Expose your Bubble app as a REST API by enabling the Data API and Workflow API in Settings, defining endpoint parameters for backend workflows, documenting your endpoints for external consumers, and securing access with API tokens. This lets external services create, read, and modify data in your Bubble app.
Overview: Defining API Endpoints in Bubble
This tutorial teaches you how to expose your Bubble app as a REST API that external services can call. You will enable the Data API for CRUD operations on your data types, create backend workflows exposed as API endpoints with custom parameters, and secure everything with API tokens.
Prerequisites
- A Bubble account with an existing app
- At least one data type with records
- Basic understanding of REST API concepts
- Familiarity with Bubble backend workflows
Step-by-step guide
Enable the Data API
Enable the Data API
Go to Settings then API tab. Check Enable Data API. Below, you will see a list of your data types. Check the ones you want to expose. For each, you can enable GET (read), POST (create), PATCH (modify), and DELETE operations. Bubble automatically generates RESTful endpoints at: https://yourapp.bubbleapps.io/api/1.1/obj/[data_type_name]. Copy your API token from the top of the API settings page — external consumers need this for authentication.
Pro tip: Only expose data types that external services actually need. Every exposed type is a potential attack surface.
Expected result: The Data API is enabled for selected data types with CRUD endpoints available.
Create a backend workflow endpoint
Create a backend workflow endpoint
Go to the Workflow tab and access Backend workflows from the Pages dropdown. Create a new backend workflow and name it (e.g., process-order). Check Expose as a public API workflow. Add parameters: order_id (text), amount (number), and any other inputs the endpoint needs. Define the workflow actions that process the incoming data. The endpoint URL will be: https://yourapp.bubbleapps.io/api/1.1/wf/process-order.
Expected result: A backend workflow is exposed as an API endpoint callable via HTTP POST.
Define return values
Define return values
In your backend workflow, use the Return data from API action to send data back to the caller. Define the response fields: status (text), order_id (text), message (text), or any data the caller needs. This action ends the workflow — no subsequent actions run after it. The response is returned as JSON to the caller.
Expected result: The API endpoint returns structured JSON data to external callers.
Secure your endpoints
Secure your endpoints
All API calls require authentication. Include the API token in the Authorization header: Bearer [your_api_token]. For additional security, you can check the incoming token in your backend workflow and reject unauthorized requests. Consider creating different tokens for different external consumers so you can revoke access individually. For endpoints that modify sensitive data, add validation checks on the parameters. For enterprise API architecture, consider working with RapidDev.
Expected result: API endpoints are secured with token authentication and parameter validation.
Test and document your endpoints
Test and document your endpoints
Test your endpoints using Postman or a similar API testing tool. Send requests to the endpoint URLs with the Authorization header and required parameters. Verify the responses match your expected format. Document each endpoint: URL, method, required parameters, optional parameters, expected response format, and error codes. Share this documentation with external consumers who will integrate with your API.
Expected result: All endpoints are tested and documented for external consumers.
Complete working example
1{2 "API Configuration": {3 "Base URL": "https://yourapp.bubbleapps.io/api/1.1",4 "Authentication": "Bearer token in Authorization header",5 "Token Location": "Settings → API tab → API Token"6 },7 "Data API Endpoints": {8 "GET /obj/product": "List all products (with constraints)",9 "GET /obj/product/[id]": "Get single product by ID",10 "POST /obj/product": "Create new product",11 "PATCH /obj/product/[id]": "Update product fields",12 "DELETE /obj/product/[id]": "Delete product"13 },14 "Workflow API Endpoints": {15 "POST /wf/process-order": {16 "parameters": {17 "order_id": "text (required)",18 "amount": "number (required)",19 "customer_email": "text (optional)"20 },21 "response": {22 "status": "success or error",23 "order_id": "the processed order ID",24 "message": "description of result"25 }26 }27 },28 "Request Example": {29 "URL": "POST https://yourapp.bubbleapps.io/api/1.1/wf/process-order",30 "Headers": {31 "Authorization": "Bearer YOUR_API_TOKEN",32 "Content-Type": "application/json"33 },34 "Body": {35 "order_id": "abc123",36 "amount": 4999,37 "customer_email": "user@example.com"38 }39 }40}Common mistakes when defining an endpoint for API integrations in Bubble.io: Step-by-Step Guide
Why it's a problem: Exposing all data types via the Data API
How to avoid: Only check the data types that external services specifically need. Leave sensitive types unchecked.
Why it's a problem: Not including authentication in API test calls
How to avoid: Always include the Authorization: Bearer [token] header in API requests.
Why it's a problem: Placing actions after the Return data from API action
How to avoid: Place all processing actions before the Return data action. Use it as the final step.
Best practices
- Only expose data types and workflows that external services actually need
- Use the Bearer token authentication for all API calls
- Add parameter validation at the start of backend workflows
- Use Return data from API for structured responses
- Document all endpoints with parameters, responses, and examples
- Test endpoints with Postman before sharing with external consumers
- Consider creating separate API tokens for different consumers
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I am building a Bubble.io app and need to expose it as a REST API for external services. How do I enable the Data API and Workflow API, define endpoint parameters, and secure access with tokens?
Expose my app as an API. Enable the Data API for my Product data type. Create a backend workflow endpoint called process-order with order_id and amount parameters. Return a success status with the processed order details.
Frequently asked questions
Can external services call my Bubble API?
Yes. Any service that can make HTTP requests can call your Bubble API endpoints using the base URL and your API token.
Are API calls subject to Privacy Rules?
Data API calls respect Privacy Rules by default. Backend workflow endpoints can optionally ignore Privacy Rules with the checkbox.
Is there a rate limit on API calls?
Bubble does not publish specific rate limits, but excessive calls consume workload units and may trigger throttling. Design integrations to batch requests where possible.
Can RapidDev help with API architecture?
Yes. RapidDev specializes in Bubble development and can help design and implement API architectures including webhook handlers, versioning, and documentation.
Can I test API endpoints in development mode?
Yes. Development endpoints use a different URL path (version-test instead of version-live). Test against development first, then switch to live after deployment.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation