Contents x
Airtable API key deprecation notice
  • 07 Mar 2023
  • 5 Minutes to read
  • Print
  • Dark
    Light
Contents

Airtable API key deprecation notice

  • Updated on 07 Mar 2023
  • 5 Minutes to read
  • Print
  • Dark
    Light

This article serves as the announcement of the beginning of the deprecation period for API Keys. API keys are being deprecated in favor of the two new API Authentication methods. Both of these methods offer more granular control of resources and scopes and enable both developers and end-users to extend Airtable while ensuring the highest grade of security.

MethodUse caseDocumentation
Personal Access TokensIndividual use - Scripting, API calls
OAuth for integrationsConnecting Airtable with third-party integrations


API key deprecation details and timeline

Details

As this is a major change to the Airtable API, the API Key deprecation period will last for 12 months and end on Feb 1, 2024

  • After that date, API Keys will no longer be able to access the Airtable API. 
  • Related to this, webhooks created by API Keys in Enterprise bases will also expire at the end of that period. 
  • We recommend that all users migrate to Personal Access Tokens for individual use and OAuth for third-party integrations moving forward.

Timeline

  • January 2023: Initial community forum announcement and emails
  • Mid-February 2023: We will email API key owners with recent API key usage to directly inform them of the changes
  • August 1st, 2023: Users can no longer create new API keys
  • February 1st, 2024: Existing API keys can no longer be used to access the Airtable API


How can I find what is using my API key?

Unlike our new authentication methods, Airtable is not able to determine what is using your API key or who you may have shared your API key with in the past. This is a benefit of using OAuth for integrations - you will be easily able to view and manage your authorized OAuth integrations, and any activity coming from integrations will be attributed to the specific integration. Developers can also create multiple personal access tokens for different API integrations, rather than having one API key used by multiple integrations.

To find out what is using your API key, we recommend checking the following:

  1. Custom integrations set up by you or developers on your team
  2. Data connections and scripts that use your Airtable data (e.g. Tableau web data connector, Power BI & Power Query)
  3. Third-party integrations you have connected your Airtable account to (e.g. Zapier and Make)
    Note: We are working with third-party integrations to migrate to using OAuth for integrations. No action is required on your part until they complete the migration, after which you can stop using your API key and use OAuth to connect instead. 
  4. Third-party marketplace extensions that requested your Airtable API key (e.g. Data Fetcher)
  5. Airtable plugins for other apps (e.g. Airtable Data Sync to Hubspot)

Custom integrations & data connections should be updated to use personal access tokens, while third-party integrations, extensions and plugins require you to re-authorize using OAuth. If you are unsure how to set up OAuth for a specific partner or OAuth is not currently available for that partner, we recommend you contact their team for details on when it will be available.

Note that other Airtable functionality such as sync integrations and automations are not impacted by this change, as they do not use Airtable API keys.

If you are an Airtable Enterprise customer, you can also contact your account representative to request further support regarding this migration. 

 

FAQs

Why are we doing this?

Personal Access Tokens and OAuth provide a higher standard for security over API Keys, which were the predecessor that provided “all-or-nothing” access over everything that an Airtable user account could see or do. These new methods have more granular control of resources and scopes and allow you to extend Airtable, all while ensuring the highest grade of security.

Who is affected by this deprecation?

Anyone using API Keys will be affected by this change. This could be you as an end-user, or some other end-user for whom you have built an existing integration upon the Airtable API.

How will this change impact me if I have previously utilized API keys to connect third-party services with Airtable?

Third-party services need to migrate to using OAuth for authentication - many partners are already working on this.

It’s our recommendation that you contact the third-party services currently supporting API keys and request that they add OAuth support before our deprecation period ends. As a reminder, API keys can still be utilized until February 2024. So, until then, no direct action is needed to ensure that your existing integrations will work related to this change.

How do I start using OAuth?
  • As a user - After the third-party service has migrated to using OAuth, then you can re-connect with Airtable from the third-party website/app/etc.
  • As a developer - Please refer to this guide on how to implement OAuth with Airtable.
How will this change impact me if I have previously utilized API keys to connect or build API integrations with Airtable?

You will need to update your API integrations to use personal access tokens instead of API keys before February 2024.

How do I start using personal access tokens?

Personal access tokens can be created at https://airtable.com/create/tokens. After a PAT has been created, you can use it to authorize your API requests, replacing the way that API keys were used in the past. You can find more information in this guide.

If you are an enterprise admin, you can also create a personal access token for a service account from the Admin Panel.

Note
If you were previously passing your API key as a query parameter, you will also need to update your API requests to pass the personal access token via the HTTP authorization bearer header instead. More information is available here.
What can my personal access tokens access?

Unlike legacy API keys, which have the same access as your Airtable account, you can limit and configure the access of your personal access tokens. You can do this by selecting the scopes (what endpoints the token can use) and access/resources (which bases and workspaces the token can access) when creating or updating a token. 

Regardless of the scopes and access a user selects for their token, the token will only be able to perform actions that the user themselves is allowed to do. For example, to create a new field in a base via the API, the user must be a Creator collaborator in the base, plus the token must have the schema.bases:write scope and the base added as a resource. 

For more information about how scopes and access work, see the Authentication developer reference. For more information about configuring your token's access, refer to the personal access tokens guide.

What do I need to do?

We understand this is a big change, so we’ll be sending out more actionable details in the coming weeks to make this transition as smooth as possible. Keep a lookout for an email from team@mail.airtable.com soon (Mid-February 2023).

Was this article helpful?
What's Next