If I am calling one of my backend WFs from Zapier based on certain conditions, and I have already connected my Bubble app to Zapier, do I still have to check “Expose as a public API workflow” on the backend WF so that it can be called?
Also, if I have a backend WF which is called from within the Bubble editor, like if it is a scheduled job, can I uncheck “Expose as a public API workflow”?
Can someone tell me in what scenarios I have to enable “Expose as a public API workflow”, what precautions I have to take when this is enabled, and in what scenarios I can disable it?
I’ve never used Zapier, perhaps because I’m cheap, but since I started on Bubble, I have not come across a real need to use Zapier, so with that said, I’m not sure about anything that has to do with Zapier.
But my understanding of Bubble is that for a backend workflow to be available as a webhook endpoint, you do need to make it public.
Yes
Ones in which you want other apps to be able to trigger the backend workflow, so for the most part, when it acts as a webhook endpoint or another situation in which another app/program must trigger the backend workflow.
In terms of precautions, just make sure you use privacy rules on sensitive data, and have API tokens so that you can confirm authorization if necessary. I’m not sure there is much else to consider, but perhaps @georgecollier has some other pointers regarding the security of a backend workflow and expose as public.
Keep in mind using an admin API token doesn’t automatically check a user is authorized to do something. This refers to authentication and an admin API token is one way of authenticating, but any logged in user can authenticate with the public backend workflow without an admin API token.
No, because just because you have access to a piece of data via privacy rules doesn’t mean you should be able to arbitrarily call a backend workflow on it (e.g. if I can see a User, it doesn’t mean I should be able to run the delete-user backend workflow).
One of the ways I go about managing public APIs for my Bubble backend is a “nonce” parameter that goes with an API key.
The nonce will act as a secret for specific workflows. So all exposed API workflows will require a nonce from the client even if it gets called with an API key.
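To make the authentication-versus-authorization point and the per-workflow nonce idea concrete, here is an added Python example; it is not from the thread or from Bubble, and it models the checks as a gatekeeper sitting in front of exposed backend workflows. The token values, header names, workflow names and role names are constructed assumptions.

```python
import hmac
from dataclasses import dataclass

# Constructed sample data (not real credentials): token -> (principal, role).
# Holding a valid token only tells us WHO is calling (authentication).
API_TOKENS = {
    "tok_admin_example": ("ops-admin", "admin"),
    "tok_user_example": ("user_42", "user"),
}

# Constructed per-workflow configuration: each exposed workflow has its own
# secret "nonce" (as in the post above) plus the roles allowed to run it.
WORKFLOWS = {
    "send_notification": {"nonce": "n_notify_example", "roles": {"user", "admin"}},
    "delete_user":       {"nonce": "n_delete_example", "roles": {"admin"}},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def _ct_eq(a: str, b: str) -> bool:
    # Constant-time comparison so token/nonce checks do not leak via timing.
    return hmac.compare_digest(a.encode(), b.encode())


def check_request(headers: dict, workflow: str) -> Decision:
    # 1. Authentication: which principal presented a valid API token?
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    identity = None
    for known, who in API_TOKENS.items():   # no early exit: uniform timing
        if _ct_eq(known, token):
            identity = who
    if identity is None:
        return Decision(False, "unauthenticated")
    # 2. The workflow must be one we deliberately exposed.
    wf = WORKFLOWS.get(workflow)
    if wf is None:
        return Decision(False, "unknown workflow")
    # 3. Per-workflow nonce: a leaked API token alone is not enough.
    if not _ct_eq(wf["nonce"], headers.get("X-Workflow-Nonce", "")):
        return Decision(False, "missing or wrong workflow nonce")
    # 4. Authorization: being a valid user (who may even be able to SEE the
    #    record) does not mean this user may run e.g. delete_user.
    principal, role = identity
    if role not in wf["roles"]:
        return Decision(False, f"{principal} is authenticated but not authorized")
    return Decision(True, f"{principal} may run {workflow}")
```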