Skip to main content
What is User authentication?
How to set up User authentication
How long is the token valid?
Without 2-factor authentication
With 2-factor authentication
Revoking a token
Restricting a client's privileges
All CollectionsUser ManualIntegrationsAPI
Bubble API: Authentication - As a User
Bubble API: Authentication - As a User

This article covers how to authenticate an API client as a user logged in to your application, protecting your data with Privacy Rules.

Jeff Thill avatar
Written by Jeff Thill
Updated over 3 weeks ago

What is User authentication?

User authentication means that the client making the request is authenticating as a User, which means that we can determine what they are authorized to access using Privacy Rules, just like our regular app Users.

This is the method that offers the highest level of security and flexibility since it allows you to provide different Privacy Rules based on who the client is.

How to set up User authentication

In principle, logging a client in as a User happens in the same way that you log in a regular User in your app, except that the action needs to happens in an API Workflow. When you log in a User, Bubble can return a token that can be used to authenticate in subsequent calls.

  1. Create an API Workflow with a fitting name such as generate-api-token.

  2. Use the Log the User in action or Sign the user up action to log in or create a new User. For the Log the User in action you will need to provide an email and a password.

  3. If successful, Bubble will automatically respond with a token that can be used as a Bearer token in subsequent call.

If you log a user in with an action in an API Workflow, Bubble will respond with a token that can be used to authenticate the client in subsequent requests. In the example above we are accepting the email and password as parameters in the API Workflow.

How long is the token valid?

The token has to different validities depending on your settings.

Without 2-factor authentication

  • If you set Keep the user logged in to "yes", the token has a validity of 12 months.

  • If you set Keep the user logged in to "no", the token has a validity of 24 hours.

With 2-factor authentication

  • If you set Keep the user logged in to "yes", the token has a validity of 1 month.

  • If you set Keep the user logged in to "no", the token has a validity of 24 hours.

Revoking a token

There are two ways to revoke a token after it has been generated:

  • You can call a Log the User out action from the client that uses the relevant token.

  • You can use the Log out other user's sessions to sign a User out from every session except for the one they are running the workflow from.

Restricting a client's privileges

There are two ways to restrict the access level and privileges of a client that's using a user token:

  • Privacy Rules: your main level of protection is setting up privacy rules that match the User that is signed in and control their access to find, read, create, edit and delete data through the API.

  • Conditions: on API Workflows you can set up Conditions that restrict the triggering of the workflow based on fields saved on the User. This will apply to clients who are sending a request with a user authentication token.

Related Articles
Bubble API: Authentication
Bubble API: Authentication - How to authenticate
Bubble API: Authentication - As an Admin
Bubble API: Data API - Privacy Rules
The Data API: Authentication
Did this answer your question?