Are you writing your own custom extension? The issue of how developers should store sensitive data was discussed on the previous version of these forums when the SDK was first released. You can try to search the forum for how Airtable developers answered the issue.
Here is my take on the issue.
- Airtable record data is not appropriate for sensitive data.
- Custom extensions can interact with your own server external to the base and Airtable. Thus, you can store sensitive data on your own servers. Some developers of custom extensions and third party marketplace extensions use this technique.
- Global Config is one place to store data. Some existing custom extensions and marketplace extensions store sensitive data in global config.
- I have read mention of using session store or local store in theory. However, I do not recall anyone actually using them, and they are not good candidates for storing data, anyway, especially not sensitive data.
Note that the developer terms used to have limitations regarding storing Airtable API keys (but not other API keys). Those terms now state that extensions may not request or make use of a user's personal access token.