Skip to main content
RapidDev - Software Development Agency
bubble-integrationsBubble API Connector

CoStar

CoStar is the Bloomberg of commercial real estate data — enterprise-gated, contract-licensed, with no self-serve developer portal. Before any API call is possible, you must contact CoStar sales at api.costar.com and receive an approved enterprise license. Once approved, Bubble's API Connector holds CoStar credentials in Private headers and proxies all property search, comparables, and market analytics calls server-side. While waiting for approval, build your Bubble prototype using ATTOM Data Solutions, which has instant self-serve API access.

What you'll learn

  • How to initiate and navigate the CoStar enterprise API approval process
  • How to use ATTOM Data Solutions as a prototype stand-in while awaiting CoStar access
  • How to configure the Bubble API Connector with CoStar's Private credentials and server-side proxy
  • Why Bubble privacy rules are both a licensing requirement and a technical necessity for CoStar data
  • How to build a property search workflow with submarket, property type, and size filters
  • How to cache CoStar API responses in Bubble's database to minimize licensed-data API calls
Book a free consultation
4.9Clutch rating
600+Happy partners
17+Countries served
190+Team members
Advanced20 min read4–6 hours of Bubble configuration (plus days–weeks for CoStar enterprise approval)Real Estate & IndustryLast updated July 2026RapidDev Engineering Team
TL;DR

CoStar is the Bloomberg of commercial real estate data — enterprise-gated, contract-licensed, with no self-serve developer portal. Before any API call is possible, you must contact CoStar sales at api.costar.com and receive an approved enterprise license. Once approved, Bubble's API Connector holds CoStar credentials in Private headers and proxies all property search, comparables, and market analytics calls server-side. While waiting for approval, build your Bubble prototype using ATTOM Data Solutions, which has instant self-serve API access.

Quick facts about this guide
FactValue
ToolCoStar
CategoryReal Estate & Industry
MethodBubble API Connector
DifficultyAdvanced
Time required4–6 hours of Bubble configuration (plus days–weeks for CoStar enterprise approval)
Last updatedJuly 2026

Building a Commercial Real Estate Data App with CoStar and Bubble

CoStar is to commercial real estate what Bloomberg is to financial markets: the authoritative, enterprise-gated data source that CRE professionals pay significant subscription fees to access. CoStar's database covers commercial property listings, lease and sale comparables, vacancy rates, market absorption, tenant data, and market analytics across office, retail, industrial, and multifamily property types. Brokers, asset managers, and analysts use it daily.

The critical reality to understand before spending any time on Bubble configuration: there is no CoStar developer portal, no self-serve API key, and no trial access. Every CoStar API integration begins with a business conversation. You must contact CoStar through their API gateway at api.costar.com, demonstrate a legitimate commercial use case tied to an existing (or planned) CoStar subscription, and go through a formal enterprise approval process. This can take days to weeks depending on CoStar's review queue and the complexity of your use case. Calling CoStar API endpoints without approved credentials returns 401 or 403 — not because of configuration errors, but because the credentials do not exist yet.

Once approved, the integration itself is technically clean. CoStar provides a REST API with API key authentication. Bubble's API Connector holds the key in a Private header and proxies all calls server-side — the correct security model for licensed data. Bubble's privacy rules then ensure CoStar data stored in your Bubble database cannot be read by unauthenticated users, which satisfies both CoStar's data redistribution terms and general data security best practices.

The key strategic insight for efficient development: build your Bubble application structure, workflows, and UI using ATTOM Data Solutions (attomdata.com) as a stand-in while the CoStar approval is pending. ATTOM has instant self-serve API access, a similar REST structure, and covers comparable property data. When CoStar credentials arrive, swapping them in requires changing only the API Connector base URL and authentication header — the Bubble UI, workflows, and data model remain identical.

Integration method

Bubble API Connector

CoStar enterprise REST API with API key authentication in a Private header; all credentials server-side via Bubble's proxy; Bubble privacy rules mandatory for licensed data.

