No permission to access (403) - please help with tokens

Hi guys,
New here and not familiar with the way tokens are handled here and still confused with the API reference.
Trying to authorize my app (right now the app builder) to access the database rows for read and write.
So I’ve input the base URL and the 40 char “access token” I created from my web interface (along with/without the Accept: application/json; indent=4 header)

But I get the “error_msg”:“you don’t have permission to access” Status 403.

In my GET collection interface, I’ve followed the doc SeaTable API Reference GET List Rows and added the relative path to the base URL:

GET /dtable-server/api/v1/dtables/650d8a0d-7e27-46a8-8b18-dbvh46/rows/?table_name=Table1 HTTP/1.1

Authorization: Token eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHiOjE2MTQzNTI1OTQsImR0YWJsZV91dWlkIjoiNjUwZDhhMGQtN2UyNy00NmE4LThiMTgtNmNjNmYzZGIU3IiwidXNlcm5hbWUiOiIiLCJwZXJtaXNzaW9uIjoicnciLCJhcHBfbmFtZSI6InBvc3RtYW4ifQ.4aTmvBfFElyB3xg5jjF7zWCiyRZI17SZD980GdHT6e3

What am I doing wrong? What is this authorization token? It is Is it mine or an example? Same for the base_UUID, is it mine? If not where can I find it?

Hey fredkzk,

I am sorry that you have problems to get access your base via API. We tried our best to explain it at SeaTable API Reference. (search for the headline “how does authentication work”).

Let me recapture how the SeaTable-API works:

  • seatable API differenciates between “base API” actions and “non-base” API actions
  • for base API you need a “base access token”
  • for non-base API you need a “access token”

There are two ways to get a base access token.

normal way

  1. go to the webinterface of SeaTable and generate an API token for a base.
  2. use this api token and generate a base access token via API (this is the API call for that: SeaTable API Reference)

full API way

  1. generate auth token via API with username and password
  2. use the API to generate a base API token (use the auth token from 1.)
  3. generate base access token via API like in the normal way

Keep in mind: a base access token is only valid for 3 days.

Best regards

1 Like

Thanks Chris,
I did end up understanding - after a few days - that I needed to generate an access token with my API base token.
Once I got this figured out, I ran into the famous CORS issues. Imagie the cold shower… :expressionless:

So I gave up, because we’re in 2022 after all, one expects things to be faster and easier now, more user friendly, with nice frameworks and no code tools, etc…

The setup of my Firebase DB was easier, so was another relational DB.

You will be a true Airtable alternative when you make things quick and easy.

Until then, good luck and congrats for your initiative. There is a long road ahead…

Hey fredkzk,

I agree that SeaTable still has a lot of potential in usability and better documentation. I truly agree, and we are working hard to improve in that area.

But I could only shake my head in disbelief that you blame CORS issues as a usability issue. For all the other readers, CORS stands for “cross-origin resource sharing” and is critical if you take security serious. We (=SeaTable) take security serious and therefore not everything is allowed. And airtable in comparision for example has no API at all to manage your team or your bases. The only thing they allow is to read or add info into a base. So the question is “what is better”? Don’t even offer an API or offer a complete API that is completely documented and secure at

Therefore thanks for trying out SeaTable. You might want to try again SeaTable in one year or so. You will be astonished what we will be improved.

Best regards,

1 Like

Looking forward to the upgrades. I’ll be watching Seatable.

Not complaining about the CORS constraint, there should such security for sure. But I just could not find in the forum a practical solution to the problem (Integrate with Seafile? I can’t).

I faced the same CORS issue with Firebase and addressed it in 2 minutes with 2 lines of code in the google cloud console:

echo '[{"origin": ["*"],"responseHeader": ["Content-Type"],"method": ["GET", "HEAD"],"maxAgeSeconds": 3600}]' > cors-config.json


gsutil cors set cors-config.json gs://BUCKET_NAME

I’m a former marketing executive in the food industry, now turned no coder (using FlutterFlow and AppGyver where I want to spend most of my brainpower). So I’m not a coder, I need things to be simple and quick.
Until there is a clear, quick and easy way to address that CORS issue, I’ll remain out.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.