Skip to main content
All CollectionsSecurity & ComplianceFlusk
How do I fix the Unprotected API Workflow issue flagged by Flusk?
How do I fix the Unprotected API Workflow issue flagged by Flusk?
Updated this week

Authentication in API Workflows

If a back-end workflow is publicly exposed, you have to define whether the asker needs authentication in order to run this workflow or not. Most of the time you will want to have authentication required on your workflows to avoid them being triggered by entities that are not supposed to (hackers most of the time). So uncheck this box as often as possible, except if it is necessary for your business logic.

Adding Authentication to Webhooks

If you disabled this checkbox, it might be because this endpoint will be triggered by a 3rd-party service when a specific event happens.

But this is not a reason not to add authentication!

Let's suppose you're using Stripe and you want Stripe to send you a webhook whenever a User cancels its subscription (it will work with any 3rd-party service, but I'll take Stripe as an example). Inside your Stripe dashboard, you'll configure a webhook with the following destination address:

https://yourappid.bubbleapps.io/version-live/api/1.1/wf/your-endpoint

Below, we explain how to add authentication even if Stripe doesn't give you the possibility to add custom headers to webhooks.

Create a Bubble API Token

First step is going to your Bubble app editor and navigate to "Settings > API". You will see a button called "Create a new API Token".

Click it, and name it with the name of the according 3rd-party service you want to give authentication to.

Once this is done, copy your private key and create your new webhook URL which will be the following:

https://yourappid.bubbleapps.io/version-live/api/1.1/wf/your-endpoint?api_token=XXX

With 'XXX' being equal to the API Key you just generated.

All good, you can now uncheck the "This workflow can be run without authentication" checkbox!

Solution

To fix this issue, uncheck this box if it is not necessary for your business logic. If it is, you can simply ignore this issue.

Did this answer your question?