Do I still need external monitoring if I use the Security Dashboard?

Yes — they do different jobs. The Security Dashboard audits configuration: privacy rules, exposure risks, security settings. It does not run your login as a stranger, complete a checkout, verify a Stripe webhook fired, confirm a transactional email arrived, or notice a recurring workflow stopped. Those are external, flow-level checks — by definition they have to run from outside the platform.

How do I monitor Bubble backend and recurring workflows?

Add a heartbeat: make the workflow's last action call a monitoring ping URL after each successful run. If the workflow stops — undeployed change, silently false condition, plan limit, WU exhaustion, paused scheduler — the missed ping raises the alarm the same day. Bubble's scheduler view in the Logs tab then shows you what's queued, and the server logs show why a run skipped.

The Bubble monitoring pillar

How do you monitor a Bubble app? Flows, not pages.

Q: Does Bubble have built-in monitoring?

Partly. Bubble ships server logs (searchable, with filters including Errors and Non-passed events), a scheduler view for queued backend workflows in the Logs tab, status.bubble.io for platform incidents, and the Security Dashboard for security posture. What it doesn't ship: external synthetic monitoring of your user flows, third-party watching (Stripe webhooks, email delivery), or error tracking — the dashboard's error and usage monitoring was sunset in January 2026.

Q: What happened to Flusk?

Bubble acquired Flusk on October 1, 2024, and folded it into the platform as the Security Dashboard — flusk.eu now redirects to bubble.io/security-dashboard. The monitoring side didn't survive: Bubble announced that after January 21, 2026 the dashboard's Usage tabs (Analytics, Errors & bugs, Log explorer) would no longer be available, and the Flusk Monitoring plugin stopped reporting. Bubble's recommended alternatives are its server logs and Google Analytics.

Q: What does Bubble's Security Dashboard actually cover?

Security posture, on the platform side: an Issues Explorer that runs security tests across categories and ranks findings by criticality, a Privacy Rules Checker showing which data types are publicly accessible, recurring automated tests, and alerts to collaborators by email or webhook. Basic checks come with Starter; advanced checks (database exposure risks, compromised API tokens, and more) require Growth, Team, or Enterprise.

Bubble ships server logs, a scheduler view, and the Security Dashboard (formerly Flusk) — good for security posture, but its error and usage monitoring was sunset in January 2026, and nothing platform-side watches your live flows from the outside. Real coverage pairs Bubble's built-in logs with external synthetic checks on the flows that earn revenue: login, checkout, Stripe webhooks, transactional email, and recurring backend workflows.

Start 14-day trial See the setup

what's built in

What Bubble gives you out of the box

Three things, and they're genuinely useful: server logs in the Logs tab — searchable by user, date, and keyword, with advanced filters including Errors (server-side action failures like a failed send-email or payment) and Non-passed events (workflows skipped because a condition evaluated to no); the scheduler view, listing queued backend workflows with their scheduled time and parameters — noting that live and development keep separate schedules; and status.bubble.io, the official platform status page covering the editor and hosted apps. All three are diagnostic tools: they answer "why did it break?" once you already know something broke. None of them tells you that it broke.

the honest section

What the Security Dashboard (formerly Flusk) covers — and doesn't

Bubble acquired Flusk on October 1, 2024, and its security side lives on as Bubble's Security Dashboard — flusk.eu itself now redirects to bubble.io/security-dashboard. What it does today: an Issues Explorer running security tests across categories and ranking findings by criticality, a Privacy Rules Checker that shows which data types are publicly accessible, recurring automated tests, and alerts to collaborators by email or webhook. Basic checks ship with Starter; advanced checks (database exposure risks, compromised API tokens, and more) are gated to Growth, Team, and Enterprise. If you run a Bubble app, turn it on — it's good at its job.

What it no longer does: monitoring. Bubble announced that after January 21, 2026, the dashboard's Usage tabs — Analytics, Errors & bugs, and Log explorer — would be removed, and the Flusk Monitoring plugin stopped reporting; Bubble's recommended replacements are its server logs and Google Analytics. And there are things the Flusk lineage never did: external synthetic monitoring of user flows, watching third-party services (Stripe webhooks, email delivery, cron), or human diagnosis of failures. Security posture and flow monitoring are simply different jobs.

Capability comparison: Bubble Security Dashboard, Bubble server logs, and external flow monitoring
Capability	Security Dashboard (formerly Flusk)	Bubble server logs	External flow monitoring (Nightlamp)
Security configuration audit (exposure, settings)	Yes — Issues Explorer, ranked by criticality	No	No — platform-side job, use the dashboard
Privacy-rules audit (publicly accessible data types)	Yes — Privacy Rules Checker	No	Indirectly — api_canary catches emptied searches in production
Error / usage analytics	Sunset January 2026 (Analytics, Errors & bugs, Log explorer removed)	Partial — Errors filter on server-side actions	Failures surface as failed flow checks with diagnosis
External synthetic flow checks (login, checkout)	No — never offered	No	Yes — browser_journey on the live URL
Stripe webhook watching	No	Partial — workflow runs appear after the fact	Yes — http_keyword probe + flow check
Email delivery verification	No	Partial — send failures only, not delivery	Yes — email_flow to a monitored inbox
Recurring / scheduled workflow watching	No	Partial — scheduler view, if you remember to look	Yes — heartbeat per workflow
Human diagnosis when something breaks	No	No — you read the logs	Yes — a Nightlamp engineer writes up cause and fix

the setup

Six checks that cover a real Bubble app

Login — run it as a stranger, not as you

What breaks: Privacy rules, auth changes, and deploys break login for users while the editor session works fine.

