Joomla 4.0+ ships a built-in REST API at /api/index.php/v1/ — no plugin required. Connect Bubble to Joomla using the API Connector with an X-Joomla-Token header (marked Private) to read and write articles, users, and categories. The result: Joomla manages your editorial content, Bubble renders a custom front-end or admin dashboard. Joomla 3.x users must upgrade to 4.0+ first.
| Fact | Value |
|---|---|
| Tool | Joomla |
| Category | DevOps & Tools |
| Method | Bubble API Connector |
| Difficulty | Intermediate |
| Time required | 45–60 minutes |
| Last updated | July 2026 |
Use Joomla as a headless CMS with Bubble as your custom front-end
The most compelling use-case for connecting Bubble to Joomla is the headless CMS pattern: Joomla handles what it's excellent at — editorial content management, multi-author workflows, category hierarchies, multilingual content — while Bubble provides a completely custom front-end or admin interface with the visual logic and user experience that Joomla's default templates can't match.
For example: a news organization might use Joomla as the content management backend (editors create and schedule articles in Joomla's familiar admin panel) while Bubble renders a custom branded reading app or a subscriber dashboard with payment walls and personalized feeds.
Since Joomla 4.0, this is possible without any plugin installation — the REST API is built in. The Bubble API Connector calls Joomla server-to-server, so there are no CORS problems and your API token never touches the user's browser. The main things to handle: enabling the API plugin in Joomla Admin, generating a user token, and being careful about Joomla's HTML-heavy article fields.
Integration method
Bubble's API Connector calls the Joomla 4.0+ REST API server-side at your Joomla site's /api/index.php/v1/ path, with the X-Joomla-Token header marked Private so your credentials stay on Bubble's servers.
Prerequisites
- A Joomla 4.0+ installation (check Joomla version at your site's /administrator → System → Joomla Version — must be 4.0 or higher)
- Administrator access to your Joomla backend (/administrator) to enable plugins and manage users
- HTTPS enabled on your Joomla site (Bubble requires HTTPS for all API Connector calls)
- A Bubble account — any plan works for outbound API Connector calls; a paid Bubble plan is required for inbound webhooks (Backend Workflows)
Step-by-step guide
Confirm Joomla 4.0+ and enable the API Authentication plugin
Before configuring anything in Bubble, verify you're running Joomla 4.0 or higher — the REST API does not exist in Joomla 3.x. Log in to your Joomla administrator backend (typically at your-site.com/administrator). In the top navigation, click System → Information → Joomla Version. Confirm the version is 4.0.0 or higher. If you're on Joomla 3.x, this tutorial does not apply until you upgrade. Joomla 4.x is the current supported major version. Next, enable the API Authentication plugin: 1. In the Joomla admin, click System in the top navigation 2. Click Plugins under the 'Manage' section 3. In the plugin search bar, type 'Authentication' 4. Find the plugin named 'Authentication - Joomla API Token' 5. Click on it to open it, then change Status from Disabled to Enabled 6. Click Save & Close This plugin allows Joomla's REST API to accept token-based authentication. Without it enabled, all API calls will return 401 Unauthorized regardless of the token you provide. Also confirm your Joomla site is accessible via HTTPS (https://your-site.com, not http://). Bubble's API Connector requires HTTPS for all external API calls.
Pro tip: If you don't see 'Authentication - Joomla API Token' in the plugin list, your Joomla installation may be incomplete or you may be on Joomla 3.x. Verify your version and reinstall/upgrade if necessary.
Expected result: Your Joomla admin shows version 4.0+, the 'Authentication - Joomla API Token' plugin is enabled and saved, and your site is accessible via HTTPS.
