
Early heads up: switching away from user API keys

Open FredZhao-at opened this issue 2 years ago • 8 comments

Hi! I’m Fred, an engineer on the Airtable API team. I’m writing here to share some plans we have to move away from user API keys, with a goal of communicating it early so you have time to triage and prioritize work needed.

First, some context. We recently published a new developer doc site, and announced two new authentication methods, as well as new endpoints and capabilities those methods support: https://airtable.com/developers/web/api/changelog#anchor-2022-11-15

Since these new authentication methods (personal access tokens and OAuth integration access tokens) are much more secure than the current user API key authentication method, we are limiting the new endpoints and capabilities to only be available to the new methods.

The medium term plan is to deprecate user API keys. We are still working on the exact details, but the deprecation period will last 1 year, and we expect it to begin at the start of next year (Jan 2023).

Based on this, we recommend preparing to support the new API token format:

  • If you currently validate tokens (e.g. with a regex like /^key[a-zA-Z0-9]{14}$/), start supporting the new personal access token key format as well (/^pat[a-zA-Z0-9]{14}\.[0-9a-f]{64}$/)
    • For airrecord: From a quick scan, I don't think this applies, so I'm mentioning this point more for completeness
  • Update documentation mentions of “API key” to the more general “API key or access token”
    • For airrecord: Since https://github.com/sirupsen/airrecord#authentication currently references API keys, consider updating the language here. Please also feel free to point to our developer docs on this topic too: https://airtable.com/developers/web/api/authentication

FredZhao-at avatar Dec 12 '22 16:12 FredZhao-at
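An added example (not part of the original issue or of the airrecord code base): a Ruby check that accepts both token formats quoted in the post above. The module and method names are hypothetical; the two patterns are the ones given in the post, rewritten with `\A`/`\z` because Ruby's `^` and `$` match at every line boundary rather than only at the ends of the string.

```ruby
# Added example. Patterns are taken from the post; all names are hypothetical.
module AirtableCredential
  # \A and \z anchor the whole string. With ^ and $ Ruby would also accept
  # "keyXXXXXXXXXXXXXX\nanything", which matters if the value is later
  # placed into an HTTP header or a log line.
  LEGACY_KEY = /\Akey[a-zA-Z0-9]{14}\z/
  PAT        = /\Apat[a-zA-Z0-9]{14}\.[0-9a-f]{64}\z/

  module_function

  # Returns :legacy_api_key, :personal_access_token, or nil for anything else.
  def classify(token)
    return nil unless token.is_a?(String)

    case token
    when LEGACY_KEY then :legacy_api_key
    when PAT        then :personal_access_token
    end
  end

  # Safe representation for logs and error messages: never echoes the secret.
  def redact(token)
    kind = classify(token)
    kind ? "[redacted #{kind}]" : "[unrecognized credential]"
  end

  # Raises on malformed input and returns the credential kind otherwise,
  # so callers can warn about keys that are scheduled for deprecation.
  def validate!(token)
    classify(token) or raise ArgumentError, "invalid Airtable credential: #{redact(token)}"
  end
end

if __FILE__ == $PROGRAM_NAME
  sample_key = "key" + "A" * 14                   # constructed, not a real key
  sample_pat = "pat" + "b" * 14 + "." + "0" * 64  # constructed, not a real token
  [sample_key, sample_pat, sample_key + "\nX-Extra: 1"].each do |t|
    puts "#{AirtableCredential.redact(t)} -> #{AirtableCredential.classify(t).inspect}"
  end
end
```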

@FredZhao-at I'm not actively using this gem. Can Airtable please make these updates? Thanks

sirupsen avatar Dec 12 '22 16:12 sirupsen

@sirupsen ah, thanks for the super prompt reply! As you probably saw, I also created #95. Let me mention this to the rest of my team. In the meantime, is this repo still being actively maintained?

FredZhao-at avatar Dec 12 '22 16:12 FredZhao-at

@FredZhao-at there's a friendly few people who help maintain it, mostly by reviewing/merging, but no-one is AFAIK actively working on it and going to be available to make these changes

sirupsen avatar Dec 12 '22 21:12 sirupsen

hi @sirupsen do you know if someone is working to fix what's needed for it to work to authenticate with the new method? or is there a plan to update this?

lurimendes avatar Feb 28 '23 05:02 lurimendes

> hi @sirupsen do you know if someone is working to fix what's needed for it to work to authenticate with the new method? or is there a plan to update this?

It already works, you can start using a PAT or OAuth access token without any changes needed. The Authorization header format is the same. I fired some requests using a PAT and they worked.

goksan avatar Feb 28 '23 11:02 goksan

Oh ok. That's great to hear. Thanks for that, @goksan.

lurimendes avatar Mar 01 '23 01:03 lurimendes

Hi, I've started to create the documentation on using PAT, and it actually worked as @goksan mentioned before.

https://github.com/sirupsen/airrecord/pull/101 here is the PR. If something is not enough, please let me know.

cloudsbird avatar Mar 13 '23 06:03 cloudsbird

Hello :) Is there any plan to integrate Airtable OAuth in this gem? I found this example in NodeJS: https://github.com/Airtable/oauth-example

EDIT: I found this gem that could do the job with Omniauth, will try to see if I can make it work: https://github.com/kwent/omniauth-airtable

yann120 avatar Sep 15 '23 08:09 yann120