If you search “Airtable API key,” you will find outdated guides pointing to a settings page that no longer exists. Airtable deprecated legacy API keys on February 1, 2024. The replacement is a Personal Access Token (PAT), which you create at airtable.com/create/tokens. PATs are more secure than the old API keys because you control exactly which bases a token can access and what it can do. This guide covers every step: creating the token, choosing the right scopes, finding your Base ID, testing with curl, and connecting your token to tools that automate Airtable workflows.
One thing that trips people up: “Airtable API key” and “Airtable Personal Access Token” are the same thing now. If a tool or tutorial asks for your “Airtable API key,” it wants a PAT. The old API keys stopped working entirely in February 2024, and there is no way to generate them anymore.
Step 1: Open the Token Creator
Go to airtable.com/create/tokens. Sign in with your Airtable account if prompted.
This takes you to the Personal Access Tokens page inside Airtable’s Developer Hub. You can also reach it by clicking your profile icon in the top right of any Airtable page, selecting Developer Hub, then clicking Personal access tokens in the left sidebar.
Click Create new token.
Step 2: Name Your Token and Select Scopes
Give the token a descriptive name. Something like “Zapier integration” or “Python read-only” works better than “test token” because you will forget what “test token” does in three months.
Next, add scopes. Scopes define what the token is allowed to do. Click Add a scope and select from the list.
Here are the scopes most developers need:
| Scope | What It Does | When You Need It |
|---|---|---|
| data.records:read | Read records from tables | Any read operation: fetching rows, syncing data, reporting |
| data.records:write | Create, update, delete records | Any write operation: adding rows, updating fields, deletions |
| data.recordComments:read | Read comments on records | If your integration reads record comments |
| data.recordComments:write | Add comments to records | If your integration posts comments |
| schema.bases:read | Read base structure (tables, fields, views) | If you need to discover table names or field types programmatically |
| schema.bases:write | Modify base structure | If you create or modify tables/fields via API |
| webhook:manage | Create and manage webhooks | If you need real-time notifications when data changes |
| user.email:read | Read your account email | Rarely needed; some OAuth flows require it |
Start with the minimum. If you only need to read data, select data.records:read and schema.bases:read. You can always edit the token later to add more scopes. Giving a token more permissions than it needs is the most common security mistake developers make with Airtable integrations.
Step 3: Choose Which Bases the Token Can Access
Under the Access section, click Add a base. You can grant access to specific bases or to an entire workspace.
For most integrations, select only the specific base you are working with. If you select an entire workspace, the token can access every base in that workspace, including ones added later. That is convenient but broad.
After selecting your base, click Create token.
Step 4: Copy Your Token Immediately
Your token appears on screen exactly once. Airtable does not store it and cannot show it again. If you close this page without copying, you have to delete the token and create a new one.
Copy the token and store it in a password manager or a .env file:
AIRTABLE_PAT="patXXXXXXXXXXXXXX.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Airtable PATs start with pat followed by a long alphanumeric string. If someone gives you a token that starts with key, that is a legacy API key and it will not work.
Step 5: Find Your Base ID
Every Airtable API call requires a Base ID. You find it in the URL of your base.
Open your base in Airtable. Look at the browser URL:
https://airtable.com/appXXXXXXXXXXXXXX/tblYYYYYYYYYYYYYY/viwZZZZZZZZZZZZZZ
The Base ID is the segment that starts with app. In this example, it is appXXXXXXXXXXXXXX. Copy that string.
You can also find Base IDs through the Airtable API documentation page. Select your base from the dropdown, and the documentation pre-fills all endpoints with your actual Base ID.
Step 6: Test Your Token With curl
Open a terminal and run this command, replacing the placeholders with your actual token and Base ID:
curl "https://api.airtable.com/v0/YOUR_BASE_ID/YOUR_TABLE_NAME?maxRecords=3" \
-H "Authorization: Bearer YOUR_TOKEN"
If the token and Base ID are correct, you get a JSON response with up to three records from the specified table.
A key difference from some other APIs: Airtable uses the Authorization: Bearer header, not a query parameter or custom header. Passing the token in the URL will not work.
If you get a 401 UNAUTHORIZED error, check three things:
- You copied the full token, not just the Token ID visible on the management page. The Token ID (a short string) is not the token itself.
- The token has the right scope. Reading records requires data.records:read.
- The token has access to the base you are querying. Tokens scoped to Base A cannot read Base B.
If you get a 404 NOT_FOUND error, the table name is likely wrong. Table names in the URL are case-sensitive and must be URL-encoded if they contain spaces (use %20 or the table ID instead).
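The checks above that can be made locally, written as an added example (not Airtable's code or part of the original guide). It catches a legacy key or a bare Token ID before any request is sent, URL-encodes the table name, and hands the Authorization header to curl on stdin so the token does not show up in the process list. The function names are this example's own, and the token shape is an assumption taken from the placeholder in Step 4.

```shell
#!/bin/sh
# Added example, not Airtable's code. Function names are this example's own.
# Token shape is assumed from the Step 4 placeholder: "pat" + ID, a dot, a secret.

# Classify a pasted credential: pat | legacy-key | token-id | unknown
classify_token() {
  case $1 in
    key*)    echo legacy-key ;;  # deprecated API key, disabled since Feb 2024
    pat*.?*) echo pat ;;         # ID and secret both present
    pat*)    echo token-id ;;    # only the short Token ID was copied
    *)       echo unknown ;;
  esac
}

# Percent-encode a table name for the URL path (ASCII names; otherwise use the tbl... ID)
urlencode() {
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}; s=$rest
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# Build the Step 6 URL; $1 = Base ID, $2 = table name or table ID
airtable_url() {
  case $1 in app?*) ;; *) echo "Base ID must start with app" >&2; return 1 ;; esac
  printf 'https://api.airtable.com/v0/%s/%s?maxRecords=3' "$1" "$(urlencode "$2")"
}

# Send the request and print only the HTTP status; reads AIRTABLE_PAT from the environment
airtable_check() {
  kind=$(classify_token "${AIRTABLE_PAT:-}")
  [ "$kind" = pat ] || { echo "AIRTABLE_PAT looks like: $kind" >&2; return 1; }
  url=$(airtable_url "$1" "$2") || return 1
  # The header reaches curl on stdin (-K -), so the token stays out of argv and ps output
  printf 'header = "Authorization: Bearer %s"\n' "$AIRTABLE_PAT" |
    curl -sS -K - -o /dev/null -w '%{http_code}\n' "$url"
}

# Offline demo on constructed values (no request is sent)
classify_token "keyEXAMPLE"
airtable_url appXXXXXXXXXXXXXX "Project Tasks"; echo
```

With AIRTABLE_PAT exported from your .env file, `airtable_check YOUR_BASE_ID "YOUR_TABLE_NAME"` prints the status code to compare against the 401 and 404 cases above.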
What to Do With Your Token Next
The token unlocks the Airtable API. What matters is what you connect it to.
If you are building an integration, install the official Airtable.js library:
npm install airtable
Or use Python with the pyairtable library:
pip install pyairtable
Both libraries accept your PAT as the API key parameter and handle authentication automatically.
If you want to automate Airtable workflows with an AI agent, connect your token to Openclaw. Openclaw is a personal AI agent that runs on your machine and connects through Telegram or WhatsApp. It can read and write Airtable records, trigger actions based on new entries, and manage cross-platform workflows that involve Airtable alongside other tools.
We have a dedicated guide for this: Connect Airtable to Openclaw walks through configuring your PAT in Openclaw’s environment file and setting up read/write automations.
Related API key guides if you are setting up multiple providers:
- How to Get Your OpenAI API Key
- How to Get Your Anthropic API Key
- How to Get Your Google Gemini API Key
Keeping Your Token Secure
PATs have access to your Airtable data. Treat them like database credentials.
Use environment variables, not hardcoded strings. Add your .env file to .gitignore. The most common way tokens leak is through Git commits that accidentally include credentials. Scanning tools like TruffleHog and GitGuardian flag Airtable PATs in public repositories, but by the time they catch it, the token may have already been used.
Apply minimum scope. A token that only needs data.records:read should not also have schema.bases:write. If the token leaks, narrow scopes limit the damage.
Rotate tokens periodically. Airtable lets you create multiple PATs. Create a new token, update your integration, verify it works, then delete the old one. There is no expiration setting on Airtable PATs (unlike some other providers), so rotation is a manual discipline.
Revoke tokens you no longer use. Go to airtable.com/create/tokens and delete any tokens tied to decommissioned projects. Dormant tokens are free targets.
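To stop a token before it reaches a commit rather than after a scanner finds it, here is a Git pre-commit hook as an added example (not code from the original guide or from TruffleHog or GitGuardian). It scans staged additions for PAT-shaped strings and blocks the commit if a .env file exists but is not ignored. The pattern is an assumption based on the placeholder in Step 4, and the sample diff inside is constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: a Git pre-commit hook.
# PAT_RE is an assumption taken from the Step 4 placeholder
# ("pat" + 14 characters, a dot, 64 characters), not an official spec.
PAT_RE='pat[A-Za-z0-9]{14}\.[A-Za-z0-9]{64}'

# Read a unified diff on stdin. Report each added line holding a PAT-shaped
# string by file name only (the token is never echoed). Returns 1 on any hit.
scan_added_lines() {
  file= hits=0
  while IFS= read -r line; do
    case $line in
      '+++ '*) file=${line#'+++ '}; file=${file#b/} ;;
      +*) if printf '%s\n' "$line" | grep -Eq "$PAT_RE"; then
            echo "possible Airtable PAT in $file"
            hits=$((hits + 1))
          fi ;;
    esac
  done
  [ "$hits" -eq 0 ]
}

# Constructed sample diff; the token is zero-filled, not a real credential
sample_diff() {
  printf '+++ b/config.js\n+const t = "pat%014d.%064d";\n' 0 0
  printf '+++ b/README.md\n+see docs\n'
}

# Hook body: scan staged changes, and refuse if .env exists but is not ignored
run_hook() {
  status=0
  git diff --cached -U0 | scan_added_lines || status=1
  if [ -e .env ] && ! git check-ignore -q .env; then
    echo ".env exists but is not covered by .gitignore"
    status=1
  fi
  return "$status"
}

# Runs only when installed as .git/hooks/pre-commit
case $0 in
  */pre-commit) run_hook || { echo "commit blocked" >&2; exit 1; } ;;
esac
```

Save it as .git/hooks/pre-commit and mark it executable; `sample_diff | scan_added_lines` shows the report format without touching a repository.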
Frequently Asked Questions
Where do I find my Airtable API key?
Go to airtable.com/create/tokens and create a Personal Access Token. The old “API key” section in Account settings was removed in February 2024. Any guide telling you to go to Account > API is outdated.
What happened to Airtable API keys?
Airtable deprecated legacy API keys starting January 2023 and fully disabled them on February 1, 2024. Legacy keys had the same permissions as your entire account, which was a security problem. Personal Access Tokens replaced them with granular scope and base-level access controls.
What scopes do I need for my Airtable token?
For most integrations, start with data.records:read and data.records:write. Add schema.bases:read if your code needs to discover table structure dynamically. Only add additional scopes when you have a specific need. The full list of scopes is visible when you create or edit a token at airtable.com/create/tokens.
How do I find my Airtable Base ID?
Open your base in Airtable and look at the URL. The Base ID is the segment starting with app, like appXXXXXXXXXXXXXX. You can also find it through the API documentation page by selecting your base from the dropdown.
Why is my Airtable token not working?
The three most common causes: you copied the Token ID instead of the full token string, the token lacks the required scope for your API call, or the token does not have access to the base you are querying. Check all three on the token management page. Also verify you are using Authorization: Bearer YOUR_TOKEN as the header format.
Can I use one Airtable token for multiple bases?
Yes. When creating the token, add multiple bases under the Access section, or grant access to an entire workspace. However, creating separate tokens per project is better practice. If one integration is compromised, you revoke that token without breaking other integrations.
Is the Airtable API free?
Airtable API access is included with all plans, including the free tier. The API is rate-limited to 5 requests per second per base. Higher-tier plans (Team, Business, Enterprise) do not increase the API rate limit, but they offer more records per base and more automation runs.
What is the difference between personal access tokens and OAuth in Airtable?
Personal Access Tokens are for individual use: your own scripts, automations, and integrations. OAuth is for third-party applications that need to access other people’s Airtable data with their permission. If you are building a tool only you will use, PATs are simpler. If you are building an app that other Airtable users will connect to, use OAuth.
Key Takeaways
- Legacy Airtable API keys stopped working in February 2024. Create a Personal Access Token at airtable.com/create/tokens instead.
- Select only the scopes you need. data.records:read and data.records:write cover most integrations. Add schema.bases:read if your code discovers table structure dynamically.
- Your Base ID is in the URL of your base (starts with app). You need it for every API call.
- The token is shown once when created. Copy it immediately and store it in a .env file or password manager.
- Test your token with a curl command before writing integration code. Use the Authorization: Bearer header format.
- Connect your token to Openclaw to automate Airtable workflows with an AI agent.
SFAI Labs