[{"data":1,"prerenderedAt":483},["ShallowReactive",2],{"blog-is-safe/airtable":3},{"id":4,"title":5,"body":6,"category":451,"date":452,"dateModified":452,"description":453,"draft":454,"extension":455,"faq":456,"featured":454,"headerVariant":467,"image":468,"keywords":469,"meta":470,"navigation":471,"ogDescription":472,"ogTitle":468,"path":473,"readTime":474,"schemaOrg":475,"schemaType":476,"seo":477,"sitemap":478,"stem":479,"tags":480,"twitterCard":481,"__hash__":482},"blog/blog/is-safe/airtable.md","Is Airtable Safe? Security Review for Builders and Teams (2026)",{"type":7,"value":8,"toc":442},"minimark",[9,13,16,22,29,34,37,41,92,96,99,107,110,116,120,123,126,129,148,193,223,229,233,236,322,325,328,332,335,338,350,353,357,360,363,374,377,411,430,438],[10,11,12],"p",{},"Airtable processed a data exposure in December 2022 when a third-party analytics vendor leaked customer email addresses. Airtable itself was not breached, but the incident highlighted what many teams building on Airtable miss: the platform's security is solid at the infrastructure level, but the access model has sharp edges that require active configuration.",[10,14,15],{},"This review covers what Airtable does well, where it falls short, and the specific settings you need to check before storing anything beyond spreadsheet-equivalent data.",[17,18,19],"tldr",{},[10,20,21],{},"Airtable is safe for non-sensitive data on any plan. For PII, financial records, or health data: HIPAA requires Enterprise Scale with a signed BAA; PATs must be scoped and stored server-side; share links to sensitive views must stay private. The biggest real-world risks are leaked API tokens in code repos and overly permissive share links sent in Slack.",[23,24,26],"verdict-badge",{"verdict":25},"caution",[10,27,28],{},"Airtable is production-ready for most use cases, but requires explicit access control configuration. Default settings prioritize sharing ease over data restriction.",[30,31,33],"h2",{"id":32},"what-is-airtable","What Is Airtable?",[10,35,36],{},"Airtable is a cloud database platform used by teams to manage records, workflows, and data pipelines. Builders increasingly use it as a backend for internal tools and Softr apps, via its REST API. It is SOC 2 Type II certified and runs on AWS with encryption at rest (AES-256) and in transit (TLS 1.2+).",[30,38,40],{"id":39},"our-verdict","Our Verdict",[42,43,44,49,71,75],"pros-cons",{},[45,46,48],"h4",{"id":47},"what-airtable-gets-right","What Airtable Gets Right",[50,51,52,56,59,62,65,68],"ul",{},[53,54,55],"li",{},"SOC 2 Type II certified",[53,57,58],{},"AES-256 encryption at rest, TLS in transit",[53,60,61],{},"Personal Access Tokens with granular scope controls",[53,63,64],{},"SSO and SCIM on Business and Enterprise plans",[53,66,67],{},"Audit logs on Enterprise plans",[53,69,70],{},"Two-factor authentication available on all plans",[45,72,74],{"id":73},"where-things-go-wrong","Where Things Go Wrong",[50,76,77,80,83,86,89],{},[53,78,79],{},"Share links are public with no password protection below Enterprise",[53,81,82],{},"Legacy API keys (now deprecated) were base-wide and non-revokable per-base",[53,84,85],{},"HIPAA compliance locked to Enterprise Scale only",[53,87,88],{},"No row-level access control inside a base (you can't say \"user A sees rows 1-10, user B sees rows 11-20\")",[53,90,91],{},"Automation scripts run with the permissions of the creator, not the invoking user",[30,93,95],{"id":94},"the-share-link-problem","The Share Link Problem",[10,97,98],{},"Airtable's most common security failure has nothing to do with infrastructure. It's the share link sent in a Slack message.",[10,100,101,102,106],{},"When you share a View, Airtable generates a URL like ",[103,104,105],"code",{},"https://airtable.com/shrXXXXXXXXXXXXXX",". Anyone with that URL can see every record in that view. There is no login prompt, no expiry, and no revocation notification if the link gets forwarded. The only way to stop access is to delete the link.",[10,108,109],{},"If your view contains customer names, emails, phone numbers, or financial data, that share link is a data breach waiting to happen.",[111,112,113],"danger-box",{},[10,114,115],{},"Never send share links to views or bases containing PII, financial data, or anything you would not want publicly indexed. Google has indexed Airtable share links in the past when they were embedded in public pages.",[30,117,119],{"id":118},"api-key-exposure-airtables-most-common-real-world-incident","API Key Exposure: Airtable's Most Common Real-World Incident",[10,121,122],{},"Airtable deprecated legacy API keys in February 2024 and migrated users to Personal Access Tokens (PATs). The reason: legacy keys were base-wide credentials with no scope controls. A leaked key gave full read-write access to every base the workspace owner could see.",[10,124,125],{},"PATs are a meaningful improvement. You choose which bases the token can access and what permission level it has (commenter, editor, creator). A leaked read-only PAT scoped to one base limits the blast radius significantly.",[10,127,128],{},"But PATs are still commonly mishandled:",[50,130,131,134,137],{},[53,132,133],{},"Hardcoded in frontend JavaScript (visible in browser DevTools)",[53,135,136],{},"Committed to public GitHub repos (GitHub's secret scanning catches this, but only after the push)",[53,138,139,140,143,144,147],{},"Stored as plain text in ",[103,141,142],{},".env"," files that get committed when ",[103,145,146],{},".gitignore"," is misconfigured",[149,150,152],"code-block",{"label":151},"The wrong way (visible to anyone reading your JS bundle)",[153,154,159],"pre",{"className":155,"code":156,"language":157,"meta":158,"style":158},"language-javascript shiki shiki-themes github-light github-dark","// DO NOT DO THIS\nconst AIRTABLE_PAT = 'patXXXXXXXXXXXXXX.XXXXXXX';\nconst response = await fetch(`https://api.airtable.com/v0/${BASE_ID}/${TABLE}`, {\n  headers: { Authorization: `Bearer ${AIRTABLE_PAT}` }\n});\n","javascript","",[103,160,161,169,175,181,187],{"__ignoreMap":158},[162,163,166],"span",{"class":164,"line":165},"line",1,[162,167,168],{},"// DO NOT DO THIS\n",[162,170,172],{"class":164,"line":171},2,[162,173,174],{},"const AIRTABLE_PAT = 'patXXXXXXXXXXXXXX.XXXXXXX';\n",[162,176,178],{"class":164,"line":177},3,[162,179,180],{},"const response = await fetch(`https://api.airtable.com/v0/${BASE_ID}/${TABLE}`, {\n",[162,182,184],{"class":164,"line":183},4,[162,185,186],{},"  headers: { Authorization: `Bearer ${AIRTABLE_PAT}` }\n",[162,188,190],{"class":164,"line":189},5,[162,191,192],{},"});\n",[149,194,196],{"label":195},"The right way (PAT stays on the server)",[153,197,199],{"className":155,"code":198,"language":157,"meta":158,"style":158},"// server-side only (e.g., Vercel serverless function, Node.js backend)\nconst AIRTABLE_PAT = process.env.AIRTABLE_PAT; // set in your hosting env vars\nconst response = await fetch(`https://api.airtable.com/v0/${BASE_ID}/${TABLE}`, {\n  headers: { Authorization: `Bearer ${AIRTABLE_PAT}` }\n});\n",[103,200,201,206,211,215,219],{"__ignoreMap":158},[162,202,203],{"class":164,"line":165},[162,204,205],{},"// server-side only (e.g., Vercel serverless function, Node.js backend)\n",[162,207,208],{"class":164,"line":171},[162,209,210],{},"const AIRTABLE_PAT = process.env.AIRTABLE_PAT; // set in your hosting env vars\n",[162,212,213],{"class":164,"line":177},[162,214,180],{},[162,216,217],{"class":164,"line":183},[162,218,186],{},[162,220,221],{"class":164,"line":189},[162,222,192],{},[224,225,226],"tip-box",{},[10,227,228],{},"Create one PAT per integration, scoped to the minimum bases and permission level it needs. If a PAT leaks, you revoke just that token without touching other integrations.",[30,230,232],{"id":231},"hipaa-and-compliance-limits","HIPAA and Compliance Limits",[10,234,235],{},"Airtable's compliance coverage by plan:",[237,238,239,262],"table",{},[240,241,242],"thead",{},[243,244,245,249,253,256,259],"tr",{},[246,247,248],"th",{},"Plan",[246,250,252],{"align":251},"center","SOC 2 Type II",[246,254,255],{"align":251},"HIPAA BAA",[246,257,258],{"align":251},"SSO/SCIM",[246,260,261],{"align":251},"Audit Logs",[263,264,265,281,294,308],"tbody",{},[243,266,267,271,274,277,279],{},[268,269,270],"td",{},"Free",[268,272,273],{"align":251},"Yes",[268,275,276],{"align":251},"No",[268,278,276],{"align":251},[268,280,276],{"align":251},[243,282,283,286,288,290,292],{},[268,284,285],{},"Plus / Pro",[268,287,273],{"align":251},[268,289,276],{"align":251},[268,291,276],{"align":251},[268,293,276],{"align":251},[243,295,296,299,301,303,305],{},[268,297,298],{},"Business",[268,300,273],{"align":251},[268,302,276],{"align":251},[268,304,273],{"align":251},[268,306,307],{"align":251},"Limited",[243,309,310,313,315,317,319],{},[268,311,312],{},"Enterprise Scale",[268,314,273],{"align":251},[268,316,273],{"align":251},[268,318,273],{"align":251},[268,320,321],{"align":251},"Full",[10,323,324],{},"HIPAA requires a signed Business Associate Agreement (BAA). Airtable only signs BAAs with Enterprise Scale customers. If you are building for healthcare, do not store Protected Health Information (PHI) in Airtable unless you are on Enterprise Scale with a signed BAA.",[10,326,327],{},"The same applies to financial data subject to PCI DSS: Airtable is not a PCI-compliant datastore and should not be used to store raw card numbers or sensitive cardholder data on any plan.",[30,329,331],{"id":330},"no-row-level-access-control","No Row-Level Access Control",[10,333,334],{},"This is the structural limitation that surprises most builders: Airtable has no native row-level access control inside a base.",[10,336,337],{},"If you give User A \"Editor\" access to a base, User A can see and edit every record in every table. You cannot configure policies like \"user sees only records where email = their email.\" The only workaround is:",[339,340,341,344,347],"ol",{},[53,342,343],{},"Separate bases per user or per data segment (operationally painful)",[53,345,346],{},"Build your own API proxy that filters records before returning them (requires backend development)",[53,348,349],{},"Use a platform like Softr that adds a user-context layer on top of Airtable (but Softr's security depends on correct configuration there)",[10,351,352],{},"If your use case requires per-user data isolation, Airtable's native sharing model is not the right tool. Consider Supabase (which has Row Level Security) or a traditional database.",[30,354,356],{"id":355},"airtable-automations-and-script-security","Airtable Automations and Script Security",[10,358,359],{},"Airtable automations can run custom JavaScript via the \"Run a script\" action. These scripts execute on Airtable's infrastructure and can access base records, call external APIs, and send HTTP requests.",[10,361,362],{},"Key security considerations:",[50,364,365,368,371],{},[53,366,367],{},"Scripts run with the permissions of the user who created the automation, not the user who triggered it",[53,369,370],{},"External API calls from scripts can embed secrets in the script code itself (visible to any base collaborator with creator access)",[53,372,373],{},"There is no secrets manager built into Airtable automations; secrets in script code are stored as plain text in the automation config",[10,375,376],{},"If your automations call external services, avoid embedding API keys directly. Use a serverless function or proxy as the intermediary, and pass only non-sensitive identifiers from the automation.",[378,379,380,387,393,399,405],"faq-section",{},[381,382,384],"faq-item",{"question":383},"Is Airtable safe for sensitive data?",[10,385,386],{},"It depends on the data type and your plan. Airtable is SOC 2 Type II certified and encrypts data at rest and in transit. HIPAA compliance is only available on Enterprise Scale plans with a signed BAA. For PII or financial data on lower plans, Airtable is usable but requires strict access controls, scoped PATs, and no public share links on sensitive bases.",[381,388,390],{"question":389},"Is Airtable HIPAA compliant?",[10,391,392],{},"Only on the Enterprise Scale plan with a signed BAA. Free, Plus, Pro, and Business plans are not HIPAA compliant. Do not store PHI in Airtable unless you are on Enterprise Scale with a signed BAA in place.",[381,394,396],{"question":395},"What is an Airtable Personal Access Token and is it safe?",[10,397,398],{},"A Personal Access Token (PAT) replaced legacy API keys in February 2024. PATs are safer because you can scope them to specific bases and permission levels (commenter, editor, creator). A leaked PAT only exposes what it was scoped to. Store PATs in server-side environment variables, never in client-side code or public repos.",[381,400,402],{"question":401},"Can anyone access my Airtable data through a share link?",[10,403,404],{},"If you share a View link, anyone with the link can see all data in that view with no login required. Airtable does not offer password protection on share links below Enterprise. Never share links to views or bases containing sensitive data.",[381,406,408],{"question":407},"Was Airtable ever hacked?",[10,409,410],{},"In December 2022, Airtable disclosed that some customer account data (primarily email addresses) was exposed through a third-party analytics vendor. Airtable itself was not breached directly. The company notified affected users and rotated credentials. No base record data was reported as exposed in that incident.",[412,413,414,420,425],"related-articles",{},[415,416],"related-card",{"description":417,"href":418,"title":419},"How to secure Softr apps that use Airtable as their backend database","/blog/guides/softr","Softr Security Guide",[415,421],{"description":422,"href":423,"title":424},"No-code security guide for Bubble.io apps with privacy rules and API protection","/blog/guides/bubble","Bubble Security Guide",[415,426],{"description":427,"href":428,"title":429},"Multi-tenant security checklist covering access control, secrets management, and compliance","/blog/checklists/saas-security-checklist","SaaS Security Checklist",[431,432,435],"cta-box",{"href":433,"label":434},"/","Start Free Scan",[10,436,437],{},"Building on Airtable? Scan your connected backend for exposed API keys, misconfigured CORS, and other vulnerabilities.",[439,440,441],"style",{},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":158,"searchDepth":171,"depth":171,"links":443},[444,445,446,447,448,449,450],{"id":32,"depth":171,"text":33},{"id":39,"depth":171,"text":40},{"id":94,"depth":171,"text":95},{"id":118,"depth":171,"text":119},{"id":231,"depth":171,"text":232},{"id":330,"depth":171,"text":331},{"id":355,"depth":171,"text":356},"is-safe","2026-05-12","Honest Airtable security review. API key exposure, share link risks, HIPAA limits, and what you need to lock down before storing real user data in Airtable.",false,"md",[457,459,461,463,465],{"question":383,"answer":458},"It depends on the data type and your plan. Airtable is SOC 2 Type II certified and encrypts data at rest and in transit. HIPAA compliance is only available on Enterprise Scale plans. For PII or financial data on lower plans, Airtable is usable but requires strict access controls, scoped PATs, and no public share links on sensitive bases.",{"question":389,"answer":460},"Only on the Enterprise Scale plan with a signed BAA (Business Associate Agreement). Free, Plus, Pro, and Business plans are not HIPAA compliant. Do not store PHI on Airtable unless you are on Enterprise Scale with a signed BAA.",{"question":395,"answer":462},"A Personal Access Token (PAT) replaced legacy API keys in February 2024. PATs are safer because you can scope them to specific bases and permission levels (read-only, create, edit, delete). A leaked PAT only exposes what it was scoped to. Store PATs in environment variables, never in client-side code or public repos.",{"question":401,"answer":464},"If you share a View link, anyone with the link can see all data in that view with no login required. If you share a Base link with Editor access, they can edit records. Airtable does not offer password protection on share links below Enterprise. Never share links to bases or views containing sensitive data.",{"question":407,"answer":466},"In December 2022, Airtable disclosed that some customer account data (primarily email addresses) was exposed through a third-party data analytics vendor. Airtable itself was not breached directly. The company notified affected users and rotated credentials. No base record data was reported as exposed in that incident.","amber",null,"is airtable safe, airtable security, airtable api key exposure, airtable hipaa, airtable personal access token, airtable share link security",{},true,"Airtable security review. API key exposure, overly permissive share links, HIPAA limits, and what to fix before storing real user data.","/blog/is-safe/airtable","8 min read","[object Object]","Article",{"title":5,"description":453},{"loc":473},"blog/is-safe/airtable",[],"summary_large_image","BmT1cahM8_XWWM6kiz72ZuSIgBgmaOrd1hwJEmK0GTc",1778630672254]