Generate a Joomla API Token for a user
Joomla API tokens are tied to individual user accounts. Each user account can have one API token, and the token grants the same permissions as that user's Joomla access level. In your Joomla admin (your-site.com/administrator), go to Users → Manage. Click on the username you want to generate a token for. It's a best practice to create a dedicated API user specifically for Bubble integration (e.g., username: 'bubble-api-user') rather than using an admin account's token. Assign this API user to an appropriate User Group — for a read-only Bubble front-end, the 'Registered' or 'Author' group is sufficient; for an admin dashboard that creates articles, use 'Editor' or 'Manager'. In the user edit screen, click the 'Joomla API Token' tab in the user details area. You'll see a field showing the current API token (or a button to generate one if none exists). Click 'Generate Token' or copy the existing token. Copy the full token string — it's a long alphanumeric value. You'll paste it into Bubble's API Connector in the next step. Security note: avoid using a Super Administrator account's token for your Bubble integration. If the token is ever exposed, an attacker would have full Joomla admin access. Use a lower-permission user account with only the access levels your Bubble app needs.
Pro tip: The Joomla API Token tab only appears in the user editor after the 'Authentication - Joomla API Token' plugin is enabled. If you don't see the tab, go back to Step 1 and confirm the plugin is enabled.
Expected result: You have a Joomla API token for a dedicated, appropriately-permissioned user account. The token is copied and ready to paste into Bubble.
Configure the Bubble API Connector with your Joomla endpoint and Private token
Open your Bubble app editor in the browser. Click the Plugins tab in the left sidebar (the puzzle piece icon). If the API Connector is not in your installed plugins, click Add plugins, search for 'API Connector' (by Bubble), and install it. Return to Plugins → API Connector. Click Add another API to create a new API group. Set the name to 'Joomla CMS'. In the Shared headers section, click Add a shared header: - Key: `X-Joomla-Token` - Value: paste your Joomla API token here - Check the 'Private' checkbox on this header — this is critical; the token must never be sent client-side You can also optionally add: - Key: `Content-Type` - Value: `application/json` - (Leave Content-Type as non-private) The base URL for all Joomla API calls follows the pattern: `https://your-site.com/api/index.php/v1` Replace `your-site.com` with your actual Joomla site domain. Note the path: it starts with `/api/index.php/v1` — not `/api/v1` or any other variation. This is Joomla's specific API path and must be exact. Because Bubble's API Connector makes calls from Bubble's servers to your Joomla site's servers, Joomla's CORS configuration (which defaults to restricting cross-origin requests) is completely irrelevant. CORS only applies when a browser makes requests directly — Bubble handles this server-side.
1{2 "API Name": "Joomla CMS",3 "Shared Headers": {4 "X-Joomla-Token": "<private>",5 "Content-Type": "application/json"6 },7 "Base URL": "https://your-site.com/api/index.php/v1"8}Pro tip: The header name must be exactly 'X-Joomla-Token' (with the 'X-' prefix and hyphen). Using 'Joomla-Token' or 'Authorization' will result in 401 errors on all calls.
Expected result: The Joomla CMS API group is configured in the API Connector with the X-Joomla-Token Private header. No calls added yet.
Add calls for articles and categories, then initialize
With the Joomla API group set up, add GET calls for the content you want to display in Bubble. Call 1 — Get Articles: - Click Add another call - Name: 'Get Articles' - Method: GET - URL: `https://your-site.com/api/index.php/v1/content/articles` - Add query parameters: - `page[limit]`: `20` (limits results to 20 articles per page, avoiding large payloads) - `filter[published]`: `1` (returns only published articles) - Set 'Use as': Data - Click Initialize call. Bubble makes a live GET request to your Joomla site. A successful response will look like a JSON object with a `data` array. Bubble auto-detects fields including `id`, `title`, `introtext` (HTML), `fulltext` (HTML), `catid`, `created`, and `state`. Call 2 — Get Categories: - Add another call - Name: 'Get Categories' - Method: GET - URL: `https://your-site.com/api/index.php/v1/categories` - Set 'Use as': Data - Initialize call Call 3 — Create Article (for admin dashboards): - Add another call - Name: 'Create Article' - Method: POST - URL: `https://your-site.com/api/index.php/v1/content/articles` - Set body type to JSON and add dynamic fields: `title`, `articletext`, `catid`, `state` - Set 'Use as': Action Critical HTML handling: Joomla article fields `introtext` and `fulltext` contain raw HTML markup (e.g., `<p>Article body with <strong>bold text</strong></p>`). Do NOT display these in a standard Bubble Text element — the HTML tags will appear literally. Use a Bubble HTML element to render HTML content, or use a workflow to strip HTML tags before storing in a Bubble data field.
