Security Question with Streaming

Hi Team.

I love the streaming capabilities now being native in Bubble. I think it was important to add this capability.
I have an app that is streaming data from Open Router (does not matter could be any provider).

However, I have a security question, as I am not a security expert and want to avoid showing my API keys in the front end to end users.

Will using the streaming functionality in the front end, like the below/above, show my API key to end users? Sorry for the simplicity of the question, but I always put every API call in the backend workflows, and I am scared of this functionality. I could not find an explanation in the documentation.

I don't think stream calls are different. Normally, the API call will be processed server side, so there's no security problem there. However, why did you select Shared header instead of Authentication: Private key in header?


Meh, much the same.

@adrien.charles75 yeah, your API key is protected when in a shared header or when 'private' is checked.

Keep in mind your system prompt will be client side.


Thank you Jici for the quick reply! Appreciate your help.

Oh ok, so even if I make a direct API call in my front end, with an API key in the header, it will be processed 'in the backend' by Bubble and will not be visible to end users? And the streaming functionality should behave the same.

Even when looking for the API call with the developer tools in my browser, I won't be able to find the header of the request and the API key?

If that is the case, then Bubble's security is even better than I thought!

Anything in the API Connector marked 'private' or in a shared header is server side.

Everything (everything) else in the API Connector or workflow tab in a frontend page/reusable is public.

If you want to see what is client side, go to the browser console and type 'app' and press enter.

Thank you everyone, this is clear. Hopefully it will help someone else one day. Love this community and platform. :smiling_face_with_three_hearts:


Any API call that contains headers or parameters is processed server side. If there's no header and no parameters, Bubble will give you the option to process the API call client side, but you need to enable the checkbox for that.

As for the data itself, like @georgecollier says, a dynamic value (not set as private) is public even if the call itself is processed server side (Bubble will send your request with the "not private" value from client to server; this can be found in the browser console).

Keep in mind that this doesn't mean it is not secure. In most cases the data sent from client to server belongs to the current user (if you have set privacy rules correctly).

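The visibility rules the replies above describe (shared headers and 'private' fields stay server side; every other header or parameter, including its placeholder value, is public; a call with no headers or parameters may run client side) can be turned into a small pre-flight check. The following is an added example written for this thread, not Bubble's own code: it models those rules over a hand-written description of an API Connector call and reports which values would be visible in the browser. The field names used here (isPrivate, clientSide, triggeredFrom) and the credential-detection patterns are this example's assumptions, and the sample call and its key are constructed placeholders.

```javascript
// Added example (not Bubble's own code). Models the API Connector visibility rules
// described in this thread. Assumptions taken from the replies:
//   * shared headers, and any header/parameter ticked "private", stay server side
//   * every other header/parameter is public: its placeholder (sample) value is in
//     the client bundle, and its runtime value travels browser -> server when the
//     call is triggered from a frontend page or reusable element
//   * a call with no headers and no parameters may run client side if that option
//     is enabled, in which case nothing about it is hidden
// The field names (isPrivate, clientSide, triggeredFrom) are this example's, not Bubble's.

// Header names and value shapes that usually carry a credential. Heuristic only.
const CREDENTIAL_NAME = /^(authorization|x-api-key|api[-_]?key|x-auth-token)$/i;
const CREDENTIAL_VALUE = /^(bearer\s+\S+|sk-[A-Za-z0-9_-]{8,}|AKIA[0-9A-Z]{16})/i;

function looksLikeCredential(field) {
  return CREDENTIAL_NAME.test(field.key) || CREDENTIAL_VALUE.test(String(field.value || ""));
}

// call = {
//   sharedHeaders: [{ key, value }],
//   headers:       [{ key, value, isPrivate }],   // value = placeholder/sample value
//   parameters:    [{ key, value, isPrivate }],
//   clientSide:    boolean,                       // the "run client side" checkbox
//   triggeredFrom: "frontend" | "backend",        // where the workflow action lives
// }
function auditApiConnectorCall(call) {
  const shared = call.sharedHeaders || [];
  const fields = [
    ...(call.headers || []).map((f) => ({ ...f, where: "header" })),
    ...(call.parameters || []).map((f) => ({ ...f, where: "parameter" })),
  ];

  // With any header or parameter present the call is processed server side;
  // only a bare call can be switched to client side via the checkbox.
  const processedServerSide = shared.length + fields.length > 0 || !call.clientSide;

  const serverOnly = shared.map((h) => ({ where: "shared header", key: h.key }));
  const clientVisible = [];
  const exposedCredentials = [];   // credential-looking values in a public field
  const publicPlaceholders = [];   // non-empty sample values that ship to the client

  for (const f of fields) {
    if (f.isPrivate) {
      serverOnly.push({ where: f.where, key: f.key });
      continue;
    }
    clientVisible.push({ where: f.where, key: f.key });
    if (looksLikeCredential(f)) exposedCredentials.push(f.key);
    if (f.value !== undefined && String(f.value) !== "") publicPlaceholders.push(f.key);
  }

  // Runtime values of public fields reach the browser only when the call is fired
  // from the frontend; from a backend workflow the expression result stays hidden,
  // although the placeholder value above is still public either way.
  const runtimeValuesVisibleInBrowser = !call.triggeredFrom || call.triggeredFrom === "frontend";

  return { processedServerSide, serverOnly, clientVisible, exposedCredentials, publicPlaceholders, runtimeValuesVisibleInBrowser };
}

// Constructed sample: an OpenRouter-style streaming call as it might be set up in
// the API Connector. The key in the shared header is a placeholder, and "api_key"
// as a public parameter is the mistake this check is meant to catch.
const sampleCall = {
  sharedHeaders: [{ key: "Authorization", value: "Bearer sk-or-PLACEHOLDER" }],
  headers: [{ key: "Content-Type", value: "application/json", isPrivate: false }],
  parameters: [
    { key: "prompt", value: "Say hello", isPrivate: false },
    { key: "api_key", value: "sk-PLACEHOLDER-leaked-1234", isPrivate: false },
    { key: "model", value: "", isPrivate: true },
  ],
  clientSide: false,
  triggeredFrom: "frontend",
};

function printReport(call) {
  const r = auditApiConnectorCall(call);
  console.log(`processed server side: ${r.processedServerSide}`);
  console.log(`server side only:      ${r.serverOnly.map((x) => `${x.where}:${x.key}`).join(", ") || "(none)"}`);
  console.log(`visible to client:     ${r.clientVisible.map((x) => `${x.where}:${x.key}`).join(", ") || "(none)"}`);
  console.log(`credential in public:  ${r.exposedCredentials.join(", ") || "(none)"}`);
  console.log(`public placeholders:   ${r.publicPlaceholders.join(", ") || "(none)"}`);
  console.log(`runtime values in browser: ${r.runtimeValuesVisibleInBrowser}`);
  return r;
}

printReport(sampleCall);
```

Running it on the constructed sample flags `api_key` as a credential sitting in a public parameter and lists the three non-empty placeholder values that would be in the client bundle, while the shared Authorization header and the private `model` parameter are reported as server side only.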

Welcome to the forum!


This is only true for this case, right? (Front end client side action)

If everything is in a backend workflow, that dynamic value (which needs to be set to public) will be 100% hidden even though it's listed as "public" in the API Connector.

Right.


The result of your expression is private, yes, but not the sample value that's used as the placeholder.

Yeah, I always delete the placeholder.