Authentication
SheetDream supports HTTP basic authentication, powered by a specialty "users" table within your SheetDream admin interface.
This "users" table gets autogenerated for you when you create your SheetDream account for the first time. You can modify the table and add more users to it by adding a Google Sheet configuration with the destination table set to "users", or by adding an Airtable configuration for a table called "users". You can also add and maintain new users via your API.
There are 3 different fields for any given user in your API:
- username
- password
- access
| Field Name | Description |
| --- | --- |
| username | This is the username for the user accessing your API. |
| password | This is the cleartext password for the user accessing your API. |
| access | This is either "read", "write" or "admin". More detail below on what these values mean and enable a given user to do. |
The users table can be accessed and modified just like any other table within your API. Users with an "admin" access level can create new users by doing a POST to your API's users endpoint.
You cannot create an admin level access user via the API. Admin users (besides the default "admin" user that gets generated for you) can only be created via Google Sheets or Airtable and synced.
Users with any level of access (read, write, admin) are allowed to change their password via a PUT/PATCH call to the users API.
Two default users are created for your project: a "system" user that has read access to your API, and an "admin" user that has admin level access.
It probably goes without saying... but be very careful about distributing the credentials or API key for the admin user! This user has elevated access to your data.
The table below outlines the 3 access levels for any given user.
| Access Type | Description |
| --- | --- |
| read | The user has read only access to your API. Any attempt to call DELETE, POST, PUT or PATCH returns a 401 error from the API. The user can read any record within the API (there is no such thing as read restrictions in SheetDream). |
| write | The user has read access, as well as the ability to create new records or to modify records they own. A user has ownership of a record if they created it or if it was created on their behalf. |
| admin | The user has full access to the API. They can create new records and modify any record in the spreadsheet(s), even if the record is owned by another. |
If you expose the API key of a user that has admin access, either via embedded HTML on your website or in code on the frontend, anyone with the key can take over control of the data on your spreadsheets. Proceed with extreme caution when working with non-read access users.
It is generally recommended that you only use write/admin level users in protected areas, either within your internal intranet or behind some sort of a trusted members-only area.
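One way to check a site for the exposure described above, as an added example that is not SheetDream code: scan frontend source for embedded HTTP Basic credentials and flag any that decode to a non-read user. The `USERS` map, the `editor` user, the sample passwords and the host are constructed for illustration.

```javascript
// Added example (not SheetDream code): find HTTP Basic credentials embedded in
// frontend source and flag any that belong to a non-read user.

// Constructed stand-in for the "users" table: "system" and "admin" are the
// default users named above; "editor" is a hypothetical write-level user.
const USERS = { system: "read", editor: "write", admin: "admin" };

// Matches "Basic <base64>" header values and "https://user:pass@host" URLs.
const BASIC_HEADER = /Basic\s+([A-Za-z0-9+\/]{4,}={0,2})/g;
const USERINFO_URL = /https?:\/\/([^\s:@\/"']+):([^\s@\/"']+)@/g;

// Basic auth is base64("username:password"): an encoding, not encryption.
function decodeBasicUsername(token) {
  const text = Buffer.from(token, "base64").toString("utf8");
  const sep = text.indexOf(":");
  return sep > 0 ? text.slice(0, sep) : null; // null: not a user:pass pair
}

function findExposedCredentials(source, users = USERS) {
  const findings = [];
  const record = (kind, username) => {
    if (!username) return;
    const access = users[username] || "unknown";
    // Only read-level users are treated as acceptable in public frontend code.
    const severity = access === "read" ? "info" : "high";
    findings.push({ kind, username, access, severity }); // password never stored
  };
  for (const m of source.matchAll(BASIC_HEADER)) {
    record("basic-header", decodeBasicUsername(m[1]));
  }
  for (const m of source.matchAll(USERINFO_URL)) {
    record("url-userinfo", m[1]);
  }
  return findings;
}

// Constructed sample of frontend code; passwords and host are placeholders.
const b64 = (s) => Buffer.from(s, "utf8").toString("base64");
const SAMPLE = [
  `fetch(api, { headers: { Authorization: "Basic ${b64("system:sample-pw-1")}" } });`,
  `fetch(api, { headers: { Authorization: "Basic ${b64("admin:sample-pw-2")}" } });`,
  `fetch("https://editor:sample-pw-3@api.example.invalid/rows");`,
].join("\n");

console.log(findExposedCredentials(SAMPLE));
```

Any finding with severity "high" means a write or admin credential is recoverable by anyone who can view the page source.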