Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
108 changes: 108 additions & 0 deletions apps/docs/content/docs/en/integrations/airtable-service-account.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
---
title: Airtable Personal Access Tokens
description: Set up an Airtable personal access token with scoped base access to use Airtable in Sim workflows
---

import { Callout } from 'fumadocs-ui/components/callout'
import { Step, Steps } from 'fumadocs-ui/components/steps'
import { FAQ } from '@/components/ui/faq'

Airtable personal access tokens (PATs) let your workflows authenticate to Airtable with a token that has explicit scopes and explicit base access — instead of a person's OAuth login. The token never expires on its own, and what it can touch is decided at creation time.

On Airtable Enterprise Scale plans, admins can create the same tokens from a dedicated **service account** in the Admin Panel. Those tokens are wire-identical to personal access tokens and are the better choice for organization-level use: they don't stop working when an employee leaves.

## Prerequisites

Any Airtable user can create a personal access token for the bases they have access to. Keep in mind the token is capped by its creator's own permissions — a PAT created by a read-only collaborator cannot write, no matter which scopes it has. Create the token from an account with the access level your workflows need.

For service-account tokens, you need an Enterprise Scale plan and an admin with access to the Admin Panel.

## Creating the Token

<Steps>
<Step>
Open [airtable.com/create/tokens](https://airtable.com/create/tokens) and click **Create token**

{/* TODO(screenshot): Airtable token builder page with the "Create token" button */}
</Step>
<Step>
Give the token a name (e.g. `sim-airtable-bot`)
</Step>
<Step>
Add the scopes your workflows need. The full set Sim's Airtable tools and triggers use is:

```
data.records:read
data.records:write
schema.bases:read
user.email:read
webhook:manage
```

Reading records needs `data.records:read`; creating, updating, upserting, and deleting records need `data.records:write`; listing bases and tables and reading base schemas need `schema.bases:read`; `user.email:read` lets Sim show the token owner's email as the credential name; and `webhook:manage` is only needed if you use Airtable triggers in Sim.

{/* TODO(screenshot): token builder scopes section with the five scopes added */}
</Step>
<Step>
Under **Access**, add the bases or entire workspaces the token should reach. The token can only see what you list here — a token with all five scopes but no base access can't read anything.

{/* TODO(screenshot): token builder access section with a workspace added */}
</Step>
<Step>
Click **Create token** and copy it when it's shown. Airtable only displays it once — if you close the dialog, you'll have to regenerate it.
</Step>
</Steps>

<Callout type="warn">
The token is bearer credentials for every base you granted. Treat it like a password — do not commit it to source control or share it publicly. Sim encrypts the token at rest.
</Callout>

### Enterprise Scale: Service Account Tokens

On Enterprise Scale plans, an admin can create up to 30 service accounts (raisable via Airtable support) from the Admin Panel, each with its own name and email. From a service account's **Personal access tokens** panel, the admin creates tokens with the same scopes-plus-base-access builder shown above. The resulting token works in Sim exactly like a user PAT — same format, same `pat…` prefix, same behavior — but it belongs to the organization, not a person, so it survives employee offboarding. If your plan supports it, prefer this over a user-created PAT.

<Callout type="info">
Enterprise organizations can enable "Block API access to organization-owned bases and workspaces". If your organization uses this setting, the service account must be allowlisted or every call fails despite a valid token.
</Callout>

## Adding the Service Account to Sim

<Steps>
<Step>
Open your workspace **Settings** and go to the **Integrations** tab
</Step>
<Step>
Search for "Airtable Service Account" and click it, then click **Add to Sim** and choose **Add personal access token**

{/* TODO(screenshot): Integrations page with "Airtable Service Account" in the service list */}
</Step>
<Step>
Paste the **Personal access token**, and optionally set a display name and description

{/* TODO(screenshot): Add Airtable personal access token dialog with the personal access token filled in */}
</Step>
<Step>
Click **Add personal access token**. Sim verifies the token by calling Airtable's `whoami` endpoint — if it fails, you'll see a specific error explaining what went wrong.
</Step>
</Steps>

<Callout type="warn">
Validation only proves the token is real — Airtable doesn't expose a PAT's scopes or base access for inspection. A token that validates fine can still fail every tool call if you skipped a scope or forgot to grant base access. If a block returns a 403 (`INVALID_PERMISSIONS`) or an unexpected 404 (`NOT_FOUND`), check the token's scopes and base access first.
</Callout>

## Using the Service Account in Workflows

Add an Airtable block to your workflow. In the credential dropdown, your Airtable service account appears alongside any OAuth credentials. Select it and configure the block as you normally would.