1GET https://your-site.com/api/index.php/v1/content/articles2Headers:3 X-Joomla-Token: <private>4 Content-Type: application/json5Query Params:6 page[limit]: 207 filter[published]: 189Example response:10{11 "data": [12 {13 "id": "42",14 "title": "Getting Started with Joomla",15 "alias": "getting-started-with-joomla",16 "introtext": "<p>Welcome to <strong>Joomla</strong>...</p>",17 "catid": "8",18 "state": 1,19 "created": "2026-06-01 10:00:00"20 }21 ],22 "links": { "self": "...", "next": "..." },23 "meta": { "total-pages": 5 }24}Pro tip: If the Initialize call returns 'There was an issue setting up your call', confirm the API Authentication plugin is enabled in Joomla, check that your Joomla site URL uses HTTPS, and verify there is at least one published article to return non-empty data.
Expected result: All three calls are initialized successfully. Bubble shows detected fields from the Joomla API responses. The 'Get Articles' call shows article data including title and introtext. Ready to use as data sources in Bubble.
Build a Bubble page displaying Joomla articles with Privacy Rules for stored data
Connect the Joomla API calls to a visible Bubble page layout. Go to the Design tab in your Bubble editor. On your page, add a Repeating Group for the article list: - Type of content: 'Joomla CMS Get Articles' - Data source: 'Get data from an external API' → Joomla CMS - Get Articles - Inside the first cell, add: - A Text element → bind to 'Current cell's Joomla CMS Get Articles's title' - A Text element → bind to 'Current cell's → created' (formatted as a date) - An HTML element (from Bubble's Visual Elements in the Add panel) → bind its HTML attribute to 'Current cell's → introtext'. The HTML element renders HTML markup correctly. For category filtering, add a Dropdown element above the Repeating Group: - Data source: 'Get data from an external API' → Joomla CMS - Get Categories - Option display: category name field - When a category is selected, update the Repeating Group's data source to pass the selected category ID as a `filter[category_id]` parameter For creating new articles (admin dashboard flow): - Add a form area with Input elements for title and body text - Add a Submit Button with a Workflow: action 'Plugins → Joomla CMS - Create Article', fill in title, articletext, catid, and state (1 = published, 0 = draft) Privacy and database rules: if your Bubble app stores any Joomla-derived data in the database (article cache, user interaction data, approval records), go to Data tab → Privacy and set rules. Without Privacy Rules, all data types in Bubble are accessible to any user — a significant security gap. Add a rule: 'When: Current User is logged in → Allow: Find this data, View all fields.' RapidDev's team has built headless CMS dashboards on Bubble with backends including Joomla, WordPress, and custom REST APIs — if you need help architecting the data flow, book a free scoping call at rapidevelopers.com/contact.
Pro tip: Joomla returns article `introtext` as HTML. Use a Bubble HTML element (not a Text element) to display it correctly. For plain-text summaries in a Repeating Group list, consider either stripping HTML in a Joomla custom API filter or creating a plain-text summary field in your Joomla content type.
Expected result: A Bubble page displays Joomla articles from the live API, with HTML content rendered correctly in HTML elements. Category filtering works. Privacy Rules are configured for any stored data. The form for creating new articles successfully POSTs to Joomla.
Common use cases
Headless Joomla: custom front-end built in Bubble
Editors manage articles in Joomla's admin panel while a Bubble-built site or app renders the public-facing content with custom UI, subscription gates, user interactions, and real-time features that standard Joomla templates can't provide.
