What is the recommended authentication method for server-side applications?

For server-side applications, scripts, and internal tools, Personal Access Tokens (PATs) are the recommended authentication method due to their granular permissions and direct access.

Are API Keys still supported by Airtable?

Airtable API Keys are deprecated. While they may still function for existing integrations, it is strongly recommended to migrate to Personal Access Tokens or OAuth 2.0 for improved security and control.

How do I get a Personal Access Token for Airtable?

You can generate a Personal Access Token by logging into your Airtable account, navigating to the developer hub or account settings, and creating a new token with specific scopes and base access permissions.

When should I use OAuth 2.0 for Airtable API authentication?

OAuth 2.0 should be used for third-party applications, public web applications, or mobile apps that need to access a user's Airtable data on their behalf without ever handling their direct credentials.

Can I restrict a Personal Access Token to a specific base or table?

Yes, Personal Access Tokens offer granular control. When creating a PAT, you can specify exactly which bases it can access and define permissions down to individual tables and record operations (read, write, schema).

What are scopes in Airtable API authentication?

Scopes define the specific permissions an application requests, whether using Personal Access Tokens or OAuth 2.0. They ensure that an application only has access to the data and actions it explicitly needs, adhering to the principle of least privilege.

How should I securely store my Airtable API credentials?

Airtable API credentials (PATs, OAuth Client Secrets) should be stored in secure, encrypted environments, such as environment variables, secret management services, or secure configuration files. Never hardcode them in public code repositories.

Airtable API Authentication: Methods and Best Practices (2026)

Airtable API authentication secures access to your bases and tables, ensuring data integrity and user authorization. It primarily supports personal access tokens for programmatic integrations and OAuth 2.0 for third-party applications requiring user consent. Understanding these methods is crucial for developers building on the Airtable platform.

Authentication overview

Airtable API authentication provides the mechanism to secure access to an Airtable base's data, schema, and related functionalities. It ensures that only authorized applications and users can interact with your Airtable data programmatically. The API utilizes standard authentication methods to manage access control, facilitating integrations while maintaining data security and privacy. All API requests to Airtable must be made over HTTPS to prevent interception of sensitive data and credentials, aligning with modern web security practices described by the World Wide Web Consortium on web security.

Proper authentication is fundamental for any application interacting with the Airtable platform, whether it's a server-side script, a client-side application, or a third-party integration. The choice of authentication method depends on the application's nature, its access requirements, and the level of user interaction involved. Airtable outlines detailed guidance on how to get started with the Airtable API, including authentication specifics.

Supported authentication methods

The Airtable API supports two primary authentication methods: Personal Access Tokens (PATs) and OAuth 2.0. Each method is designed for different use cases, offering varying levels of security and control.

Personal Access Tokens (PATs)

Personal Access Tokens are long-lived, alphanumeric strings that grant access to your Airtable account's resources. They are the recommended method for server-side applications, scripts, or integrations that do not require user interaction to grant access. PATs replace the older API Keys, which were deprecated due to their broader scope and reduced fine-grained control.

PATs offer granular permissions, allowing you to specify exactly which bases, tables, and types of actions (read, write, schema read, schema write) an application can perform. This principle of least privilege is crucial for limiting the potential impact of a compromised token.

OAuth 2.0

OAuth 2.0 is an authorization framework that allows third-party applications to obtain limited access to a user's Airtable account without exposing their credentials. It is the standard method for applications that integrate with Airtable on behalf of users, such as public web applications or mobile apps. OAuth 2.0 involves a multi-step flow where the user grants permission to the application, and the application receives an access token in return.

Airtable's OAuth implementation supports various grant types, typically focusing on the authorization code grant flow for web server applications. It also leverages scopes, which define the specific permissions an application requests, such as data.records:read or schema.bases:write. This ensures users have transparency and control over what data third-party applications can access and modify.

Deprecated API Keys

Historically, Airtable used API Keys for authentication. However, these keys were associated with an entire user account and could grant broad access, making them less secure for many modern integration scenarios. Airtable has deprecated the use of API Keys in favor of Personal Access Tokens and OAuth 2.0, which provide enhanced security and granular control. Existing integrations using API Keys should migrate to PATs or OAuth 2.0 as recommended by Airtable's API documentation.

Here's a comparison of the supported authentication methods:

Method	When to Use	Security Level	Credential Management
Personal Access Tokens (PATs)	Server-side scripts, internal tools, long-running integrations, automation.	High (with granular scopes)	Generated once, stored securely by the developer.
OAuth 2.0	Public web applications, mobile apps, third-party integrations requiring user consent.	Very High (user-delegated, short-lived tokens, refresh tokens)	Managed through a user authorization flow, access/refresh tokens.
API Key (Deprecated)	Legacy integrations (migration recommended).	Lower (broad access, tied to user account)	Generated once, stored by the developer.

