SOLUTION: Prevent injecting data into AirTable schema via prefill_[fieldname] API

Problem: If you have fields in AirTable specified as as single select or multi-select and use a form block in Softr, then load the page with prefill_[fieldname] query parameters, the user can change and overwrite the value in the URL and this changes the select option in any drop-down. Finally, when the user submits the form the manipulated data is injected into the AirTable schema. The result is that ALL other form users will see the injected data in the drop-down when the form is loaded.

  • Note, even if the prefill_[fieldname] query parameters are not on the URL, the user can simply add them and guess the fieldnames (often very simple, such as State).

High-level Solution: the personal access token (PAT) must be created by an account set to Editor permissions/access restrictions.


To prevent Users from injecting data into your AirTable schema by hijacking the prefill_[field_name] feature you must:

  1. create a “Team” or higher AirTable account plan
  2. Sign in as the account Owner, eg
  3. Invite a new user to the Base you want in AirTable and then sign-in and create the new user in AirTable which is going to be the “API” account which you will bind the personal access token (PAT), eg.
    a. Account settings> Workspace Settings for your Base > Add or manage workspace collaborators
    b. Select Editor from the drop-down
    c. Send Invite
  4. Follow invite email and Sign in as apieditor@
  5. create a PAT with the appropriate permissions, no special configuration is required at this step (although I do question the schema.bases.write Scope)
  6. store the PAT for use in Softr
  7. [IF you did not set the invited user to Editor or if you already have a dedicated account for you API] returning to the owner@ account, Change apieditor@ collaborator permissions to Editor
    a. Account settings> Workspace Settings for your Base > Add or manage workspace collaborators > Manage access
    b. Change permission dropdown to Editor
  8. Signing into Softr, navigate to the Root of the dashboard and click Data sources (or from within the App click Settings > Data Sources > … > Manage on the AirTable Data source you are going to change the permissions
  9. For the AirTable data source you wish to tighten the permissions, click “…” > Re-authenticate
  10. Follow the workflow replacing the old for the new Personal Access Token (saved in step 6) and Done!

This will replace ALL existing configured blocks connected from wide open permissions to the new more restricted API access token. ← you do not need to change each block site-wide

Be Aware: as of mid-2024 moving to an AirTable team plan will cost $240 per seat annually. To support this improved security feature you will need 2 seats at $480 annually, total.