
Airtable and Zapier Security: Protecting Your Data

By Scannly Security Team · April 2026

Airtable connected to Zapier is one of the most common automation setups for small businesses. It is also one of the most sensitive — Airtable often holds customer records, financial data, and operational information that would be damaging if exposed. Here is how to secure this integration.

Use a dedicated Airtable service account

Never connect Zapier to Airtable using a personal admin account. Create a dedicated service account with access only to the specific bases your Zap needs. If this account is compromised, the blast radius is limited to those specific bases rather than your entire Airtable workspace.

Use personal access tokens, not API keys

Airtable's personal access tokens allow you to grant granular, scoped permissions — read-only access to specific bases, for example. This is far more secure than using a legacy API key, which grants access to your entire Airtable account. Migrate to personal access tokens if you have not already.

Be careful what Zapier writes to Airtable

If your Zap writes data to Airtable based on external inputs — form submissions, emails, webhook payloads — validate and sanitise that data before writing. An attacker who can inject data into your Airtable base can corrupt your records, inject malicious content, or exfiltrate data through subsequent automations that read from those records.
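One way to apply this in a Python step that runs before the Airtable write, as an added example that is not Scannly's or Airtable's own code. The field names, length limits, email pattern and the rule that neutralises a leading `=`, `+`, `-` or `@` (in case records are later exported to a spreadsheet) are assumptions for a hypothetical contact-form Zap.

```python
import re
import unicodedata

# Hypothetical schema for a contact-form Zap: field name -> maximum length.
ALLOWED_FIELDS = {"name": 100, "email": 254, "message": 2000}
EMAIL_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
FORMULA_PREFIXES = ("=", "+", "-", "@")


def clean_text(value, max_len):
    """Return a trimmed string with control characters removed, or raise ValueError."""
    if not isinstance(value, str):
        raise ValueError("expected a string")
    # Drop control and format characters (Unicode category C*) except newline.
    text = "".join(
        ch for ch in value if ch == "\n" or not unicodedata.category(ch).startswith("C")
    ).strip()
    if not text or len(text) > max_len:
        raise ValueError("empty or too long")
    # Assumption: records may be exported later, so neutralise formula triggers.
    if text.startswith(FORMULA_PREFIXES):
        text = "'" + text
    return text


def sanitise_record(payload):
    """Build the dict to write to Airtable; unknown keys are dropped."""
    if not isinstance(payload, dict):
        raise ValueError("payload must be an object")
    record = {}
    for field, max_len in ALLOWED_FIELDS.items():
        if field not in payload:
            raise ValueError(f"missing field: {field}")
        try:
            record[field] = clean_text(payload[field], max_len)
        except ValueError as exc:
            raise ValueError(f"{field}: {exc}") from None
    # A neutralised or malformed address fails this strict pattern and is rejected.
    if not EMAIL_RE.fullmatch(record["email"]):
        raise ValueError("email: invalid format")
    return record


if __name__ == "__main__":
    # Constructed sample payload, not real data.
    sample = {"name": " Ada\u202e Lovelace ", "email": "ada@example.com",
              "message": "=1+1", "is_admin": True}
    print(sanitise_record(sample))
```

A payload that raises `ValueError` should stop the Zap rather than be written in partial form.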

Audit what reads from your Airtable

Review every Zap that reads from your Airtable bases. Who can trigger those Zaps? Where does the data go after it is read? Any Zap that reads sensitive Airtable data and sends it to an AI service, external webhook, or third-party app deserves careful security review.
