My name is Zoe, an engineer on our Editor team. We’ll be releasing a new Bubble version later today to address Admin API tokens.
In previous versions, privacy rules would not be ignored when using an API token. The only way for users with an API token to bypass the privacy rules when calling a backend workflow would be to enable “Ignore privacy rules” for the workflow. This could mean potentially exposing this data to other users without an API token as well.
Bubble version 30 makes it easier for admins with API tokens to test and use backend workflows. Now, users no longer need to enable “Ignore privacy rules” to bypass privacy rules when making an API call to a backend workflow. Using an API token gives an end-user full administrator access to your app’s database. This means that privacy rules are ignored and the client gets the same access level that an admin gets in the Bubble editor.
You can upgrade to the latest version in Settings > Versions.
As always, we welcome your feedback. Thanks for building on Bubble.
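To make the change in the announcement concrete, here is a small model of the access decision it describes, added as an illustration (this is not Bubble's own code; the "Task" data type, its privacy rule, the user names and the two version labels are constructed for the example). It compares the pre-30 behaviour, where only the workflow's "Ignore privacy rules" checkbox bypassed privacy rules, with version 30, where an Admin API token bypasses them on its own, and it shows why enabling the checkbox also exposes the data to callers without a token:

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: a "Task" type whose privacy rule is
# "only the creator may read it".
@dataclass(frozen=True)
class Task:
    id: int
    creator: str
    title: str

TASKS = [
    Task(1, "alice", "alice's private task"),
    Task(2, "bob", "bob's private task"),
    Task(3, "carol", "carol's private task"),
]

def task_privacy_rule(requester: Optional[str], task: Task) -> bool:
    """Privacy rule (constructed): the requester may read a task only if they created it."""
    return requester is not None and task.creator == requester

@dataclass(frozen=True)
class Request:
    caller: Optional[str]     # logged-in end user making the API call, or None
    has_admin_token: bool     # whether an Admin API token was presented

@dataclass(frozen=True)
class BackendWorkflow:
    name: str
    ignore_privacy_rules: bool   # the per-workflow "Ignore privacy rules" checkbox

def visible_tasks(tasks: List[Task], request: Request,
                  workflow: BackendWorkflow, version: str) -> List[Task]:
    """Return the tasks the backend workflow can read for this request.

    version == "pre-30": the token does not bypass privacy rules; only the
                         workflow's own "Ignore privacy rules" flag does.
    version == "30":     an Admin API token bypasses privacy rules by itself.
    """
    bypass = workflow.ignore_privacy_rules
    if version == "30" and request.has_admin_token:
        bypass = True
    if bypass:
        return list(tasks)
    return [t for t in tasks if task_privacy_rule(request.caller, t)]

def exposure_report(version: str) -> dict:
    """Number of tasks each kind of caller can read, for the given version."""
    flag_off = BackendWorkflow("list_tasks", ignore_privacy_rules=False)
    flag_on = BackendWorkflow("list_tasks", ignore_privacy_rules=True)
    token_call = Request(caller=None, has_admin_token=True)
    user_call = Request(caller="bob", has_admin_token=False)
    anon_call = Request(caller=None, has_admin_token=False)
    return {
        # admin token, checkbox off: the case the announcement is about
        "token/flag_off": len(visible_tasks(TASKS, token_call, flag_off, version)),
        # admin token, checkbox on: the pre-30 workaround
        "token/flag_on": len(visible_tasks(TASKS, token_call, flag_on, version)),
        # logged-in user without a token, checkbox off: privacy rules apply
        "user/flag_off": len(visible_tasks(TASKS, user_call, flag_off, version)),
        # no token at all, checkbox on: the workaround leaks every row
        "anon/flag_on": len(visible_tasks(TASKS, anon_call, flag_on, version)),
    }

if __name__ == "__main__":
    for v in ("pre-30", "30"):
        print(v, exposure_report(v))
```

Running it shows the two rows that matter: under "pre-30" a token call with the checkbox off reads nothing (0 of 3), so people turned the checkbox on, at which point an anonymous caller with no token also reads all 3 rows; under "30" the token call reads all 3 with the checkbox off, so the checkbox can stay off and the anonymous caller stays limited by the privacy rule.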
Sounds great and all, but it looks like today’s Bubble BW performance is degraded on the Main cluster, with API wf action failing to trigger and work properly with db changes.
Would be great to hear an update on the matter before upgrading and trying things out.
Thanks
Thanks @zoe1 . Relatedly, can we please have better scoping of API tokens? It shouldn’t be “full administrator editor access” or “nothing.” See Sendgrid’s API for how to scope out specific features. We don’t need that level of granularity but ideally we should be able to apply privacy rules to API tokens and at least control read/write access.
Hey @zoe1 was just looking at this and am… confused. I thought the behavior in Version 30 is always how Admin API Tokens worked.
I went back through the relevant manual article and even checked the Second Revision Ultimate Guide to Bubble Security (page 211), and they both described Admin API Tokens as working the way they do after version 30 (despite at least the Ultimate Guide being from 2023), i.e. that Privacy Rules were ignored regardless of backend workflow checkboxes, and that they behave like a user with the editor's permissions ("god mode").
So what actually changed here? Or is this some sort of Bug Fix to how API Tokens functioned in reality vs. intention?
You are correct, there is no actual announcement here. Backend workflows run via an API call with an Admin token always ignored Privacy Rules by default. This was explicit in the manual, and when testing it could be verified as the behavior.
I too am confused about the announcement, as it seems like nothing changed at all. @georgecollier @lindsay_knowcode @randomanon what is the change here? I know this was discussed just a couple of months ago, and the behavior has been that API tokens in BWFs triggered by an API call ignore privacy rules by default.
It used to be a thing, then it wasn’t, and this release fixes that, but is released as a separate version as it could cause existing workflows to ignore privacy rules when you might not want it to.
So it used to be normal functionality that when an API token was used in an API call for a backend workflow, privacy rules were ignored.
Then that functionality was broken with a new version release.
Then this new version release fixes the issue and restores the normal expected functionality: an API token used in an API call for a backend workflow means the backend workflow ignores privacy rules by default.