Prerequisites

  • An approved CoStar enterprise API agreement (contact api.costar.com to initiate — this is the mandatory first step)
  • CoStar API credentials (exact format provided by CoStar technical onboarding team post-approval)
  • For prototype development while awaiting CoStar approval: an ATTOM Data API key from attomdata.com (self-serve, instant access)
  • Bubble app on a paid plan for production use (Backend Workflows needed for scheduled data refresh require Starter plan or above)
  • API Connector plugin installed in your Bubble app (Plugins → Add plugins → search 'API Connector' by Bubble)

Step-by-step guide

1

Contact CoStar Sales and Initiate API Access (This Is Mandatory First)

Before touching Bubble's API Connector, your first action is contacting CoStar's API team at api.costar.com. There is no alternative path — no developer portal, no trial key, no self-serve registration. CoStar's data is licensed commercial data, and API access is only granted to organizations that have (or are establishing) a CoStar data subscription. When you reach out, be prepared to provide: - Your intended use case (custom brokerage tool, client-facing analytics portal, internal deal pipeline, etc.) - The CoStar products you are licensed for or planning to license (CoStar Suite, CoStar COMPS, LoopNet, etc.) - Your organization's name and existing CoStar account reference (if applicable) - How you plan to display and store CoStar data (describe your Bubble application architecture at a high level) CoStar's sales and technical teams will review your use case against their data redistribution terms. Two frequent approval blockers to be aware of: (1) applications that would show CoStar data to unauthenticated or non-licensed users are typically declined, and (2) use cases that involve re-selling or redistributing CoStar data through your platform require a separate data redistribution agreement at higher cost. While waiting for approval (which can take from a few business days to several weeks), proceed immediately to Step 2 to build your Bubble prototype. The waiting period is not idle time — you can build, test, and validate your entire Bubble application structure using ATTOM Data as a stand-in.

Pro tip: Prepare a one-page use case summary to send with your initial CoStar API inquiry. Describe: (a) who the authenticated users are (licensed brokers, internal analysts, etc.), (b) how data will be displayed (within a logged-in Bubble portal), and (c) what you will not do (no public display, no redistribution). This level of specificity typically speeds up the approval process.

Expected result: You have received a response from CoStar's API team acknowledging your inquiry. You are in the approval pipeline. In the meantime, you have started Step 2 to build the Bubble prototype.

2

Build the Bubble Prototype Using ATTOM Data (While Awaiting CoStar)

ATTOM Data Solutions (attomdata.com) provides property data — ownership, valuations, sales history, AVM estimates — via a self-serve REST API with instant developer portal access. It is not CoStar (no commercial lease data or submarket analytics), but it covers enough residential and commercial property data to validate your Bubble application's structure before CoStar credentials arrive. Go to attomdata.com, create a developer account, and generate an API key. The key is passed as an X-APIKey header on every request — exactly the same pattern you will use for CoStar. In Bubble, go to Plugins → API Connector → Add another API. Name it 'Property Data' (use a generic name, not 'ATTOM', so you do not need to rename it when CoStar credentials arrive). Configure: - Base URL: https://api.gateway.attomdata.com/propertyapi/v1.0.0 - Shared header Key: X-APIKey, Value: [your ATTOM key], mark as Private - Shared header Key: Accept, Value: application/json (static) Add a call named 'Property Search'. Method: GET. URL path: /property/address. Add query parameters: address1 (dynamic), address2 (dynamic — city/state), postalcode (dynamic). Click Initialize call with a real US address to detect the response fields. Build your entire Bubble UI — property search form, results Repeating Group, detail popup, comparables panel — using ATTOM's response structure. ATTOM's field names will differ from CoStar's, but the workflow logic and UI layout transfer directly. When CoStar credentials arrive, you will update the base URL, authentication header, and API call endpoints — the Bubble data model and UI remain. Create the Bubble data types you will need: Property (address, property_type, building_sf, year_built, last_sale_price, cache_expires_at), Comparable (property_id, transaction_date, price_per_sf, lease_rate, transaction_type), SubmarketStat (submarket, property_type, vacancy_rate, avg_asking_rent, report_date).

