As an admin

This section covers how to authenticate API clients making incoming requests with full administrative access using a Bubble API token.


What is token authentication?

Token authentication means that the client making a request authenticates with a token that has been generated under Settings - API using the Generate a new API token button.

This gives the client unrestricted access to the database.

Token authentication gives the client the broadest possible access to your database and API workflows. It should be used with caution.

How to set up admin authentication

To set up admin authentication, navigate to Settings - API and scroll down to the button that says Generate a new API token.

When you click the button, Bubble will generate a unique, cryptographically secure 32-character string that serves as the token for any API requests that you want to make. You can create multiple tokens if you have more than one external system connecting to your application. We recommend creating one token per system so that you can revoke them one-by-one if needed.

The token is the same in all versions of your app, but any change made to it (including creating and deleting a token) needs to be deployed before it takes effect.

What privileges does admin authentication give?

In principle, it gives the same privileges as an admin would get in the Bubble editor, which means there are no limitations to what you can search for, view, create, edit and delete in the database, and you can run all API workflows.

There are a few exceptions:

  • In the Data API, only data types that you have will be accessible

  • In the Workflow API, only Workflows that have the box checked will be accessible

Labelling admin authentication

Each token you create can have its own label to be easily identifiable. We recommend giving each one a label that clearly indicates what the token is used for. The label does not affect the functioning of the token in any way and is not visible to the client or in your application's client-side code.

Revoking an admin authentication token

To revoke a token, scroll to the relevant token and click the delete icon in the upper right corner.

  • There is no warning message – the token is deleted by a single click

  • You cannot undo this action

  • The change does not apply to your Live version until you deploy
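Because a deleted token keeps working in Live until you deploy, it is worth confirming that the revocation has taken effect. The following check is an added example, not code from Bubble: it probes the development and Live versions with the revoked token and reports whether each still accepts it. The Bearer header format, the Data API paths, the treatment of HTTP 401/403 as rejection and the environment variable names are assumptions that do not appear on this page.

```python
import os
import urllib.error
import urllib.request

# Assumptions (not stated on this page): the token is sent as
# "Authorization: Bearer <token>", and the Data API is served under
# /version-test/api/1.1/obj/ (development) and /api/1.1/obj/ (Live).
PATHS = {"development": "/version-test/api/1.1/obj/", "live": "/api/1.1/obj/"}


def http_status(url, token, timeout=10):
    """Send an authenticated GET and return only the HTTP status code."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Map a status code to a verdict for a token that should be revoked."""
    if 200 <= status < 300:
        return "STILL ACCEPTED"
    if status in (401, 403):
        return "rejected"
    return f"inconclusive (HTTP {status})"


def check_revocation(base_url, data_type, token, fetch=http_status):
    """Probe both app versions with a token that should no longer work.

    Use a data type that is not readable without authentication,
    otherwise a 2xx response says nothing about the token.
    """
    if len(token) != 32:
        raise ValueError("expected a 32-character token")
    base = base_url.rstrip("/")
    return {version: classify(fetch(base + path + data_type, token))
            for version, path in PATHS.items()}


if __name__ == "__main__":
    # Hypothetical variable names; the token is never hard-coded or printed.
    verdicts = check_revocation(os.environ["BUBBLE_APP_URL"],
                                os.environ["BUBBLE_DATA_TYPE"],
                                os.environ["BUBBLE_REVOKED_TOKEN"])
    for version, verdict in verdicts.items():
        print(f"{version}: {verdict}")
```

A result of "rejected" for development and "STILL ACCEPTED" for live means the token was deleted in the editor but the change has not been deployed yet.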

How long is the token valid?

An admin token is valid until it is revoked.
