Sep 23, 2019 07:29 AM
I couldn’t find this in the documentation or answered on this forum.
I was recently brought in to get a handle on our organization’s technology. They use Airtable extensively and have a few Zapier automations.
Recently a high-level employee was released from the company, causing a security audit (by myself).
Which accounts (what level) can generate an API key?
Is there a way for admin accounts to view and control API access for accounts that are not their own? I.e., I want to see all accounts that have generated an API and/or be able to delete and view any automation occurring across all bases in a workspace.
Thank you for any assistance.
Matthew Moran
Sep 23, 2019 11:27 AM
Hey Matthew! Welcome to the forum.
I can’t speak for Airtable, but I think this question probably needs to get the attention of someone inside (like @EvanHahn who will probably see this).
As for the API in general, keys are granted by user account only (as far as I know) and this is why I advise clients to create specific accounts for API use even though it costs a little more for the non-human user accounts.
For every API process I create, I also log all activity, typically to Elasticsearch or a security log specified by the client. I do this because I have no knowledge of any logging services maintained by Airtable.
Sep 23, 2019 11:31 AM
Thanks @Bill.French. That is my concern. I currently have an account for all API access. The problem is, if any user can create it, it becomes a challenge - both from a security point of view and in centralizing and maintaining automations.
Thanks for tagging an internal resource. I submitted a support request as well.