ngocnicholas / airtable.net

Airtable .NET API Client
MIT License

Support for New API Authentication Method #74

Closed nilvon9wo closed 1 year ago

nilvon9wo commented 1 year ago

I recently received the following email from Airtable:

> You’re receiving this reminder because you are an Admin on an Enterprise organization in which users may still be using a legacy Airtable API Key. Starting August 1, users will no longer be able to create new API keys.
>
> In January we launched new API authentication methods, personal access tokens and OAuth integrations, which are replacing legacy Airtable API keys. The timeline for the Airtable API key deprecation is below:
>
> - February 2023: Provided API Key deprecation notice
> - August 1st, 2023: Users will no longer be able to create new API keys
> - February 1st, 2024 (next year): Existing API keys cannot be used to access the Airtable API
>
> How does this impact your organization?
>
> API keys (and therefore, any integration that used them to connect with Airtable) will continue to work until February 1st 2024. However, to ensure continued access to the Airtable API, you will need to start exclusively using the new authentication methods before February 1st 2024.
>
> To support your migration, we have added an additional report in the Admin Panel under the Reports tab where you can see all users with API Keys across your organization. We have also emailed the users in your organization who have used the API in the last year with instructions about this deprecation.
>
> If you or a developer on your team has used an Airtable API key to build API integrations with Airtable, please migrate to using personal access tokens to authenticate your API requests before February 1st 2024. Your API key usage can be directly replaced with a personal access token provided as an Authorization: Bearer header.
>
> If your API Key use is with a third-party integration, we recommend using OAuth for authentication. Please note that we are working with our integration partners to migrate to OAuth. If you are unsure how to set up OAuth for a specific partner or OAuth is not currently available for that partner, we recommend you contact their team for details on when it will be available.

... So far as I can tell, this package only supports legacy Airtable API Keys.

tobyduncombe-ic commented 1 year ago

Pretty sure the latest version already works, you can see this issue here where the developer addresses it: https://github.com/ngocnicholas/airtable.net/issues/63

nilvon9wo commented 1 year ago

I read #62 and #63.... I don't find these texts entirely convincing. Yes, #62 does mention someone got the solution to work with a "personal access token" and I'm not clear whether those have the 2024 February cutoff, but the new authentication method is using OAuth and if OAuth is done correctly, there should not be a long-lived token.

Instead, there should be a process where a client id and a client secret are periodically sent to a token server to get a new token which is typically very short lived.

To be honest, I'm still trying to figure out how and even if AirTable's OAuth is working. If I understand correctly, for their process even before we call their token server, we need to call an authentication server and we need to include some "code" which I'm having trouble obtaining.

Perhaps if I were able to get the OAuth JWT token, I would be able to pass it in in place of either the API key or the personal access token, but even if this works, I would consider that an incomplete solution since each developer would need to rewrite for himself/herself the process of getting the JWT. Moreover, the process of collecting the JWT token should be integrated into the process of calling AirTable so the solution will efficiently reuse the JWT or fetch a new one as necessary.
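
Added example, not part of the thread and not airtable.net code: one way to fold token reuse and refresh into the request path, as the comment above asks for. `AccessToken`, `CachedBearerHandler` and the `fetchToken` delegate are hypothetical names, and how the token is actually obtained is left to the caller.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical types for illustration; not part of airtable.net.
public sealed record AccessToken(string Value, DateTimeOffset ExpiresAt);

public sealed class CachedBearerHandler : DelegatingHandler
{
    private readonly Func<CancellationToken, Task<AccessToken>> _fetchToken;
    private readonly TimeSpan _refreshSkew = TimeSpan.FromSeconds(60);
    private readonly SemaphoreSlim _gate = new(1, 1);
    private AccessToken? _cached;

    // fetchToken is supplied by the caller (assumption): for OAuth it would
    // exchange a refresh token at the provider's token endpoint; for a
    // personal access token it returns the same value with a far-off expiry.
    public CachedBearerHandler(Func<CancellationToken, Task<AccessToken>> fetchToken,
                               HttpMessageHandler? inner = null)
        : base(inner ?? new HttpClientHandler())
    {
        _fetchToken = fetchToken;
    }

    // A token counts as fresh only if it outlives the skew window.
    private bool IsFresh(AccessToken? t) =>
        t is not null && t.ExpiresAt - _refreshSkew > DateTimeOffset.UtcNow;

    private async Task<string> GetTokenAsync(CancellationToken ct)
    {
        var current = _cached;
        if (IsFresh(current)) return current!.Value;   // reuse while valid

        await _gate.WaitAsync(ct);                      // one refresh at a time
        try
        {
            // Re-check: another caller may have refreshed while we waited.
            if (!IsFresh(_cached)) _cached = await _fetchToken(ct);
            return _cached!.Value;
        }
        finally { _gate.Release(); }
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        request.Headers.Authorization =
            new AuthenticationHeaderValue("Bearer", await GetTokenAsync(ct));
        return await base.SendAsync(request, ct);
    }
}
```

The handler is used by passing it to `new HttpClient(handler)`; the token value itself should come from a secret store or environment variable rather than source code.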

wearysky commented 1 year ago

> Yes, https://github.com/ngocnicholas/airtable.net/issues/62 does mention someone got the solution to work with a "personal access token" and I'm not clear whether those have the 2024 February cutoff

According to the API Key deprecation notice, Personal Access Tokens and OAuth are both recommended replacements for the deprecated API keys.

nilvon9wo commented 1 year ago

As my use case feels entirely impersonal to me, and most comparable integrations I've done have used OAuth, I would have expected OAuth to be the correct replacement for our use case.

However, I've been in touch with AirTable support and they also seem to be suggesting we should use PAT. This seems counter-intuitive and causes me to doubt AirTable's security model, but I won't pretend to be a security guru.

If it is the case that PAT is correct for us, or at least the only AirTable supported option for our use case, I guess for the moment we won't need OAuth, but I expect at some point we may need to revisit this when someone with more authority than me tells AirTable they are doing things wrong.

ngocnicholas commented 1 year ago

It sounds like you're describing an issue with the underlying Airtable API, not with this Airtable.net API client, so I'm closing this issue. Please reopen if I'm misunderstanding.