Zapier Problems

The Coda API key one provides to Zapiers to setup a Zap neesd to have no restrictions in order to list documents and tables for setup stage (you can’t skip this or provide them as simple strings). This is far from optimal from a principle of least privilege mindset.

Please find a way to handle this, possible solutions:

  • Allow one to edit the restrictions after creation - i.e. I could create an api key that has full permission and then one the Zap setup is done I can reduce the permissions (still a small risk if we don’t trust Zapier in that point in the time)
  • Add a listing permission that is configurable in addition to document restriction
  • Work with your Zapier contact to allow one to specify document name by textbox rather than autofill dropdown

Look forward to a fix. Thanks

Hey there Matt, thanks for posting! Completely understand why limited scopes would be preferable.

Zapier’s handling of authentication makes this a bit difficult to implement currently (source: am a previous Zapier employee :sweat_smile:) — one token/authentication is expected to read all docs and work across all triggers and actions. (It’s actually not currently possible at all in Zapier to pass custom text values for the document selector.) I might recommend sending their support team an email and letting them know this is a change you’d like to see.

In the short term, you could get around this with Zapier + Coda by either creating a custom dev app on their developer platform for your private use or by using custom Webhooks by Zapier triggers and actions. In either of those cases, you could probably create an API token that only has permissions for a specific doc (via coda.io/account), and then hard code the doc ID into your custom Zapier steps. The downside to this solution is that Zapier’s team isn’t super able to support these custom use cases.

We’ll definitely keep an eye on any changes on Zapier’s end, though!

3 Likes