Can I use the Airtable API securely from the browser?

I was hoping to use Airtable as a lightweight, convenient prototyping backing store for my web application, with the nice bonus that it’s usable by non-technical admins as a sort of admin UI. However, it seems like there’s no secure way to make that work if I want my app to be able to upload user-created content through the API.

I want app users to be able to create a new record in my base. I can do this using a custom form and the airtable API (through the javascript client) – however, I need to keep the API_KEY in the client-side javascript. That might be OK except that AFAIK there’s no write-only permission available; the Editor permission also comes with delete and list permissions. That means anybody with my API key can easily delete all my records.

Obviously, that’s a non-starter. Am I missing something, or is Airtable simply not intended for this use case?

(I realize I can use an embedded form to submit to the table, but unfortunately that’s not an option for me as I need to do custom styling and validation on the form.)

Indeed, this is a true statement, so you should never publish your API key into public-facing pages on the interwebs.

One approach (and there are many) is to embed the API key into a server-side resource that is protected from direct and open Internet access. But in a manner that it is also readable by the client-side app. This is non-trivial to configure and host, but it is the only way for web clients to engage directly in conversations with the Airtable API. Google Apps Script and Firebase hosting services support this relatively easily but requires some server-side development and javascript skills.

Another approach is to push all Airtable interchanges down into the server and have the client app remain focused only on the rendering of the Airtable data. This is also typically more performant because server-to-server communications are generally faster and can take advantage of caching that is not so easily available in clients per-se. Since the API is utilized in the safe and secure climate of the server, there’s no risk of exposing it to the open internet.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.