{/* TODO(screenshot): Airtable block in a workflow with the Airtable service account selected as the credential */}

The block calls `api.airtable.com` using the token — exactly the same requests as the OAuth flow, so every Airtable tool works unchanged, limited to the scopes and bases you granted.

<FAQ items={[
{ question: "Why a personal access token instead of OAuth?", answer: "PATs don't expire and don't depend on any user staying logged in or re-consenting. You decide scopes and base access once at creation, and the token is stable until you regenerate or delete it — which is what you want for an automated workflow." },
{ question: "What's the difference between a user PAT and a service-account PAT?", answer: "Nothing on the wire — both are the same token format and behave identically in Sim. The difference is ownership: a user PAT dies with the user's base access (or when they leave the org), while a service-account PAT (Enterprise Scale, created in the Admin Panel) belongs to the organization." },
{ question: "My token validates but every block fails with 403 or 404 — why?", answer: "The token is missing a scope or, more commonly, base access. Airtable deliberately blurs the two: an unauthorized base can return 403 INVALID_PERMISSIONS or a plain 404 NOT_FOUND. Edit the token at airtable.com/create/tokens and check both the scopes list and the Access section." },
{ question: "Do tokens expire?", answer: "No. Airtable PATs remain active indefinitely until they're manually deleted, regenerated, or modified. A user PAT also stops working if its creator loses access to the granted bases or leaves the organization." },
{ question: "How do I rotate the token?", answer: "Create a new token with the same scopes and base access, update the credential in Sim with the new token, and once it's working, delete the old one. Note that regenerating an existing token invalidates the old value immediately." },
{ question: "Do I need the webhook:manage scope?", answer: "Only if you use Airtable triggers in Sim — the trigger creates and manages webhooks on your base. For workflows that only read and write records, you can omit it." },
]} />
114 changes: 114 additions & 0 deletions apps/docs/content/docs/en/integrations/asana-service-account.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
---
title: Asana Service Accounts & Personal Access Tokens
description: Connect Asana to Sim with a service account token or a personal access token from a dedicated bot account
---

import { Callout } from 'fumadocs-ui/components/callout'
import { Step, Steps } from 'fumadocs-ui/components/steps'
import { Image } from '@/components/ui/image'
import { FAQ } from '@/components/ui/faq'

Asana service accounts let your workflows authenticate as a non-human bot identity instead of a person's account. The service account has its own name and its own token, managed centrally by a super admin — no one person's OAuth consent to expire, and access can be revoked without touching anyone's personal account.

There are two ways to get a token, and both work in Sim:

- **Service account token** (recommended for teams) — available on Asana **Enterprise** and **Enterprise+** plans, created by a super admin in the Admin Console.
- **Personal access token (PAT)** — available on any plan, created from any user account. For production workflows, create it from a dedicated bot account rather than a personal one.

Both token types use the same format and paste into the same field in Sim.

## Option A: Service Account Token (Enterprise / Enterprise+)

### Prerequisites

You need an Asana **super admin** on an **Enterprise** or **Enterprise+** plan. Service accounts are an organization-level feature — regular users cannot create them.

### Create the Service Account

<Steps>
<Step>
Open the Asana **Admin Console** and go to **Apps** → **Service accounts**

{/* TODO(screenshot): Asana Admin Console with Apps → Service accounts highlighted */}
</Step>
<Step>
Click **Add service account**, give it a name (e.g. `Sim Integration`) — this is the name that will appear on tasks and comments the workflows create
</Step>
<Step>
Grant the service account **Full Permissions**. Scoped service accounts (for example, ones limited to User Provisioning / SCIM) cannot call the standard Asana API and will fail when you connect them to Sim

