.io/t/getting-log-in-user-token/240773/2

https://forum.bubble.io/t/how-to-get-the-current-logged-in-users-token/82019

https://forum.bubble.io/t/does-bubble-support-sharing-access-tokens-for-logged-in-users/319724/2

https://forum.bubble.io/t/allow-logged-out-user-access-with-a-token/351618

https://manual.bubble.io/help-guides/integrations/api/the-bubble-api/authentication/as-a-user

https://forum.bubble.io/t/return-data-from-api-workflow/130114/4

Why don’t you create a “token” yourself?

Create a data type for storing keys (use a library/plugin to hash values before saving).

Then create endpoints, which would be backend workflows that allow users to retrieve data. For each request you can check the keys and return data accordingly.
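Added example, not part of the thread and not Bubble code: a Python sketch of the self-managed approach suggested in the reply above (store only a hash of the key, check it on every request), with the per-token revocation and optional expiry the question asks for. The `pat_` prefix, the field names and the in-memory `TOKENS` store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# In-memory stand-in for the "key" data type; a real app would persist these rows.
TOKENS = {}  # key_id -> record; the plaintext secret is never stored

def _digest(secret):
    # The secret is 256 random bits, so plain SHA-256 suffices (no slow password hash).
    return hashlib.sha256(secret.encode()).hexdigest()

def issue_token(user_id, label, ttl_seconds=None, now=None):
    """Create a token; the returned plaintext is shown to the user exactly once."""
    now = time.time() if now is None else now
    key_id = secrets.token_hex(8)        # public lookup handle, hex only
    secret = secrets.token_urlsafe(32)   # the part that must stay secret
    TOKENS[key_id] = {
        "user_id": user_id, "label": label, "hash": _digest(secret), "revoked": False,
        "expires": None if ttl_seconds is None else now + ttl_seconds,
    }
    return f"pat_{key_id}_{secret}"

def list_tokens(user_id):
    """Metadata for a settings page: neither the secret nor its hash is exposed."""
    return [{"key_id": k, "label": r["label"], "expires": r["expires"],
             "revoked": r["revoked"]}
            for k, r in TOKENS.items() if r["user_id"] == user_id]

def revoke_token(user_id, key_id):
    """Revoke one token; the owner's sessions and other tokens are untouched."""
    rec = TOKENS.get(key_id)
    if rec is None or rec["user_id"] != user_id:
        return False
    rec["revoked"] = True
    return True

def authenticate(presented, now=None):
    """Return the owning user_id for a valid token, otherwise None."""
    now = time.time() if now is None else now
    parts = presented.split("_", 2)      # the secret itself may contain "_"
    if len(parts) != 3 or parts[0] != "pat":
        return None
    rec = TOKENS.get(parts[1])
    if rec is None or not hmac.compare_digest(rec["hash"], _digest(parts[2])):
        return None
    if rec["revoked"] or (rec["expires"] is not None and now >= rec["expires"]):
        return None
    return rec["user_id"]
```

Each backend endpoint would call the equivalent of `authenticate` first and then apply its own data filtering for the returned user, since the built-in privacy rules are not evaluated for this custom key.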

So that’s what I am considering doing, but it just feels to me like a waste of the built-in Data API + Privacy Rules if effectively you can only use it either Publicly or with the Admin API Token because you have to create custom backend workflows for the Authenticate as User use case.

The documentation says there is a deliberate way to Authenticate as User for the Data API, but these limitations make it prohibitive in practice for a personal access token experience.

So I’m looking to confirm that there’s nothing I am missing here, and that in fact everyone just creates their own system by hand.

Thanks for the reply!