Token exposed in oAuth2 Call?

In the security dashboard, the Auth2CustomToken field says the token is exposed on the client side. Is that true? I checked some network requests and it always shows as doapicallservers, but only the parameters I sent to that request.

This depends on how you set things.
Dynamic parameters are sent to the backend WF with the doapicallservers and are available client side before this. If you have set your parameters to private, they are not sent client side. If there’s private data sent in dynamic parameters, this should be protected by privacy rules to only allow access to this data to the owner of this data.

A good example where this is important is when you dynamically set the auth token like “Current user’s token”. This is available client side. BUT, if you have set privacy rules correctly, this should only be available to the owner of this token. So there’s no security issue.

If you need to use an “on behalf” user token to access API data (user A needs to access data from user B’s API) and you are dynamically setting this token, you should use a backend WF to keep this secure at this moment.

But how do you set them as private? I can’t in my collection.

If you use custom token oauth2, this will be added by Bubble automatically and you don’t need to set anything. This will be done on the server side only and nothing on the client side for this kind of auth.

Also, in addition to @Jici, here are some things we should always check when using keys. Someone can correct me if I’m wrong. @Jici might have already said this too. :blush:

  1. Check that the API call is not a GET, I think it gets exposed this way.

  2. Also, in the API Connector, if it’s not private, make sure to remove it from there to ‘sanitize’ it so it’s not exposed.

  3. Sometimes there is an issue with the wrong API key in the wrong place.

Also, I don’t normally set up calls with OAuth2 Custom Token. I handle them via ‘none or self-handled’ and then check the privacy myself.

When you say it is handled automatically, do you mean all parameters are set as private by default?

The request is a login using POST. I’m not using the calls, but the collection.

It doesn’t change anything if this is a GET or a POST.

Agree

It’s more than that: the call to get the token is done on the server side first and added to the API call as an authorization header, also on the server side. So everything is done on the server side and this way they are private.

Maybe not in this situation, but for some reason there were warnings in the Security Dashboard when I had some API calls as a GET instead of a POST. :man_shrugging: You are probably right though @Jici. :blush:

Yes, the Security Dashboard often mentions some possible security issues, more often I think with GET, but in most cases they are not true. But everything from the security dashboard should be checked to validate there’s no issue.

I think the security dashboard wrongly flags the calls under the oAuth2Custom token too, because it says the URLs should be private, but checking requests they are protected the same as the request to log in and use the collection; only parameters are shown. @Jici Thanks for the help @J805

If something is being flagged wrong, you can let Bubble support know so they can improve the security dashboard. :blush:

I forgot that one case linked to “DATA” settings with none or oauth2 user agent flow can have an issue by bypassing privacy rules (but it’s not related to GET, but to DATA type). In most cases this is not an issue, but if you are calling an API with your own API key and not using a header but parameters, this could be an issue.

That makes sense. That’s probably what it was. :blush:

The Auth2CustomToken being flagged in the security dashboard usually just means the token is accessible client-side via Bubble’s state/data exposure — not necessarily that it’s visible in network requests. Since you’re seeing doApiCallServer in the network tab, the actual API call is server-side, which is good.

The flag is more about whether the token value could be read from the page state or returned data. A few things worth checking:

  1. Is the token stored in a field on a data type that’s exposed to the client (e.g., in the current user’s record)?
  2. Are you returning the token value anywhere in a response that gets displayed or stored client-side?

If the token only lives server-side and you’re never surfacing it in the UI or a client-accessible field, you’re likely fine despite the warning. What data type/field is Auth2CustomToken stored on?

  1. No token, the token is protected in the API call.

  2. Tokens do not return to the frontend as far as I can see.

A different question: about the parameters, can I change them if they are sent using the Get External Data API? Like intercepting it and changing a parameter like ‘company_product’? I tried doing that, but doing this only returned the values using the parameter set before for that, from the user.

I thought frontend parameters could be changed in any kind of call, but I always receive the same payload.

@letsbuidmyapp