Controlling or Logging API Access plus

Brilliant_Admin · ‎Sep 23, 2019

I couldn’t find this in the documentation or answered on this forum.

I was recently brought in to get a handle on our organization’s technology. They use Airtable extensively and have a few zapier automation.

Recently a high-level employee was released from the company causing a security audit (by myself).

Which accounts (what level) can generate an API key?

Is there a way for admin accounts to view and control API access for accounts that are not their own? ie: I want to see all accounts that have generated an API and/or be able to delete and view any automation occurring across all bases in a workspace.

Thank you for any assistance.

Matthew Moran

Bill_French · ‎Sep 23, 2019

Hey Matthew! Welcome to the forum.

I can’t speak for Airtable, but I think this question probably needs to get the attention of someone inside (like @EvanHahn who will probably see this).

As for the API in general, keys are granted by user account only (as far as I know) and this is why I advise clients to create specific accounts for API use even though it costs a little more for the non-human user accounts.

For every API process I create, I also log all activity, typically to ElasticSearch or a security log specified by the client. I do this because I have no knowledge of any logging services maintained by Airtable.

Brilliant_Admin · ‎Sep 23, 2019

Thanks @Bill.French. That is my concern. I currently have an account for all API access. The problem is, if any user can create it, it becomes a challenge - both from a security point of view and in centralizing and maintaining automations.

Thanks for tagging an internal resource. I submitted a support request as well.

Controlling or Logging API Access plus

Invalid permissions accessing metadata API

Restricting Base Access

Access Control - Field level

Who's accessing my bases? Is there a log?

Script Management, Version Control, and GitHub