property_data_connector.json
1// ATTOM Data API Connector (prototype configuration)
2{
3 "method": "GET",
4 "url": "https://api.gateway.attomdata.com/propertyapi/v1.0.0/property/address",
5 "headers": {
6 "X-APIKey": "<your_attom_key_private>",
7 "Accept": "application/json"
8 },
9 "params": {
10 "address1": "<dynamic_street_address>",
11 "address2": "<dynamic_city_state>",
12 "postalcode": "<dynamic_zip>"
13 }
14}
15
16// When CoStar credentials arrive, update to:
17// Base URL: https://api.costar.com (verify with CoStar onboarding)
18// Header: [CoStar-specified auth header name]: [CoStar API key]

Pro tip: Name your Bubble data types and workflows generically ('Property', 'Comparable', 'SubmarketStat') rather than 'ATTOMProperty' or 'CoStarComparable'. Generic names mean zero renaming work when you switch from ATTOM to CoStar in the API Connector.

Expected result: A working Bubble prototype with property search, results display, and comparable/analytics views — all populated with ATTOM data. The UI is fully functional and testable. CoStar credential swap-in will require changing only the API Connector configuration, not the Bubble UI or data model.

3

Configure the API Connector with CoStar Credentials

Once CoStar's technical onboarding team provides your credentials and endpoint documentation, configure the production API Connector. The exact authentication mechanism varies by CoStar product — verify all of the following with your CoStar technical contact before configuration: - The API base URL (typically https://api.costar.com, but may include a version path or regional endpoint) - The authentication header name (may be 'X-Api-Key', 'Authorization', or a CoStar-specific header name) - Whether authentication uses a static API key, a short-lived token requiring exchange, or OAuth - Rate limits for your contracted tier - Which endpoints are available under your specific license (property search, comparables, market analytics, and/or tenant data each require separate licensed access) In Bubble's API Connector, update (or create) the 'Property Data' API: - Update the base URL to CoStar's production endpoint - Replace the X-APIKey ATTOM header with CoStar's authentication header (marked Private — this is non-negotiable for licensed CRE data) - Update each API call's URL path to CoStar's endpoint paths (provided in CoStar's onboarding documentation) - Update the query parameter names and body field names to match CoStar's API specification Before going live, re-initialize each API Connector call with CoStar credentials to let Bubble detect the new response field structure. CoStar responses may be structured differently from ATTOM's — update your Bubble data types and field mappings to match. Pay particular attention to pagination parameters: CoStar's property search results are typically paginated, and calling without page/size parameters may return unexpected result counts. Your CoStar technical contact will document the pagination scheme.

costar_connector_config.json
1// CoStar API Connector configuration (structure — verify exact values with CoStar)
2{
3 "method": "GET",
4 "url": "https://api.costar.com/<endpoint_path_per_costar_docs>",
5 "headers": {
6 "<CoStar_auth_header_name>": "<your_costar_credential_private>",
7 "Accept": "application/json"
8 },
9 "params": {
10 "submarket": "<dynamic_submarket_filter>",
11 "propertyType": "<dynamic_property_type>",
12 "buildingSizeMin": "<dynamic_min_sf>",
13 "buildingSizeMax": "<dynamic_max_sf>",
14 "pageNumber": "<dynamic_page>",
15 "pageSize": "25"
16 }
17}

Pro tip: If a CoStar API call returns 403 (Forbidden) after correct authentication, the issue is likely scope: the endpoint you are calling is outside your contracted license. Verify with your CoStar technical contact which endpoints are specifically included in your agreement — 403 from CoStar means 'not licensed', not 'wrong key'.

Expected result: The API Connector's Initialize calls succeed with CoStar credentials. Response fields are detected and mapped. Your existing Bubble workflows and data types are updated to use CoStar's field names.