{/* TODO(screenshot): service account permission picker with "Full Permissions" selected */}
</Step>
<Step>
Copy the token when it's shown. Asana only displays it once — if you lose it, you'll have to regenerate it — plan to update the credential in Sim at the same time, since the old token stops working once it's replaced.
</Step>
</Steps>

<Callout type="warn">
A service account with Full Permissions has org-wide access to all data in your Asana organization, including private projects. Treat the token like an admin password.
</Callout>

## Option B: Personal Access Token

If you're not on an Enterprise plan, a personal access token works identically on the wire. For production workflows, create a dedicated bot user account (e.g. `sim-bot@yourcompany.com`) and generate the PAT from that account — a PAT is tied to the user who created it, inherits only that user's permissions, and stops working if the user is deprovisioned.

<Steps>
<Step>
Log in as the bot account and open the developer console at [app.asana.com/0/my-apps](https://app.asana.com/0/my-apps)

{/* TODO(screenshot): Asana developer console "My apps" page with "Create new token" button */}
</Step>
<Step>
Click **+ Create new token**, give it a name that describes its use (e.g. `Sim Integration`), and click **Create token**
</Step>
<Step>
Copy the token immediately — Asana only shows it once.
</Step>
<Step>
Add the bot account to the workspaces and projects your workflows need. A PAT can only see what its user can see.
</Step>
</Steps>

## Adding the Token to Sim

<Steps>
<Step>
Open your workspace **Settings** and go to the **Integrations** tab
</Step>
<Step>
Search for "Asana Service Account" and click it, then click **Add to Sim** and choose **Add access token**

{/* TODO(screenshot): Integrations page with "Asana Service Account" in the service list */}
</Step>
<Step>
Paste the token — service account token or personal access token, both work in the same field — and optionally set a display name and description

{/* TODO(screenshot): Add Asana access token dialog with the access token filled in */}
</Step>
<Step>
Click **Add access token**. Sim verifies the token by calling Asana's `/users/me` endpoint — if it fails, you'll see a specific error explaining what went wrong.
</Step>
</Steps>

<Callout type="info">
If a brand-new token fails validation with an authentication error, wait a few minutes and try again — newly created service account tokens can take a short time to become active.
</Callout>

The token is encrypted before being stored.

## Using the Service Account in Workflows

Add an Asana block to your workflow. In the credential dropdown, your Asana service account appears alongside any OAuth credentials. Select it and configure the block as you normally would.

{/* TODO(screenshot): Asana block in a workflow with the service account selected as the credential */}

The block calls the Asana API (`app.asana.com/api/1.0`) with the token as a standard Bearer credential. There's no impersonation step — the token acts as itself: the service account identity, or the bot user for a PAT.

<FAQ items={[
{ question: "What's the difference between a service account token and a personal access token?", answer: "A service account is an org-level bot identity with its own name and (with Full Permissions) org-wide access — it isn't tied to any person. A PAT is tied to the user who created it, inherits only their permissions, and breaks if that user is deactivated. Both use the same token format and paste into the same field in Sim; prefer the service account for team use if your plan supports it." },
{ question: "Why does my scoped service account fail to connect?", answer: "Scoped service accounts (e.g. limited to User Provisioning / SCIM) can't call the standard Asana API, so Sim's validation call fails. Ask your super admin to create the service account with Full Permissions." },
{ question: "Does the token expire?", answer: "No scheduled expiry — the token is long-lived until a super admin revokes or regenerates it (for a PAT, until the user deletes it or is deprovisioned). If a working credential suddenly starts failing with 401 errors, the token was revoked; paste a new one." },
{ question: "How do I rotate the token?", answer: "Regenerate the service account token in the Admin Console, then update the credential in Sim with the new token right away — the old token stops working once it's replaced, so expect a brief window of failed runs if workflows execute in between." },
{ question: "Do I need to enter a workspace or domain?", answer: "No. Asana has a single API host, and Sim's Asana blocks take workspace and project IDs as block parameters — the token is all the credential needs." },
{ question: "Will one shared token hit rate limits?", answer: "Asana rate-limits per token, so all workflows sharing one service account token draw from a single rate-limit bucket. If you run heavy concurrent workloads, watch for 429 responses and consider splitting workloads across tokens." },
]} />
Loading
Loading