Is it safe to "Expose as public API workflow" for internal BWFs?


My issue is this:
All of my BWFs are set in this way (the default way):

My concern is about potential vulnerabilities of exposing publicly APIs that are only needed to be triggered from inside bubble’s editor

Is there any reason to expose these APIs publicly? For me, these are set to be exposed only because that was the defauly option (and I did not understand that well when I started building)

If I understand correctly, without the enabling to run this workflow without authentication no one will be able to call these APIs any way, so I wonder is its still needed to stop exposing all the APIs

So my question is this: whould I go throgh all of my BWFs and turn OFF the “expose as public”?

What potential vulunrabilites am I exposed to if I leave it as it is now?


Hey there,

Great question. Expose as public API workflow means that anyone who knows the URL can make a request to it via a HTTP request like GET or POST (using postman, for example). You are correct in assuming this is a security risk if you expose this as a public API workflow and check This workflow can be run without authentication.

When you select This workflow can be run without authentication, you are eliminating the requirement of sending over an Authorization header with the value “Bearer some-authentication-token”. For more information on this topic, I really recommend you read this article from the Bubble manual.

Risks from removing authentication as a requirement

  1. Returning sensitive data (obviously a big no-no) to someone who should not have access to it.
  2. Risk of someone running up your apps WU cost
  3. Risk of someone significantly slowing down your server, as a result of a DDOS attack

I’m not an expert on how DDOS attacks work, but I know that attackers can simulate a large amount of traffic to your site / any endpoints your site has and use up significant amounts of your CPU usage and slow down your site to the point of being unusable. This would also cost you a lot of money in WU, although Bubble would probably refund you if this ever happened (although this is of course never guaranteed, no matter what Bubble says on this topic).

Off topic:

If you want, I’m offering free 30 minute coaching on Bubble this month. Book a free call on if anyone is interested.


1 Like

Thanks for the detailed reply!

You’ve mentioned some risks if I remove the authentication from the endpoints - are those risks still relevant If I leave my endpoints as they are set up in the picture above (= exposed publicy & require authentication)?

What I acutally ask is:
Are there any secutiry differences between this API setup:

And this API setup:


@omerbialer1 , if the endpoint isn’t being used by anyone or yourself through calling the api url, just disable the public tick box.

This won’t affect any actions you’ve made in the bubble editor with ‘schedule an API workflow’

Perhaps this shouldn’t be enabled by default.

Hope that helps

1 Like