4

Configure Bubble Privacy Rules — A CoStar Licensing Requirement

This step is not optional — it is a condition of CoStar's data licensing terms. CoStar's license agreement prohibits displaying or storing licensed data in ways accessible to unauthenticated users. In Bubble, this is enforced through privacy rules on every data type that stores CoStar property records. Go to Data tab in your Bubble editor. Click on each data type that stores CoStar data (Property, Comparable, SubmarketStat, or whatever you named them). Click the Privacy tab at the top of the data type editor. Create a privacy rule: - Rule name: 'Authenticated Users Only' - Condition: Current User is logged in - Permissions: check 'View all fields' This ensures that Bubble's Data API (which external callers can query) returns no CoStar data for unauthenticated requests. Without this rule, anyone who knows your Bubble Data API endpoint can fetch CoStar-populated records — violating your licensing agreement and exposing commercially sensitive property data. If your Bubble app has role-based access (e.g., only licensed broker users should see CoStar data, not all registered users), refine the privacy rule condition: - Condition: Current User is logged in AND Current User's role = 'Broker' (or however you define the licensed-user role) After adding privacy rules, test them: log out of your Bubble app, attempt to load a page that shows CoStar property data, and confirm it shows no data (or a login prompt). Log back in and confirm the data appears. Both states should behave as expected. For data types that store submarket analytics (which may be shared across multiple users), consider a separate rule: any logged-in user can view SubmarketStat records (since the stat is not property-specific PII), but Property and Comparable records require the licensed-user role.

costar_privacy_rules.txt
1// Bubble Privacy Rules for CoStar data types
2// Configure in Data tab → [DataType] → Privacy
3
4// Rule 1 (for Property, Comparable data types):
5// Condition: Current User is logged in
6// AND Current User's role = "Licensed User"
7// Permissions: View all fields = checked
8
9// Rule 2 (for SubmarketStat data type - aggregated, less sensitive):
10// Condition: Current User is logged in
11// Permissions: View all fields = checked
12
13// NO rule = public access = CoStar license violation

Pro tip: After configuring privacy rules, open an incognito browser window, navigate to your Bubble app, and try to access a URL that would load CoStar property data. If you see data without logging in, the privacy rules are not configured correctly. Fix them before deploying to production.

Expected result: All Bubble data types storing CoStar records have privacy rules that restrict reads to authenticated (and, where applicable, role-verified) users. Unauthenticated access to the Data API returns empty results for CoStar-populated tables.

5

Build the Property Search Workflow and Comparables Panel

With credentials configured and privacy rules in place, build the core search and analytics workflows that your users will interact with daily. For property search: add a form to your Bubble page with inputs for Submarket (dropdown populated from a Bubble option set of submarkets), Property Type (dropdown: Office, Retail, Industrial, Multifamily), Minimum Building Size (number input), Maximum Building Size (number input), and Availability Status (dropdown). Add a 'Search' button. In the button's workflow: 1. Call the CoStar property search API Connector call with the form values as dynamic parameters. 2. For each property in the response, use 'Create a new thing' in the Property data type (or 'Make changes to' if a record with the same CoStar property ID already exists). Set cache_expires_at to Current date/time + 1 hour. 3. Navigate to (or show) the results Repeating Group. For the results Repeating Group: set data source to 'Search for Property where result_source = CoStar AND cache_expires_at > Current date/time'. This shows only fresh cached results. Add columns for property name, address, building SF, property type, and availability. For the comparables panel: add a workflow triggered by clicking a property row. Call the CoStar comparables endpoint with the selected property's CoStar property ID. Store results in the Comparable data type. Display in a secondary Repeating Group inside a popup, sorted by transaction_date descending. For the market analytics view: create a separate page or tab with SubmarketStat display. A Backend Workflow scheduled to run nightly fetches CoStar market analytics and populates the SubmarketStat data type. Users see the cached analytics, not live API calls — CoStar's market analytics data updates at most daily, so live calls would return the same data at extra WU cost. RapidDev's team has built CRE data platforms on Bubble integrating CoStar and ATTOM — if you want a free review of your data architecture before going live, book a scoping call at rapidevelopers.com/contact.

