Appearance

Updating visuals

If you see any images containing outdated UI, please bear with us.

We are updating all content as quickly as possible to mirror our new UI.

Creating secure logic ​

In the Interface, you've likely used Workflows to handle button clicks, like navigating to a page or opening a modal. This is great for UI interactions.

However, when it comes to sensitive actions, like changing a password, charging a credit card, or deleting data, you cannot rely on Interface Workflows.

The Rule of Thumb ​

  • Interface Workflows — For UI only. (Navigation, showing modals, simple calculations).
  • APIs — For Data and Business Logic. (Creating records, updating users, sending emails, processing payments).

Why move logic to APIs? ​

If you put logic in the Interface, a tech-savvy user can change it.

Imagine an Interface workflow that checks If User is Admin -> Delete Project. A malicious user could modify that check in their browser to always say "True", allowing them to mimic being an admin and delete projects they shouldn't.

By moving this to an API, the logic lives on WeWeb's secure servers. The user sends a request ("Please delete project X"), and your server decides if they are allowed to do it. The user cannot touch the server's logic.

How to create secure logic ​

The process involves moving your logic from an Interface workflow to an API, and then calling that API from an Interface workflow.

1. Create an API ​

Go to the Data & API tab > APIs > Create a new API (e.g., update-profile).

2. Define Inputs ​

Does your logic need data? (e.g., the new name, the new phone number). Add these as Input Parameters.

3. Add the Logic ​

Add the steps to perform the action. For example:

  • Database | Update record (Update the user's row in the Users table).
  • Resend | Send email (Send a confirmation email).

4. Secure it with Middleware ​

This is the most important step. Add Middleware to ensure only the right people can run this.

Example: Check if input user.id = auth.id (i.e., "Is the user trying to update their own profile?").

5. Call it from the Interface ​

Go back to your Interface. Select your "Save" button.

  1. Add a Workflow.
  2. In the Add action menu, you will find your APIs in the API folder. Select your update-profile API.
  3. Map the values (e.g., bind the Name Input from your page to the Name Parameter of the API).

Example Flow: Updating a User Profile ​

Here is how a secure update flow works in practice:

1
User clicks Save
The user fills out a form in the Interface and clicks the Save button.
2
Interface calls API
The button workflow sends a request to your update-profile API.
3
Access Check runs
Before running any logic, the API checks: Is the user signed in? Is this their profile? If not, it stops and returns an error.
4
Logic executes
If allowed, the API updates the user's record and sends a success response.
5
Interface updates
The Interface receives the success response and shows a 'Profile Saved' toast notification.

CONTINUE LEARNING

Now that your logic is secure, let's look at the broader picture of securing your entire application:

Authentication & Security →