airtable.py icon indicating copy to clipboard operation
airtable.py copied to clipboard

Published 20 hours ago verified publisher icon pcorpet

Early heads up: switching away from user API keys

Open FredZhao-at opened this issue 2 years ago • 3 comments

Hi! I’m Fred, an engineer on the Airtable API team. I’m writing here to share some plans we have to move away from user API keys, with a goal of communicating it early so you have time to triage and prioritize work needed.

First, some context. We recently published a new developer doc site, and announced two new authentication methods, as well as new endpoints and capabilities those methods support: https://airtable.com/developers/web/api/changelog#anchor-2022-11-15

Since these new authentication methods (personal access tokens and OAuth integration access tokens) are much more secure than the current user API key authentication method, we are limiting the new endpoints and capabilities to only be available to the new methods.

The medium term plan is to deprecate user API keys. We are still working on the exact details, but the deprecation period will last 1 year, and we expect it to begin at the start of next year (Jan 2023).

Based on this we recommend preparing to support the new API token format:

  • If you currently validate tokens (e.g. with a regex like /^key[a-zA-Z0-9]{14}$/), start supporting the new personal access token key format as well (/^pat[a-zA-Z0-9]{14}\.[0-9a-f]{64}$/)
    • For airtable.py: From a quick scan, I don't think this applies, so I'm mentioning this point more for completeness
  • Update documentation mentions of “API key” to the more general “API key or access token”
    • For airtable.py: Consider updating the phrasing at https://github.com/josephbestjames/airtable.py#getting-started
    • For airtable.py: Also consider updating the link to the official docs at https://github.com/josephbestjames/airtable.py#api-reference to point to our new developer site 😄! https://airtable.com/developers/web/api/introduction

FredZhao-at avatar Dec 12 '22 17:12 FredZhao-at

It'd be nice if this project maintainer could acknowledge this, at least, and maybe merge some pull requests :)

iandouglas avatar Mar 31 '23 17:03 iandouglas

It is enough to change from the API key to the access token and everything will still work code side? (given the scope of the token is correct)

robsannaa avatar Jan 06 '24 15:01 robsannaa

@robertosannazzaro yes, it does work :)

astranchet avatar Jan 10 '24 10:01 astranchet