Airtable
Airtabledatabase5 credentials
Airtable User / Administrator Password
airtable / user-password
Airtable users and administrators authenticate to the Airtable web app, enterprise admin surfaces, SSO flows, and OAuth authorization flows with user-defined or federated credentials.
Location
/login, /authorize, /adminAirtable web sign-in, OAuth authorization, and enterprise administration contexts
Password managers, enterprise identity providers, break-glass admin vaults, and managed credential stores
Sign-in logs, audit events, OAuth authorization events, browser exports, and support traces
Notes
Catalogs ordinary operational credential locations; this is not a claim of a static Airtable default password.
Personal Access Token
airtable / personal-access-token
Airtable personal access tokens authorize Web API requests. Airtable.js documents using a secret API token/personal access token as apiKey and using AIRTABLE_API_KEY for 12-factor environment configuration. Gitleaks and Betterleaks detect Airtable PATs with a pat-prefixed token shape.
Looks like
examplepatAAAAAAAAAAAAAA.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaLocation
AIRTABLE_API_KEYAirtable.js and pyairtable examples use AIRTABLE_API_KEY for the secret API token / personal access token
AuthorizationBearer token used for Airtable Web API requests
/create/tokens, /developers/web/apiAirtable token creation and Web API documentation contexts
.env, .env.local, .env.production, airtable.js, airtable.config.js, config.js, config.ts, settings.py, pyproject.tomlProject-local SDK/application files where AIRTABLE_API_KEY or Airtable PATs are commonly configured
CI/CD variables, cloud secret managers, platform secret stores, password vaults, and integration vaults
Application code, automation scripts, notebooks, tests, examples, infrastructure-as-code, and committed config files
API debug logs, SDK traces, CI output, exception traces, HTTP request captures, and support bundles
Notes
Airtable base IDs, table IDs, record IDs, endpoint URLs, and pagination tokens are API context, not credential values. AIRTABLE_ENDPOINT_URL is intentionally not listed as a credential env var.
Legacy API Key
airtable / legacy-api-key
Older Airtable integrations and detector rules modeled legacy Airtable API keys as 17-character lower-case alphanumeric values near Airtable-specific context. Airtable now directs developers to create personal access tokens, but legacy keys may still appear in old code, examples, and configuration.
Looks like
pattern(?i)(?:airtable)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{17})(?:\\?['"\x60]|[\s;]|\\[nr]|$)Location
AIRTABLE_API_KEYAirtable SDK examples use this env var for the secret API token/API key value
AuthorizationBearer token/API key used for Airtable Web API requests
.env, .env.local, airtable.js, config.js, config.ts, settings.py, test/test_files/index.htmlLegacy SDK examples, browser demos, and local app configuration files that may contain legacy API keys
Older Airtable.js integrations, browser demos, tests, notebooks, scripts, and automation repos
API debug logs, HTTP traces, browser demos, CI output, and support bundles
Notes
The 17-character pattern is noisy without Airtable-specific context and should not be used as a generic standalone token detector.
OAuth Access Token
airtable / oauth-access-token
Airtable OAuth integrations receive bearer access tokens for API calls. Betterleaks models Airtable OAuth tokens with a versioned dot-separated token format and validates candidate tokens against the /v0/meta/whoami endpoint.
Looks like
exampleAIRTABLE.v1.ABCDEFGHIJKLMNOPQRSTUVWXYZ_0123456789.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa(?i)(?:airtable)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([A-Z0-9]+\.v1\.[A-Z0-9_-]+\.[a-f0-9]+)(?:\\?['"\x60]|[\s;]|\\[nr]|$)Location
AuthorizationBearer OAuth access token used for Airtable Web API requests
OAuth token responses containing access_token, refresh_token, token_type, scope, and expiry fields
.env, oauth.json, airtable-oauth.json, config.json, config.js, settings.pyOAuth callback handlers, app configs, token stores, SDK settings, and local development files
OAuth client secret stores, CI/CD variables, cloud secret managers, enterprise vaults, and app-installation secret stores
OAuth callback code, app manifests, automation scripts, tests, and examples
OAuth exchange logs, callback logs, API traces, failed auth errors, and support bundles
Notes
No exact official Airtable environment variable for OAuth access or refresh tokens was found in the checked sources, so none is listed.
OAuth Client Secret / Refresh Token
airtable / oauth-client-secret
Airtable OAuth integrations can use client secrets and refresh tokens as part of token exchange and token refresh flows. These values are usually stored in application configuration or secret stores rather than an Airtable-owned local CLI file.
Location
AuthorizationBasic client authentication or bearer token during OAuth token exchange and API calls
OAuth token responses can contain refresh_token and access_token fields
.env, oauth.json, airtable-oauth.json, config.json, config.js, settings.pyOAuth application configs, callback handlers, SDK settings, and local development files
OAuth client secret stores, CI/CD variables, cloud secret managers, enterprise vaults, and app-installation secret stores
OAuth callback code, app manifests, automation scripts, tests, and examples
OAuth exchange logs, callback logs, API traces, failed auth errors, and support bundles
Notes
Generic names such as AIRTABLE_CLIENT_SECRET and AIRTABLE_REFRESH_TOKEN were not listed as environment locations because the checked official SDK/docs did not establish them as Airtable-owned credential-value env vars.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.