Getting your credentials

The process for obtaining authentication credentials differs based on the chosen method.

For Personal Access Tokens (PATs)

Log In to Airtable: Access your Airtable account.
Navigate to Developer Hub: Go to the Airtable developer hub or your account settings.
Create a New Token: Locate the section for Personal Access Tokens and click to create a new token.
Define Scopes and Access: Specify the exact permissions (scopes) and the bases to which the token should have access. This is a critical step for security, adhering to the principle of least privilege.
Generate Token: Once configured, generate the token. Airtable will display it once. Copy it immediately and store it securely, as it cannot be retrieved again.

For OAuth 2.0

Register Your Application: Navigate to the Airtable developer console and register your application. You will typically need to provide an application name, description, and redirect URIs. This step will provide you with a Client ID and Client Secret.
Implement the Authorization Flow: Your application initiates the OAuth flow by directing the user to Airtable's authorization endpoint with the Client ID, requested scopes, and your redirect URI.
User Grants Permission: The user logs into Airtable (if not already logged in) and reviews the requested permissions. If they approve, Airtable redirects them back to your specified redirect URI with an authorization code.
Exchange Code for Tokens: Your application exchanges this authorization code for an access token and a refresh token by making a server-side request to Airtable's token endpoint, including your Client ID and Client Secret.
Store Tokens Securely: Store the access token (short-lived) and refresh token (long-lived) securely. Use the access token for API requests and the refresh token to obtain new access tokens when the current one expires.

Authenticated request example

Once you have obtained your Personal Access Token, you can include it in the Authorization header of your API requests. For OAuth 2.0, the process is similar, using the obtained access token.

Here's an example using cURL to list records from a specific table, authenticating with a Personal Access Token:

curl -v \
  https://api.airtable.com/v0/appXXXXXXXXXXXXXX/Table%201 \
  -H "Authorization: Bearer YOUR_PERSONAL_ACCESS_TOKEN"

Replace appXXXXXXXXXXXXXX with your actual Base ID and YOUR_PERSONAL_ACCESS_TOKEN with your generated Personal Access Token. The Base ID can be found in the Airtable API documentation for your specific base or within the URL when viewing your base.

For Python, using the requests library:

import requests

BASE_ID = "appXXXXXXXXXXXXXX"
TABLE_NAME = "Table 1"
PERSONAL_ACCESS_TOKEN = "YOUR_PERSONAL_ACCESS_TOKEN"

headers = {
    "Authorization": f"Bearer {PERSONAL_ACCESS_TOKEN}"
}

response = requests.get(f"https://api.airtable.com/v0/{BASE_ID}/{TABLE_NAME}", headers=headers)

if response.status_code == 200:
    print("Records:")
    for record in response.json().get("records", []):
        print(record.get("fields"))
else:
    print(f"Error: {response.status_code} - {response.text}")

Security best practices

Adhering to security best practices is essential when integrating with the Airtable API to protect your data and applications.

Never Expose Credentials: Personal Access Tokens and OAuth Client Secrets should never be hardcoded directly into client-side code (e.g., JavaScript in a browser) or committed to public version control systems. They should be stored as environment variables or in secure configuration management systems.
Use HTTPS Always: All API requests to Airtable are enforced to use HTTPS. Ensure your application's communication is also encrypted end-to-end to prevent man-in-the-middle attacks.
Principle of Least Privilege: Grant only the minimum necessary permissions to your PATs or OAuth applications. If an application only needs to read data from a specific table, do not grant it write access or access to other bases. Regularly review and adjust permissions as needed.
Rotate Credentials: Periodically rotate your Personal Access Tokens. For OAuth, ensure your refresh token rotation policy is robust. This limits the window of opportunity for an attacker if a credential is compromised.
Secure Storage: Store Personal Access Tokens and OAuth Client Secrets in secure, encrypted storage. Avoid storing them in plain text on disks or in easily accessible logs. Server-side applications should use secure environment variables or secret management services.
Error Handling and Logging: Implement robust error handling and logging for authentication failures. This can help detect unauthorized access attempts or misconfigurations. Be careful not to log sensitive credential information in error messages.
IP Whitelisting (if available/applicable): If your infrastructure allows, restrict API access to a specific set of IP addresses. While Airtable's API primarily relies on token-based authentication, adding network-level restrictions can provide an additional layer of security for internal systems.
Regular Audits: Periodically audit your Airtable integrations and the permissions granted to your tokens and applications. Remove any unused tokens or applications.

Airtable API Authentication: Methods and Best Practices (2026)

Authentication overview

Supported authentication methods

Personal Access Tokens (PATs)

OAuth 2.0

Deprecated API Keys

Getting your credentials

For Personal Access Tokens (PATs)

For OAuth 2.0

Authenticated request example

Security best practices

Frequently asked questions

Reviews

Discussion

Written by