Build a Bubble page that lists the latest 10 published Joomla articles from my site in a repeating group with title, date, and category filter
Copy this prompt to try it in Bubble
Custom Joomla content administration dashboard in Bubble
Replace Joomla's complex admin interface with a simplified Bubble dashboard tailored for non-technical content editors — showing only the fields they need, with simpler workflows for creating, editing, and publishing articles.
Create a Bubble form that lets an editor fill in a title and body text, then POST a new draft article to my Joomla site via the API
Copy this prompt to try it in Bubble
Joomla user directory or member portal in Bubble
Use the Joomla Users API to display registered members in a Bubble-built member portal, with the ability to search by name, view profiles, and (for admins) update user group assignments — all without logging into Joomla's admin.
Fetch registered users from my Joomla site and display them in a searchable Bubble table with their email and registration date
Copy this prompt to try it in Bubble
Troubleshooting
API call returns 401 Unauthorized even with a valid token
Cause: The 'Authentication - Joomla API Token' plugin is not enabled, or the header name is wrong. Joomla returns 401 when the plugin is missing or the token header doesn't match what the plugin expects.
Solution: In Joomla admin, go to System → Plugins → search 'API Token' → confirm 'Authentication - Joomla API Token' is enabled (Status = green). Also verify the header name in Bubble is exactly 'X-Joomla-Token' — not 'Authorization' or 'Joomla-Token'. Save the plugin settings and re-test.
Initialize call returns 'There was an issue setting up your call' or connection refused
Cause: The Joomla site URL uses HTTP (not HTTPS), the URL path is wrong, or the site is not reachable from Bubble's servers. Bubble requires HTTPS for all API calls.
Solution: Confirm your Joomla site URL in the browser starts with 'https://' — if it only has 'http://', install an SSL certificate (Let's Encrypt is free via most web hosts). Verify the API path is exactly '/api/index.php/v1' — not '/api/v1' or '/index.php/api/v1'. Test the URL by visiting https://your-site.com/api/index.php/v1/content/articles in your browser while logged into Joomla — you should see JSON output.
Joomla article content (introtext) shows raw HTML tags in a Bubble Text element
Cause: Joomla's introtext field contains HTML markup. Bubble's Text element displays text literally — it does not render HTML.
Solution: Use a Bubble HTML element (found in the Add panel under 'Visual Elements') instead of a Text element for displaying Joomla article content. Set the HTML element's 'HTML' property to the introtext field value. For Repeating Group previews where rich HTML is unnecessary, consider showing only the article title and creation date, and link to a detail page that uses the HTML element.
The Workflow API option is missing in Bubble Settings, so Joomla cannot send webhooks to Bubble
Cause: Backend Workflows (which expose a public webhook endpoint for receiving events from Joomla) are a paid Bubble plan feature. The Free plan does not include this functionality.
Solution: For inbound Joomla events (e.g., new user registered → trigger Bubble workflow), upgrade to a Bubble paid plan to access Backend Workflows. Alternatively, use a third-party middleware like Make (Integromat) or Zapier to bridge Joomla events to Bubble — these services can receive a Joomla webhook and call Bubble's Data API to create or update records.
Joomla 3.x site returns 404 for /api/index.php/v1/ requests
Cause: Joomla 3.x does not include a built-in REST API. The /api/ endpoint only exists in Joomla 4.0 and later.
Solution: Check your Joomla version at your-site.com/administrator → System → Information → Joomla Version. If it shows 3.x, you must upgrade to Joomla 4.x to use the built-in REST API. Alternatively, install a third-party Joomla REST API plugin for Joomla 3.x (such as JRA — Joomla REST API), which adds a REST endpoint, but this is not covered in this tutorial.
Best practices
- Always mark the X-Joomla-Token header as Private in the Bubble API Connector — a non-Private token is sent client-side in every browser request and exposes your Joomla credentials.
