The API-Call you are looking for is the “append a row” call. Here is the url of the API-documentation:
This API call requires an API token though right? API tokens only have ‘r’ and ‘rw’ permissions so if I embed that token on my websites won’t it expose the rest of my data in the table?
Is there another end-point to append rows without exposing the entire database?
Are you suggesting to embed the API token on my website HTML?
Is there a way to configure write-only API token?
Using API “append a row” works great! BUT requires API token which can only have ‘r’ or ‘rw’ permissions, this exposes entire table, if anyone finds the API token on my website.
I am currently evaluating all the major low code database “table” tools for entity with multiple applications.
Yes, this is correct, you would expose your key if you use it in your frontend - as usual.
If you allow me the comment, I wouldn’t do this even with an append-only api-key in a client-side running frontend.
So looks to me like not having it could effectively prevent you from running into troubles.
Control influx information in your backend or at least use an API Gateway if the functionality of the backend you’re using - e.g. SeaTable Server/Cloud - does not suffice.
For example if you need to control CORS Headers.
It should go without saying that during evaluation you may consider to just defer that for later and use full-access keys for evaluation of a proof-of-concept in a controlled environment.
Can I call API to add records directly from the browser ?
Please explain in more detail what you want to achieve. The SeaTable API can be used by any programming language to add records. What do you mean by “the browser”?
I would like to POST data from my own custom made HTML forms and apps directly to my SeaTable.
( I tried utilizing the same end-points being used by SeaTable forms / views, but got CORS errors )
I imagine there is an API end point to send data to my SeaTable but I wasn’t able to find it. I am able to send data to SeaTable from Node.JS using an API token, but the only permission levels are ‘r’ and ‘rw’. This would mean that if I embedded the API token in my websites someone could extract the token and read all the data, which would not be ideal. So I just wondered if there is an end-point in the API or in the forms which can be used to POST data directly from my websites to SeaTable.
You have the following possibilities:
- use SeaTable forms to append rows with a webform. Iframes are not allowed for webforms with cloud.seatable.io
- if you want to embed SeaTable form with an iframe, use a self-hosted SeaTable instance
- if you would like to use the API to append a row, use a backend language like PHP or Python to execute the API calls.
As a “low code” platform, why would SeaTable block the ability to send data directly from my client-side web app directly to my tables?
One can easily solve this problem with a CORS-proxy or similar, but why force customers, who desire “low code” to spin up and maintain server-side apps?
How does this policy benefit SeaTable?
Please describe what you have tried so far. You opened up multiple topics - all with the same topic but without describing what you already tried and what did not work. Then to answer your questions:
1. security is important to us
we have good reasons not to use a cors proxy. Let me just cite from the first hit of google search for cors proxies: (found on https://httptoolkit.tech/blog/cors-proxies/)
Are CORS proxies secure?
CORS proxies are safe only if you use them very very carefully. There are good reasons to use them, and safe ways to do so, but if you use them wrong you can create a whole world of new security problems.
2. You want low code? Then use the functions SeaTable provides!
You want to get data into SeaTable without coding? Then why don’t you use SeaTable webforms? What is wrong with them? If you intend to avoid coding, then don’t ask for API-calls.
3. there is an API call to save new rows
You will find all available API calls at https://api.seatable.io. If you have problems how to use them, then paste your code here. Otherwise, I cannot help you.
The use case is super simple.
We want to submit data to SeaTable from client-side web apps, running in a standard web browser like Chrome ( on my own website, without using SeaTable webforms ) without running a server.
We can’t use SeaTable webforms, because we want to send game data being generated while users play games and use browser apps.
"you have no possibilities to execute any kind of API call securely without revealing your secret credentials." - cdb
This should be easy for SeaTable to enable.
For example, any one of these:
+Enable a WRITE-ONLY API token in addition to READ and READ-WRITE
+Enable CORS-header on the end-point powering SeaTable webforms
+Provide simple submit end-point for Posting JSON from a website
Plenty of APIs already enable CORS. This allows building web apps without the need to maintain server-side infrastructure, or requiring customers to use fragile workarounds like cors-proxy.
Would love to understand why not. Could you elaborate?
Sure, most is because of disclosing of the credentials. As resources are limited, they can easily fill up etc. with little control apart the credential itself. Next to that there is no append-only api key so the discussion is overly theoretic, henceforth leads to speculation, which is not appropriate for tokens or keys. @orgome
Why not? Can you present just 1 reason?
What resources are limited?
Resources are that of one’s own at the end. No idea what counts in your book, but that’s in mine. We can agree to disagree though. @orgome
Customers submit to SeaTable via cors-proxy web-forms end-point.
No difference in resources for SeaTable right? Server still handles 100 requests?
But customer not forced to run redundant proxy server to fix rewrite CORS headers for web-forms end points. Or would love to know why not simply allow submit directly?
It feels like this has ceased being a constructive discussion.
I suggest we end it at this point.
Many customers will want to submit data directly from their websites and web games. Still not sure why this is blocked.
The answer to your question was already given. Please stop any side discussions.
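The backend approach recommended in the thread (keep the API token on the server and control what comes in), sketched as an added example that is not from any poster or from SeaTable. The origin, table and column names, the upstream URL placeholder, the `Token` header scheme and the `{table_name, row}` body shape are assumptions; take the real values from the API documentation.

```javascript
// Added example: relay logic that runs on a server, never in the browser.
const CONFIG = {
  allowedOrigins: new Set(['https://games.example']),          // constructed origin
  upstreamUrl: 'https://seatable.example/APPEND-ROW-ENDPOINT', // placeholder URL
  tableName: 'Scores',                                         // constructed name
  columns: { player: 'string', score: 'number' },              // write allow-list
  maxBodyBytes: 1024, maxPerMinute: 30,
};
const hits = new Map(); // client id -> timestamps of accepted submissions
function rateLimited(clientId, now) {
  const recent = (hits.get(clientId) || []).filter((t) => now - t < 60000);
  hits.set(clientId, recent);
  if (recent.length >= CONFIG.maxPerMinute) return true;
  recent.push(now);
  return false;
}
// Returns {status, error} on rejection, or {status: 200, row} holding only allow-listed,
// type-checked columns. Origin can be forged outside browsers, so limits always apply.
function validate(origin, rawBody, clientId, now = Date.now()) {
  if (!CONFIG.allowedOrigins.has(origin)) return { status: 403, error: 'origin' };
  if (typeof rawBody !== 'string' || Buffer.byteLength(rawBody) > CONFIG.maxBodyBytes)
    return { status: 413, error: 'size' };
  let data;
  try { data = JSON.parse(rawBody); } catch (e) { return { status: 400, error: 'json' }; }
  if (data === null || typeof data !== 'object') return { status: 400, error: 'shape' };
  const row = {};
  for (const [name, type] of Object.entries(CONFIG.columns)) {
    const v = data[name];
    const bad = typeof v !== type || (type === 'number' && !Number.isFinite(v)) ||
      (type === 'string' && (v.length === 0 || v.length > 64));
    if (bad) return { status: 422, error: name };
    row[name] = v; // any field not in CONFIG.columns is dropped
  }
  if (rateLimited(clientId, now)) return { status: 429, error: 'rate' };
  return { status: 200, row };
}
// The token is read server-side (e.g. from the environment) and attached here.
// `send` defaults to the global fetch of Node 18+; header and body shape are assumed.
async function relay(origin, rawBody, clientId, token, send = fetch) {
  const checked = validate(origin, rawBody, clientId);
  if (checked.status !== 200) return checked;
  const res = await send(CONFIG.upstreamUrl, {
    method: 'POST',
    headers: { Authorization: `Token ${token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ table_name: CONFIG.tableName, row: checked.row }),
  });
  return { status: res.ok ? 201 : 502 }; // upstream details are not echoed back
}
```

Wire `relay` into whatever HTTP framework the backend uses; the browser posts only the game data and never sees the token.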