The check: A browser_journey check signs in on the live URL with a dedicated test account on a normal user role — so a privacy-rule or auth regression that only hits real users fails the check, not your customers.

Checkout and payment — through to the webhook

What breaks: Checkout looks fine; the Stripe webhook posts to /version-test or fails auth, and fulfillment silently stops.

The check: Pair a browser_journey through checkout with an http_keyword probe on the webhook workflow URL — asserting it answers and that nothing points at version-test. Our Bubble + Stripe guide covers every variant of this failure.

The data your app serves — as a real user reads it

What breaks: A privacy-rule edit empties searches; dashboards render with no rows; no error is logged.

The check: An api_canary reads a known record through your Data API (or a workflow that searches) with real-user credentials and asserts rows come back. Empty-but-200 responses are exactly the failure this catches.

Recurring and scheduled workflows — heartbeats

What breaks: The nightly digest, billing run, or cleanup job stops; nobody notices until month-end.

The check: End each critical backend workflow with a call to a heartbeat URL. A missed ping pages you the same day, whatever the cause — condition, deploy, plan limit, WU overage, paused scheduler. The Logs tab scheduler confirms what's queued.

Transactional email — delivery, not just sending

What breaks: Workflows report success while password resets and receipts never reach inboxes.

The check: An email_flow check triggers a real email through your app and verifies it arrives at a monitored inbox. Bubble's server logs show send-email failures, but only delivery testing proves the mail actually lands.

The platform layer — URLs, certificate, status

What breaks: Custom-domain DNS or certificate problems, WU overage offline, or an actual Bubble incident.

The check: http_status checks on both bubbleapps.io and the custom domain localize an outage instantly; an ssl check watches the certificate; status.bubble.io context separates your incident from Bubble's. Our app-down decision guide walks the manual version.

copyable runbook

The Bubble monitoring starter plan

Bubble monitoring — starter plan

Platform layer
[ ] http_status on yourapp.bubbleapps.io AND the custom domain
[ ] ssl on the custom domain
[ ] Security Dashboard enabled; alerts routed to a watched inbox/webhook

Flow layer (the part nothing platform-side does)
[ ] browser_journey: login as a normal-role test user, on LIVE
[ ] browser_journey: checkout / the flow that earns money
[ ] http_keyword: Stripe webhook workflow URL answers; no "version-test"
[ ] api_canary: Data/Workflow API returns rows for a real-user token
[ ] email_flow: trigger + verify one transactional email end to end
[ ] heartbeat: every recurring/scheduled workflow pings after each run

When something fires
[ ] Logs tab -> server logs -> Errors + Non-passed events filters
[ ] Logs tab -> scheduler (live environment, pause toggle, queue)
[ ] status.bubble.io before debugging your own app

faq

Bubble monitoring FAQ

Does Bubble have built-in monitoring?

Partly: server logs with Errors and Non-passed-events filters, the scheduler view, status.bubble.io, and the Security Dashboard for security posture. No external flow checks, no third-party watching, and error/usage monitoring was sunset in January 2026.

What happened to Flusk?

Acquired by Bubble on October 1, 2024 and folded in as the Security Dashboard; flusk.eu redirects there now. The Usage tabs (Analytics, Errors & bugs, Log explorer) were removed after January 21, 2026, and the Flusk Monitoring plugin stopped reporting.

What does the Security Dashboard cover?

Security tests ranked by criticality, a Privacy Rules Checker, recurring automated tests, and email/webhook alerts. Basic checks on Starter; advanced checks need Growth, Team, or Enterprise.

Do I need external monitoring too?

Yes — different jobs. The dashboard audits configuration; it doesn't log in as a stranger, complete checkout, watch Stripe webhooks, verify email delivery, or notice a stopped recurring workflow.

How do I monitor recurring workflows?

Heartbeats: the workflow's last action pings a monitoring URL after each run. A missed ping pages you the same day, whatever silenced the workflow.

Want the flow layer handled for you?

Nightlamp runs the synthetic journeys, webhook probes, email checks, and heartbeats above — and when one fails, a real engineer reads your symptoms and sends the diagnosis. Keep the Security Dashboard for posture; we'll watch the flows.

Start 14-day trial · no card

Newsletter

One real no-code incident + the fix, monthly

A post-mortem from a real no-code outage — what broke, how it was found, and the fix — once a month. Confirming also gets you the no-code incident runbook pack.

Double opt-in. One-click unsubscribe. No spam, ever.