Pro tip: Build a 'check cache first' conditional in every search workflow: before calling CoStar's API, search Bubble's Property data type for records matching the search criteria with cache_expires_at > Current date/time. If results exist and are fresh, skip the API call and show cached data. This reduces CoStar API call volume and Bubble WU consumption simultaneously.

Expected result: The property search form filters by submarket, property type, and size range. Results display in a Repeating Group from Bubble's cached Property data type. Clicking a property row opens a comparables popup populated from the Comparable data type. Market analytics show on a dashboard screen from nightly-cached SubmarketStat records.

6

Cache CoStar Data and Monitor for License Compliance

CoStar API calls consume both Bubble Workload Units and CoStar API call quota (which is contract-defined). Caching is therefore both a performance optimization and a cost management requirement. Every API call to CoStar should follow this pattern in your Bubble workflows: 1. Search Bubble DB for existing records matching the query criteria with cache_expires_at > Current date/time. 2. If fresh cached records exist: skip the API call, use cached data. 3. If no fresh records: call CoStar API, store results with cache_expires_at = Current date/time + appropriate TTL (1 hour for property details, 24 hours for market analytics). For market analytics (vacancy rates, asking rents): these update at most daily in CoStar's systems. A nightly Backend Workflow that refreshes SubmarketStat records is the right pattern — not on-demand API calls per page load. The Backend Workflow fetches all submarkets in your contracted scope and upserts the data. This requires a paid Bubble plan. For API call monitoring: go to Bubble Logs tab → API Logs. This shows every CoStar API call with timestamp, status code, and response size. Review this log weekly during the first month to identify any unexpected call patterns (e.g., a workflow firing more times than expected due to a triggering condition error). For license compliance monitoring: track your CoStar API call count in Bubble by incrementing a counter in a CoStarApiUsage data type on each call. Compare this against your contracted monthly quota and alert your admin team when usage approaches 80% of the limit via a Backend Workflow email action. Note: if a CoStar API call returns 403 (not 401), the issue is contract scope — not authentication. 401 means credentials are wrong. 403 means credentials are valid but the endpoint is outside your licensed scope. Contact your CoStar account manager for 403 errors, not your technical onboarding team.

costar_cache_strategy.txt
1// Cache check conditional in Bubble workflow
2// Step 1: Do a search for Property
3// - CoStar_property_id = [current search criteria]
4// - cache_expires_at > Current date/time
5// - :count > 0
6// If yes: use cached data (no API call)
7// If no: proceed to CoStar API call
8
9// Cache TTL recommendations
10// Property details: 1 hour (cache_expires_at = Current date/time + 1 hour)
11// Comparables: 6 hours (transaction history changes slowly)
12// Market analytics (vacancy, rent): 24 hours (daily refresh via Backend Workflow)

Pro tip: Log every CoStar API call in a dedicated Bubble data type with timestamp and endpoint name. This creates an audit trail you can show to CoStar's compliance team if questions arise about data usage, and helps you identify runaway workflows before they exhaust your monthly API call quota.

Expected result: Property search workflows check Bubble's cache before calling CoStar. Market analytics data is refreshed nightly by a Backend Workflow rather than on demand. Bubble's Logs tab shows healthy CoStar API call volume without unexpected spikes.

Common use cases

CRE Broker Deal Pipeline Dashboard

Build a custom deal pipeline dashboard where commercial real estate brokers track active listings, pull CoStar comparables for property valuation, and see submarket vacancy rates — replacing manual CoStar portal navigation with a Bubble app that integrates deal stages, contact notes, and market data in one interface.

Bubble Prompt

Copy this prompt to try it in Bubble

Market Analytics Report Builder

Create a client-facing report builder that lets CRE analysts select a submarket, property type, and date range, then pulls CoStar market analytics (vacancy rate, asking rent, absorption) into a formatted report visible in Bubble — with results cached in the Bubble database to avoid redundant licensed-data API calls.

Bubble Prompt

Copy this prompt to try it in Bubble

Property Comparables Lookup Tool

Build a comparables search tool where brokers enter a target property address, Bubble queries CoStar's comparables endpoint for recent sale or lease transactions within a specified radius, and the results display as a sortable table with key metrics (price per SF, lease rate, transaction date) — all behind Bubble authentication so only licensed users see the data.

