For those I haven’t met, I’m Sean, an engineer on the Airtable API team.
Today our team is excited to announce the public beta (it’s public – so no need to sign up!) of several new API authentication features to make our API more secure for all our users. Bundled with them are the (long-requested!) metadata API, comments API, and webhook API.
And one more feature (my personal favorite): a new publicly accessible API docs site to learn about all of these in more exciting detail! Airtable Web API
Additionally, we plan to announce a deprecation timeline for user API keys when these more secure authentication methods (personal access tokens and OAuth integrations) graduate from public beta to general availability. Per our deprecation guidelines, there will be a notice period of at least 12 months (from the date of that future announcement) before the deprecation is enforced.
This public beta is just the beginning! We plan on continuing to add new features and update existing ones based on your feedback.
Learn more from our updated API docs and then try it for yourself — and, if you have any questions, don’t hesitate to ask here,
Sean, on behalf of the Airtable API Team
Hi Lean, I can confirm that myself and other users are able to create tokens without code_challenge_method.
While I can’t diagnose your problem without access to your client_id (not that I’m asking you to post it publicly) a few possibilities come to mind:
Firstly, awesome work on all these changes, especially webhooks!
Some feedback on the OAuth consent screen: it’s very easy to miss the small ‘Add a base’ button. I feel like a lot of users will breeze past it and just click ‘Authorize’.
In that case, does the access token get access to all their workspaces or none of them? I’m assuming it’s none, in which case I think that button needs to be much more prominent.
Here’s the Webflow OAuth consent screen as a comparison - it’s not perfect but the list of workspaces is much clearer.
Thanks for confirming that it is not required, Will. I have sent you a private message with the client id to see if you can verify if the problem is related to the bug. I can confirm that 2, 4 and 5 are not the problem and will double check 3, but the same logic is working fine with other services, so it is probably not that either.
Hi @Ruchika_Abbi1, thanks for your question… Old apps will continue working with API keys (no need to change anything there… we will check if we can allow users to replace old keys with tokens). For the new apps we will be using OAuth, as it’s way better in many ways… We are now in the evaluation step and will start implementing soon.
Agree with Andy, it’s very easy to miss, and if without it there is no access it should at least be required… or way bigger :slightly_smiling_face:
Hi! A quick question about the new PAT tokens (RAS syndrome :frowning_face: ). Do they expire after a set time? If not, what are the conditions for them to stop working and require regeneration? Are there plans in the future to implement a set expiration date?
Also, slightly unrelated, do API keys expire?
When the API key is deprecated will I lose access to all my third party integrations?
Third party apps like Airtable just ask for a Web API key and don’t accept the new tokens.
(I also sent you a DM with more info) After some investigation I believe the issue is actually that our example repo had insufficient error-handling and was making requests for a token after the /authorization request had been denied.
I’ve updated the example repo and will work to improve the error handling here from our servers.
Noted! There is an update coming soon that will require users to add at least one base or workspace when it is required for the integration to work.
We don’t know yet when API keys will be deprecated, but we will have a warning of at least a year. That should give you enough time to update your third party integrations with new connections.
Although some third party apps do not allow you to change an existing token, they usually allow creating a new connection with a new token, and you can switch the integration to the new connection.
If you are concerned that a specific 3rd party service does not allow switching connections, you can contact them and let them know that they should implement that feature. They will have at least a year to do so.