Tool to manage API access with granular permissions

Hi, I’m a little lost with where to start looking for a simple tool that allows me to create a permission-based API on top of my Airtable data.

I’m looking to enable an external collaborator to request the availability of a certain set of products. For that I would like to limit the user to

  1. Read only access
  2. A set of records via a view or filter
  3. A set of fields

This is a small-scale experiment and I would prefer a quick-to-set-up and free solution.

I have looked at nocodeapi.com, which looks great but it doesn’t appear to support the permissions I’m looking for.

Thanks for your input! 🙂

Hi @Ricardo,

You could do all of that for free with Airtable’s interfaces. It would be free if you keep the user as read-only access. You can limit them to just the records that you want them to see, and just the fields you want them to see.

If they need to edit/submit something, you could also do it for free through an Airtable form or through Fillout, both of which are free.

Otherwise, for anything more advanced, you’d have to look at external portal tools which can be pricey, such as Noloco, Softr, JetAdmin, or Glide.

I give a brief tutorial of Noloco on this episode of the BuiltOnAir podcast. And I also presented a full one-hour webinar on Noloco called Building a Client Portal on Noloco powered by Airtable.

1 Like

Thanks for your detailed feedback @ScottWorld. I’m afraid I wasn’t specific enough, I’m looking for a way to do so through an API call. The idea is for the external partner to make a get call to retrieve availability as part of an automated workflow, but only for a certain set of permissions (records, rights).

Ah, I see!

The good news is that all of Airtable’s API calls are done through an Airtable user account, so you can set up a user account that is restricted to only the certain privileges that you want that user to have — such as creating records in a table, deleting records in a table, editing certain fields in a table, or adding new values to single-select and multi-select fields.

But the bad news is that Airtable doesn’t offer any permissions to limit record viewing or field viewing. Once the user has API access to a table, they can see ALL the fields and ALL the records.

One potential workaround for this might be to sync a limited number of records & fields using Airtable’s sync feature to a destination sync table in another base, and then give the user access to just that destination base. But the problem is that destination sync tables can never be edited through the API, so it would always be read-only access.

However, if you’re only doing GET calls, then that would be all you need, and that could be a good solution for you.

Beyond that, I’m not familiar with any 3rd-party apps that let you easily build your own API on top of Airtable’s API, but my guess is that if you know how to write programming code, you could probably develop your own API. Here’s an interesting article that I found on the Postman website: How to Build an API | Postman Blog

1 Like
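An added example, not code from any poster in this thread: a sketch of the "develop your own API" idea above, as a read-only facade that pins the Airtable view and field list on the server side and re-filters the response before it leaves. The policy values, IDs, function names and the `fetch` callable (which stands for the HTTP GET made with a server-held Airtable token) are all hypothetical.

```python
import json
from urllib.parse import urlencode, quote

# Hypothetical policy for one partner; every ID and name here is a constructed placeholder.
POLICY = {
    "base_id": "appEXAMPLE000000",
    "table": "Products",
    "view": "Partner availability",           # record scope is pinned to this view
    "fields": ("SKU", "Name", "Available"),   # field allowlist
}

def build_upstream_url(policy, caller_params):
    """Build the Airtable list-records URL from the policy only.
    The caller can influence nothing except the paging offset."""
    query = [("view", policy["view"])]
    query += [("fields[]", f) for f in policy["fields"]]
    offset = caller_params.get("offset")
    if isinstance(offset, str) and offset:
        query.append(("offset", offset))
    return "https://api.airtable.com/v0/{}/{}?{}".format(
        policy["base_id"], quote(policy["table"], safe=""), urlencode(query))

def project_response(policy, upstream_body):
    """Re-filter the upstream JSON so only allowlisted fields leave the proxy."""
    data = json.loads(upstream_body)
    allowed = set(policy["fields"])
    out = {"records": [
        {"id": r["id"],
         "fields": {k: v for k, v in r.get("fields", {}).items() if k in allowed}}
        for r in data.get("records", [])]}
    if "offset" in data:
        out["offset"] = data["offset"]
    return out

def handle(method, caller_params, fetch):
    """Read-only entry point: non-GET requests are refused before the token is used.
    `fetch(url)` is assumed to add the Authorization header and return the body text."""
    if method != "GET":
        return 405, {"error": "read-only endpoint"}
    body = fetch(build_upstream_url(POLICY, caller_params))
    return 200, project_response(POLICY, body)

# Constructed upstream response that includes a field the partner must not see.
SAMPLE = json.dumps({"records": [
    {"id": "recA", "createdTime": "2024-01-01T00:00:00.000Z",
     "fields": {"SKU": "P-1", "Name": "Widget", "Available": 12, "Cost": 3.5}}]})

if __name__ == "__main__":
    print(handle("GET", {"view": "All products", "fields[]": "Cost"}, lambda url: SAMPLE))
```

The partner only ever receives a credential for the facade; the Airtable token, which can read the whole table, stays on the server.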

Thanks @ScottWorld, that’s not what I thought of and in fact a much simpler and robust work-around that gets the job done. 🙂

PS: I also didn’t realize that read-only collaborators are free and will start utilizing this in our interface, too.

2 Likes

You’re welcome! Glad I could help! 🙂

Bit of a plug but my app may be good for this. You could:

  1. Connect to your Airtable table and the view you want the API caller to get the data for
  2. Use the app to restrict to only certain columns
  3. Switch output mode to JSON

Then you have an API endpoint which should give all the live data you need: read-only, no pagination.

Happy to explain more if interested.

1 Like

Thanks @Gavin, could you link to a doc that describes the API use case? It seems the focus is on *csv / document output.

Hey @Ricardo. I wrote this up for you. You could use CSVGetter to select a view and lock down which fields you want in the API output. Everything will be JSON and read-only. This may not fit your use case! But I add features all the time so let me know if it can be modified to solve your issues:

1 Like