Bubble Prompt

Copy this prompt to try it in Bubble

Troubleshooting

All CoStar API calls return 401 Unauthorized before I even configure Bubble

Cause: There are no valid CoStar API credentials yet. CoStar requires enterprise approval before issuing credentials — calling the API endpoint without approved credentials always returns 401.

Solution: Do not attempt to debug the Bubble configuration. The 401 means the approval process is not complete. Contact api.costar.com if you have not already initiated the approval process. If you have, follow up with your CoStar account manager for status. In the meantime, proceed with ATTOM Data as a prototype stand-in (Step 2).

CoStar API calls return 403 Forbidden even though authentication is correct

Cause: 403 from CoStar means the credentials are valid but the specific endpoint requested is outside your contracted license scope. This is different from 401 (authentication failure).

Solution: Do not debug the API key — it is correct. Contact your CoStar account manager to confirm which specific endpoints and data products are included in your contract. CoStar's API surface includes multiple licensed products (CoStar Suite, CoStar COMPS, LoopNet data) that require separate licensing. The 403 tells you the endpoint exists and authentication works — but you haven't licensed that specific data product.

'There was an issue setting up your call' when initializing CoStar API Connector calls

Cause: The Initialize call makes a live request to CoStar's API. This fails if the credentials are not yet configured correctly in the API Connector headers, or if the endpoint path requires specific required parameters that are not provided in the Initialize defaults.

Solution: Verify the authentication header name and value match exactly what CoStar's technical team provided. Ensure required query parameters (such as market ID, property type, or date range) have valid default values set for the Initialize call — CoStar endpoints often reject calls missing required parameters. Check Bubble's Logs tab → API Logs for the raw response to see CoStar's error message.

CoStar property data is visible to non-logged-in users in the Bubble app

Cause: Bubble privacy rules are not configured on the data types storing CoStar records. Without explicit privacy rules, Bubble's Data API returns data to any caller — including unauthenticated requests.

Solution: Go to Data tab → each CoStar-populated data type → Privacy → add a rule: condition 'Current User is logged in', permission 'View all fields'. Test by opening the Bubble app in an incognito window without logging in. CoStar data should not be visible. This is both a CoStar licensing requirement and critical for data security. Configure privacy rules before any production deployment.

CoStar API response contains far more fields than expected and Bubble's data type is missing many of them

Cause: CoStar API responses can be large, and the API Connector's Initialize call only detects fields present in that specific response. Fields that are null or absent in the Initialize response are not automatically detected.

Solution: Re-initialize the API Connector call using a property record that has all relevant fields populated. Alternatively, manually add additional fields to the API Connector call's response definition using the '+ Add field' button. Check CoStar's API documentation (provided in onboarding) for the complete field list and add the ones your Bubble UI requires.

Best practices

  • Start with the CoStar sales conversation before writing any Bubble configuration — there is no self-serve path, and attempting to call CoStar endpoints without approved credentials is a dead end. Use the waiting period to build the full Bubble prototype with ATTOM Data.
  • Mark every CoStar credential (API key, auth token) as Private in the Bubble API Connector without exception. Bubble's server-side proxy already keeps them browser-side safe, but Private prevents them from appearing in Bubble editor logs and reduces accidental exposure risk.
  • Configure Bubble privacy rules on every data type storing CoStar records before the first test write. This is both a CoStar licensing requirement (data must not be served to unauthenticated users) and a basic data security practice. Test the rules by accessing your app from an incognito window.
  • Cache CoStar API responses in Bubble's database with a cache_expires_at timestamp. Property details change infrequently, market analytics update daily at most — live API calls on every page load burn Bubble Workload Units and CoStar API quota without improving data freshness.
  • Use 403 vs 401 as diagnostic signals: 401 means wrong or missing credentials; 403 means the endpoint is outside your contracted license scope. Contact your CoStar account manager for 403 errors — the API key is correct, but you need to add the data product to your subscription.
  • Build your Bubble data model with generic field names (property_sf, asking_rent, vacancy_rate) rather than CoStar-specific internal field names. If CoStar updates their API response structure, you update only the API Connector field mappings — not the data type definitions that flow through your entire app.
  • Log every CoStar API call in a dedicated Bubble data type with timestamp, endpoint, and status code. This provides an audit trail for CoStar's compliance team and helps you detect runaway workflows before they exhaust your monthly API call quota.
  • Build a submarket option set in Bubble containing only the submarkets included in your CoStar license — do not let users search outside your contracted geographic or property type scope. Calls outside licensed scope return 403 and waste Workload Units.

