Configuring API call parameters in Bubble's API Connector involves understanding URL parameters, query strings, header values, and body parameters, plus knowing when to make each parameter static versus dynamic. This tutorial covers the different parameter types, how to set them up correctly, the Private and Client safe checkboxes, and best practices for organizing parameters across multiple API calls.
Overview: Configuring Parameters for API Calls in Bubble
This tutorial explains how to properly configure every type of parameter in Bubble's API Connector. You will learn the differences between URL parameters, query strings, headers, and body parameters, and when to make each one static, dynamic, private, or client safe.
Prerequisites
- A Bubble app with the API Connector plugin installed
- An external API you want to connect to
- The API documentation for your target service
- Basic understanding of HTTP request methods (GET, POST, PUT)
Step-by-step guide
Understand the four types of API parameters
Understand the four types of API parameters
The API Connector supports four parameter locations: (1) URL parameters — embedded in the URL path using brackets: /users/[user_id]/posts. The value replaces the bracketed placeholder. (2) Query string parameters — appended after ? in the URL: /search?q=[query]&limit=[limit]. (3) Header parameters — sent in HTTP headers, typically for authentication and content type. (4) Body parameters — sent in the request body for POST, PUT, and PATCH requests. Each location serves a different purpose defined by the API you are connecting to. Check the external API's documentation to know which parameters go where.
Expected result: You understand where each type of parameter is placed in an HTTP request.
Configure URL and query string parameters
Configure URL and query string parameters
In the API Connector, wrap URL path parameters in square brackets: https://api.example.com/users/[user_id]. For query strings, add them to the URL: https://api.example.com/search?q=[search_term]&page=[page_num]. Bracketed values become dynamic parameters you can fill in when using the API call in workflows. To make a parameter static (same value every time), remove the brackets and type the fixed value directly. Use dynamic parameters for values that change per request (user IDs, search terms) and static parameters for values that are always the same (API version, fixed filters).
Expected result: URL and query string parameters are configured with brackets for dynamic values and plain text for static values.
Set up header parameters for authentication
Set up header parameters for authentication
Click Add header in the API Connector call configuration. Common headers include: Authorization (for API keys or tokens), Content-Type (usually application/json for REST APIs), and Accept (what format you want back). For API key authentication, add a header: key = Authorization, value = Bearer [your_api_key]. Check the Private checkbox to keep the key server-side. For shared headers used across all calls, add them in the Shared headers section at the top of the API configuration — they automatically apply to every call.
Pro tip: Always use shared headers for authentication tokens. This way you only update the token in one place when it changes, rather than in every individual call.
Expected result: Authentication and content type headers are configured, with sensitive values marked as Private.
Configure body parameters for POST and PUT requests
Configure body parameters for POST and PUT requests
For POST, PUT, and PATCH requests, click the Body tab in the API Connector. Set Body type to JSON. Add your request body structure. Use bracketed placeholders for dynamic values: {"name": "[name]", "email": "[email]", "role": "admin"}. Dynamic parameters (in brackets) can be filled when the call is used in workflows. Static values (no brackets) are sent as-is every time. For nested objects, structure the JSON accordingly. For list parameters, use JSON arrays. Initialize the call with sample values to verify the body structure is correct.
Expected result: The request body is configured with the correct JSON structure and dynamic parameters for values that change per request.
Understand Private versus Client safe checkboxes
Understand Private versus Client safe checkboxes
Each parameter has two important checkboxes: Private and Client safe. Private means the value is NEVER sent to the user's browser — the API call routes through Bubble's server. Use Private for API keys, secrets, and any sensitive data. Client safe means the value CAN be set dynamically in the browser editor but is still transmitted to the server. NEVER use Client safe for sensitive data. For most API keys: check Private, leave Client safe unchecked. For dynamic user input (search terms, IDs): leave both unchecked. The initialization value for Private parameters becomes the default — change it in production.
Expected result: You understand when to use Private and Client safe for each parameter to maintain security.
Complete working example
1{2 "API Name": "Example API",3 "Authentication": "Private key in header",4 "Base URL": "https://api.example.com/v2",5 "Shared Headers": {6 "Authorization": "Bearer sk_live_xxx (Private, not Client safe)",7 "Content-Type": "application/json"8 },9 "Call 1 - Get User (GET)": {10 "URL": "/users/[user_id]",11 "Parameters": {12 "user_id": "dynamic (not Private, not Client safe)"13 },14 "Use as": "Data"15 },16 "Call 2 - Search (GET)": {17 "URL": "/search?q=[query]&limit=20&page=[page]",18 "Parameters": {19 "query": "dynamic",20 "limit": "static (20)",21 "page": "dynamic (default: 1)"22 },23 "Use as": "Data"24 },25 "Call 3 - Create User (POST)": {26 "URL": "/users",27 "Body": {28 "name": "[name]",29 "email": "[email]",30 "role": "member"31 },32 "Parameters": {33 "name": "dynamic",34 "email": "dynamic",35 "role": "static (member)"36 },37 "Use as": "Action"38 }39}Common mistakes when configuring the needed parameters for an API call in Bubble.io: Step-by-Ste
Why it's a problem: Not marking API keys as Private
How to avoid: Always check the Private checkbox on any parameter containing API keys, tokens, or secrets
Why it's a problem: Hardcoding dynamic values instead of using bracketed parameters
How to avoid: Wrap any value that should change per request in square brackets to make it a dynamic parameter
Why it's a problem: Using Client safe for API keys
How to avoid: Use Private (not Client safe) for all sensitive parameters. Client safe is for non-sensitive dynamic values only.
Best practices
- Use shared headers for authentication that applies to all API calls
- Mark all sensitive parameters (API keys, tokens) as Private
- Use bracketed parameters for values that change per request
- Initialize calls with representative sample data
- Organize related API calls under a single API name
- Document what each parameter represents in the call name
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I need to configure API Connector calls in Bubble.io for a REST API that requires an API key in the header, user IDs in the URL path, and JSON body parameters for POST requests. Help me set up the parameters correctly with proper security settings.
Set up an API Connector call with a URL path parameter for user ID, an Authorization header with a private API key, and a POST body with dynamic name and email fields plus a static role field. Mark the API key as Private.
Frequently asked questions
What is the difference between Private and Client safe?
Private means the value never reaches the user's browser and stays on Bubble's server. Client safe means it can be set dynamically in the browser but is still sent server-side. Use Private for secrets, avoid Client safe for sensitive data.
Can I change parameter values at runtime?
Yes. Dynamic parameters (in square brackets) can be filled with different values each time the API call is used in a workflow or data source.
Why does my API call fail after initialization?
The initialization value for Private parameters becomes the default. If you used a test value during initialization, it may not work in production. Update the Private parameter value in the API Connector.
Can I send arrays in body parameters?
Yes. Structure the JSON body with array syntax: {"items": ["[item1]", "[item2]"]}. For dynamic-length arrays, you may need to build the JSON string in a workflow and pass it as a single text parameter.
Can RapidDev help configure complex API integrations?
Yes. RapidDev can set up API Connector configurations for any REST API including authentication, parameter mapping, error handling, and response parsing in your Bubble app.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation