Accessing cloud hosted table via API

Hi everyone,
I’m probably misunderstanding something about the access to table via the API, but as I can’t find any answer, here is a full description of my problem :
I’d like to access one of my table (read&write) which is hosted on cloud.seatable.io
Unfortunately, I can’t use Node.js and I’m trying to access the table from the client side (a simple html page). First question : is it possible ?
Here’s the script I included in my webpage :

function accessTable() {
  const xhttp = new XMLHttpRequest();
  xhttp.onload = function() {
    /*  Stuf I'd like to do */
  }
  xhttp.withCredentials = true;
  xhttp.open("GET", "https://cloud.seatable.io/api/v2.1/dtable/app-access-token/");
  xhttp.setRequestHeader('Authorization', 'Token my_base_token');
  xhttp.setRequestHeader('Accept', 'application/json; indent=4');
  xhttp.setRequestHeader('name', 'the_name_of_my_table');
  xhttp.send();
}

Unfortunately, I get a CORS error saying that the CORS header Access-Control-Allow-Origin is missing. As it is the cloud version, I can’t modify the config to add this header. Any idea ?

Thanks a lot !
Benjamin

Hi, you are right - the Access-Control-Allow-Origin on cloud.seatable.io is set to a limited number of domains. Therefore you cannot just use any other domain to access your bases in the cloud. @cdb do you think we should open this access to all domains?

The API endpoints, on the other hand, for example Postman or Zapier, n8n etc. should be able to access the bases in the cloud. Judging from your code, I think your my_base_token is the API token of your base and the_name_of_my_table is the name of your base? Why do you send the name of the base here, because the API request Get Base Access Token via API Token doesn’t require the name of the base.

Hey bennhatton,

I am a little bit confused. There should be no CORS Access-Control-Allow-Origin. And I am quite sure there is none.

I just tried the following:

First try:
curl -H “origin: example.com” -v “https://cloud.seatable.io/api/v2.1/dtable/app-access-token/

This deliveries:

< HTTP/1.1 403 Forbidden
< Server: nginx/1.20.1
< Date: Mon, 08 Nov 2021 08:54:09 GMT
< Content-Type: application/json
< Content-Length: 34
< Connection: keep-alive
< Vary: Accept, Accept-Language, Cookie
< Allow: GET, HEAD, OPTIONS
< Content-Language: en
< Strict-Transport-Security: max-age=63072000
< 
* Connection #0 to host cloud.seatable.io left intact
{"error_msg":"Permission denied."}

Second try - this time with a access token:
curl -H “origin: example.com” -v “https://cloud.seatable.io/api/v2.1/dtable/app-access-token/” --header “Authorization: Token 5dcdc639eee5…removed…”
This request delivers the requested results…

The important thing is: I can add any value I want into -H origin: example.com. There is no limitation regarding the origin.

I know I used curl and not xmlhttprequest. Give me some time and I will clarify.
Best regards
Christoph

Hi both of you,
Thanks for you help. @cdb you’re right, when I try to use curl, everything works, but using xmlhttprequest or fetch doesn’t because of CORS.
@Karlheinz, you’re right to my_base_token and the_name_of_my_table are just strings to show you which info I provided but you’re right too, there’s no need (or no place) for the table’s name here… Anyway, I didn’t manage to find the Seatable API Reference you linked in your previous message : it’s a really nice and complete document !!
Unfortunately, based on this document, I tried again xhr, fetch and jQuery, but each method stops on the CORS error…

OK! So it seems that the nice and complete API document is a little bit hard to find?

It’s here:
1636640563(1)

or:

Hi @cdb, have you been able to discover anything new about this?
Thanks a lot for your help by the way.

Bests,