Alternatives

Frequently asked questions

Is there any way to access CoStar data without going through the enterprise sales process?

No. CoStar has no self-serve developer portal, no free trial API key, and no sandbox environment. Every API integration requires an approved enterprise relationship. Attempting to use CoStar's internal web endpoints (discoverable via browser DevTools on costar.com) violates their Terms of Service and is likely to result in IP blocking. The only legitimate path is through api.costar.com. For residential property data with instant self-serve access, ATTOM Data (attomdata.com) is the recommended alternative while CoStar approval is pending.

Can I show CoStar data to users who don't have a CoStar subscription themselves?

This depends on your specific CoStar license agreement, which you should verify with your CoStar account manager. In most cases, CoStar licenses permit showing data to authenticated users of your licensed organization (e.g., employees of a brokerage that holds the CoStar subscription), but prohibit showing it to the general public or to users outside the licensed entity. This is why Bubble privacy rules restricting data access to authenticated users are a licensing requirement, not just a recommendation.

How long does the CoStar API approval process typically take?

Timelines vary. Straightforward use cases tied to existing CoStar subscriptions (building an internal tool for your existing CoStar-licensed brokerage) are sometimes approved within a few business days. New customers or applications involving data redistribution or external-facing portals can take several weeks. Having a clear, specific use case description and a named CoStar account manager relationship both speed up the process.

What is ATTOM Data and how similar is it to CoStar for prototype purposes?

ATTOM Data Solutions (attomdata.com) is a property data provider covering residential and some commercial properties — ownership records, valuations, sales history, AVM estimates, neighborhood analytics. It has instant self-serve developer access and per-call or subscription pricing. For prototyping a Bubble app that will eventually use CoStar, ATTOM lets you build and validate the UI, workflow logic, and data model without waiting for CoStar approval. ATTOM does not have CoStar's depth in commercial lease comparables or submarket analytics — it's a development stand-in, not a full replacement.

Why does Bubble need privacy rules for CoStar data if the API Connector already keeps credentials private?

The API Connector Private headers protect your CoStar credentials from appearing in the browser — they prevent the API key from leaking. But privacy rules protect the data that was fetched using those credentials and stored in Bubble's database. Without privacy rules, any external caller can query your Bubble Data API (a public endpoint Bubble apps expose) and retrieve all CoStar property records stored in your database — without any authentication. The two controls are complementary: Private headers protect credentials, privacy rules protect fetched data.

Can Bubble's free plan support a CoStar integration?

Basic outbound API Connector calls to CoStar work on Bubble's free plan. However, scheduled Backend Workflows (needed for automated market analytics cache refresh and any scheduled data sync) require a paid Bubble plan (Starter $32/month or above). For a production CoStar integration that keeps cached data fresh automatically, a paid Bubble plan is necessary.

RapidDev

Talk to an Expert

Our team has built 600+ apps. Get personalized help with your project.

Book a free consultation

Integrations are where projects stall

We wire Bubble integrations like this one every week — auth, webhooks, edge cases included. Fixed-price builds from $13K, delivered in 6–10 weeks.

Talk to an integration engineer

We put the rapid in RapidDev

Need a dedicated strategic tech and growth partner? Discover what RapidDev can do for your business! Book a call with our team to schedule a free, no-obligation consultation. We'll discuss your project and provide a custom quote at no cost.