API Key / Auth

Hi, I'm fairly new to Xano and I'm using it as the backend for an app I'm building. I'm using Bubble as the frontend.

In Bubble, if I want to make an API input dynamic, I need to set the parameter to not "Private" so I can dynamically populate it within Bubble workflows. I am planning on storing user authTokens on the Bubble side per user to then pass back to Xano as needed, but if not "Private" it is my understanding it can be seen/accessed client-side.

My thinking is to add an additional layer of security for all APIs in my workspace, like an API key, that would be passed as a "Private" header by Bubble (server-to-server)... so that only Bubble can hit my APIs and it can't be seen client-side.

Does my below approach make sense? Or is there a better approach?

  1. Set environment variable for my workspace to house an API key

  2. Add pre-condition on every endpoint to check against that API key

  3. Pass API key as a "Private" header from Bubble on every call

A follow-up/separate question.

I've been reading that best practice for user security is to have an access token (short-lived) and a refresh token (long-lived). Is this necessary given the above approach? If so, how can this be done in Xano?

1 reply
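The three-step check the post describes (API key in an environment variable, a precondition on every endpoint, key sent as a private server-to-server header) together with the short-lived access token plus refresh token pattern from the follow-up question, written out as an added Python example. This is not Xano or Bubble code: Xano's function stack is configured in its editor, so this block only shows the logic a practitioner would want that precondition and the token endpoints to implement. The header names `X-API-Key` and `Authorization: Bearer`, the environment variable name `BUBBLE_API_KEY`, the token lifetimes and the in-memory `REFRESH_STORE` dictionary are all assumptions chosen for the example; the key value is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed placeholder: in Xano this would be a workspace environment variable.
os.environ.setdefault("BUBBLE_API_KEY", "example-placeholder-key-do-not-use")

ACCESS_TTL = 15 * 60            # assumed: 15-minute access tokens
REFRESH_TTL = 30 * 24 * 3600    # assumed: 30-day refresh tokens
SIGNING_KEY = secrets.token_bytes(32)  # assumed: in production, load from an env var
REFRESH_STORE = {}              # assumed stand-in for a database table: sha256(token) -> record


def check_api_key(headers, expected=None):
    """Step 2 of the post: compare the X-API-Key header against the workspace env var.
    hmac.compare_digest avoids leaking the key length/prefix through timing differences."""
    expected = os.environ.get("BUBBLE_API_KEY", "") if expected is None else expected
    supplied = headers.get("x-api-key", "")
    return bool(expected) and hmac.compare_digest(supplied.encode(), expected.encode())


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user_id, now=None, key=SIGNING_KEY):
    """Short-lived, self-contained token: base64(claims).base64(HMAC-SHA256(claims))."""
    now = int(time.time()) if now is None else now
    payload = _b64(json.dumps({"sub": user_id, "exp": now + ACCESS_TTL}).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_access_token(token, now=None, key=SIGNING_KEY):
    """Return the user id if the signature is valid and the token is unexpired, else None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(payload))
    now = int(time.time()) if now is None else now
    return None if claims["exp"] <= now else claims["sub"]


def issue_refresh_token(user_id, now=None):
    """Long-lived, opaque token: random value, only its hash is stored server-side."""
    now = int(time.time()) if now is None else now
    raw = secrets.token_urlsafe(32)
    REFRESH_STORE[hashlib.sha256(raw.encode()).hexdigest()] = {"sub": user_id, "exp": now + REFRESH_TTL}
    return raw


def rotate(refresh_token, now=None):
    """Exchange a refresh token for a new (access, refresh) pair. The old refresh token is
    removed first, so a replayed or stolen copy is rejected once it has been used."""
    now = int(time.time()) if now is None else now
    record = REFRESH_STORE.pop(hashlib.sha256(refresh_token.encode()).hexdigest(), None)
    if record is None or record["exp"] <= now:
        return None
    return issue_access_token(record["sub"], now), issue_refresh_token(record["sub"], now)


def handle_protected_request(headers, now=None):
    """Order of checks on a protected endpoint: the server-to-server API key first (proves the
    call came through Bubble), then the per-user access token (proves which user it is for)."""
    if not check_api_key(headers):
        return 401, "invalid or missing API key"
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    user = verify_access_token(auth[len("Bearer "):], now)
    if user is None:
        return 401, "expired or invalid access token"
    return 200, user
```

The API key only proves that a request came through the Bubble server and not from an arbitrary client; it does not identify a user, so the per-user token check still runs after it. Using `rotate` means an expired access token never needs to be long-lived: the client swaps the refresh token for a fresh pair, and a refresh token presented a second time is refused.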