- Create a dedicated Joomla user account for the Bubble API integration with the minimum required permissions — avoid using a Super Administrator token in production.
- Use HTTPS on your Joomla site — Bubble's API Connector will not call HTTP endpoints, and token-based auth over plain HTTP is insecure regardless.
- Use Bubble HTML elements (not Text elements) to display Joomla's introtext and fulltext fields, which contain HTML markup that Text elements will display as raw tags.
- Limit API response sizes using Joomla's pagination parameters (page[limit]=20) — loading all articles in one request on a large Joomla site can produce very slow Bubble page loads.
- Cache frequently read Joomla content (article lists, categories) in Bubble's database with a timestamp, and refresh from Joomla's API on a schedule rather than on every page load, to manage WU costs.
- Configure Privacy Rules in Bubble's Data tab for any data types that store Joomla-derived content or user interaction data — Bubble data is world-readable without explicit Privacy Rules.
- Confirm Joomla 4.0+ before starting — Joomla 3.x has no built-in REST API and will return 404 for all /api/ calls without a third-party plugin.
Alternatives
WordPress is a more popular CMS choice for Bubble headless setups. Its REST API is at /wp-json/wp/v2/ but requires a JWT Authentication plugin for secure token-based auth (unlike Joomla 4.0+ which has token auth built in). If you're starting a new project, Joomla's out-of-the-box API token support is a simpler setup for Bubble.
If you're self-hosting Joomla in Docker containers, the Bubble API Connector setup is identical — just use your container's public HTTPS URL as the Joomla API base URL. Docker itself has no API relevant to Bubble.
Before configuring the Joomla API in Bubble, use Postman to test your Joomla API calls directly. This confirms your token and URL work before adding the Bubble layer. Postman is a testing tool, not a CMS alternative.
Frequently asked questions
Does Joomla 3.x have a REST API I can connect to Bubble?
Not built-in. The REST API at /api/index.php/v1/ was introduced in Joomla 4.0. On Joomla 3.x, you would need to install a third-party REST API plugin (such as JRA or similar) to get an API endpoint. This tutorial assumes Joomla 4.0+. If you're on Joomla 3.x, upgrading to 4.x is strongly recommended — Joomla 3.x reached end-of-life in August 2023.
Is the Joomla API Connector call secure? Could someone intercept my API token?
Yes, the API Connector is secure when the X-Joomla-Token header is marked as Private in Bubble. With the Private flag, Bubble processes this header server-side only — it never appears in the user's browser network tab. The call travels over HTTPS from Bubble's servers to your Joomla server. As long as your Joomla site uses HTTPS, the token is never exposed. Without the Private flag, the token would be visible to anyone inspecting browser network requests.
Why does Bubble's API Connector bypass Joomla's CORS restrictions?
CORS (Cross-Origin Resource Sharing) is a browser security mechanism that restricts cross-origin HTTP requests made from JavaScript in a browser. Bubble's API Connector makes HTTP requests from Bubble's server infrastructure — not from the user's browser. Server-to-server calls are not subject to CORS. This is a key benefit of Bubble's server-side API Connector architecture: you never need to configure CORS on your Joomla server for API calls from Bubble.
Do I need a paid Bubble plan to connect to Joomla?
No — outbound API Connector calls to Joomla's REST API work on all Bubble plans including Free. A paid Bubble plan is only required if you want to receive inbound events from Joomla via Backend Workflows (webhook endpoints). For read and write operations from Bubble to Joomla (fetching articles, creating content), the Free plan is sufficient.
Can I use HTTP Basic Auth instead of the API token for Joomla?
Joomla 4.0+ supports HTTP Basic Auth (username:password, Base64-encoded) as an alternative to API token auth. However, HTTP Basic Auth is significantly less secure — it sends credentials with every request and provides no way to grant limited-scope access. API Token auth is the recommended approach: it allows you to revoke a token without changing the user's password, and you can assign the token to a low-privilege API-only user account. Only use Basic Auth for quick local testing, never for production.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation