How to connect to AirTable via OAuth?

I'm trying to connect ReTool to AirTable using OAuth. The problem is that the ReTool documentation for how to do so is outdated. AirTable discontinued API Keys as of February 1, 2024. Instead, it requires using personal access tokens or OAuth.

I've tried working off of the Google OAuth documentation. So far, I've managed to set up a Client ID and scope while following AirTable's documentation. I've also randomly generated a state, code_challenge, and code_challenge_method as per their documentation, using Python. In ReTool, I've then set the following parameters for the AirTable resource:

  • Base URL: https://api.airtable.com/v0/
  • Headers: Authorization: Bearer OAUTH2_TOKEN, state: aj2pvF-XvoquX6OKYfiMGKMnO4eHWkFu, code_challenge: PGU5OF_2gIILRlzNKxHEqa7FdJCeYDkvUcU4eWDyVcA, code_challenge_method: S256
  • Authentication: OAuth 2.0
  • Authorization URL: Sign in - Airtable
  • Access token URL: https://airtable.com/oauth2/v1/token
  • Client ID: [created in AirTable]
  • Client Secret: [created in AirTable]
  • Scopes: data.records:write
  • Share credentials between users: checked

However, while I'm able to see an OAuth request page asking to authorize, it then gives me the error: 502 (Bad Gateway). Other times, it says both the code_challenge and code_challenge_method are required (but I'm entering it in?)

I don't see these fields in the REST API resource creation, like I do with the others. What would I put for these values, and where would I put them? (under Headers? URI Parameters?)

Bump

Update: I gave up trying to use OAuth. While I managed to successfully retrieve the code from the generic OAuth 2 flow in ReTool, there was no way for me to make the subsequent POST call to fetch the access token besides manually running a test API request. In the custom Auth flow, in particular, you can only access the code after the browser gets redirected, but I couldn't figure out how to trigger that within retool.

Thus, I switched to Personal Access Tokens, which works for now.

I'd recommend ReTool updates their OAuth functionality to support AirTable's new implementation!

Hello @Jeffrey_Yu!

Thanks for bringing the AirTable integration to our attention, I will look into their new docs and update ours to reflect their change from API keys to PATs/OAuth :smiley:

I am curious about how you resolved the 502 Error, and the code_challenge / code_challenge_method errors.

I am glad you were able to get things working with a PAT from AirTable! I am a little confused on the issues between Google's OAuth 2 not providing you with a token besides you needing to run a 'test API request'.

Custom auth is different but there shouldn't be a need for you to trigger a browser redirect after you sign-in to a popup modal.

If you could provide screenshots/Loom videos that would be very helpful for me to find the gaps between the instructions in the docs and your experience.

Also if you want to drop by our office hours we can go over how updated OAuth functionality could solve these issues! :sweat_smile:

Great, thank you Jack!

I solved the 502 error by changing the authorization link. Instead of just putting Sign in - Airtable, I needed to put all the additional authorization queries in ReTool's OAuth 2.0 Authorization URL box, like:

https://airtable.com/oauth2/v1/authorize?client_id=xxx&redirect_uri=https://oauth.retool.com/oauth/user/oauthcallback&response_type=code&scope=data.records:read%20data.records:write&state=xxxx&code_challenge=xxxx&code_challenge_method=S256

as you can see here (I've omitted the client_id for privacy purposes)

This is because there are some queries (like code and code challenge) which aren't automatically included, like with ClientID and Client Secret.

Now, this is what happens after you get past that page. It seems to work just fine at first, with confirmation pages:

After these two pages, I get redirected to this error screen. After some checking of the documentation, I've learned that the code is actually sneakily located in this URL! (which I've omitted at the top)

The problem is that I'm unable to "pass" in this code anywhere in the Auth flow for generating refresh tokens and so forth. The tokens page is read-only.

That's using ReTool's OAuth 2.0 in-built implementation.

Now, for Custom Auth, when I run a test query, it's successful, but I'm unable to get the URL with the code value that results from the redirect.

I have a feeling this is because there is no way to "redirect" in this custom flow via a browser. In the official AirTable documentation, it says:

After authorization, the user’s browser is redirected back to the redirect URI passed in the authorization request. When successful, you receive the following query parameters in the request.

Where I'm getting stuck is, I'm unable to pass on this code value to the rest of the custom auth flow.

I also tried switching it from an API Request into a Generic OAuth call via the Custom Flow. However, when I do this, it doesn't let me pass in additional query parameters via the URL:


I used the exact same credentials as I did on the other Generic OAuth page.

Also, didn't realize there were Office Hours. That's super helpful -- unfortunately, 11 am PST is 4 am in my Asia timezone :smiling_face_with_tear: :sweat_smile: so unfortunately I can't make those. I appreciate the help though!

Hey @Jeffrey_Yu!

This is very odd, it looks like you set up everything correct. Thank you for all the details and screenshots.

Unfortunate that the timezone difference prevents us from live debugging with you :smiling_face_with_tear:

Have you tried setting up the Airtable Auth using a PAT? Using their docs here you might be able to use the PAT to get access to your Airtable data follow this.

We are going to try to reproduce this bug, unfortunately 422 errors are very vague and tough to debug.

We might also be able to look at our cloud servers to see what transpired when you request came in to our servers that generated the 422 response. If you could provide your subdomain for the account and the time that you made the request we can check on our end.

Hopefully the PAT works in the short term while we figure out if the 422 error is something we can fix or better help you and other users to avoid!

Thanks for looking into this Jack! Yes, the workaround I created was setting up AirTable Auth using a PAT with a third account. That works right now while I'm developing the product, but I'd ideally like to set up OAuth once we enter production and start having our users authenticate on behalf of us. (it's more secure)

Thanks for trying to reproduce the bug! Our subdomain is elevatedschool.retool.com, and we made the latest request around April 25 at 11:30 am Taipei time.

@Jeffrey_Yu No problem!

Wish I could have been more helpful. Our team will look into setting up authentication with Airtable to update the docs and get back to you!