Both the Data API and the Workflow API can be set up to require the client to authenticate themselves in order for your app to determine what resources they are allowed to access. In simpler words, you can require all external systems that want to access your database and workflows to log in using a secret password.

The article in the link below explains how the bearer token is used to authenticate a client, regardless of the method you choose (except if you use no authentication).

The Bubble API: Authentication - How to authenticate

There are three different levels of authentication that you can set up in Bubble, each with their own pros/cons and security ramifications.

The articles below outline the three different authentication methods you can use:

The Bubble API: Authentication - No authentication

The Bubble API: Authentication - As a User

The Bubble API: Authentication - As an Admin

​
​​