[sbr464]

All media/photos you upload to a private airtable.com app are public links. No authentication required if you know the url.

[andix]

There is a dilemma for web developers with images loaded from CDNs or APIs. Regular <img> tags can't set an Authorization header with a token for the request, like you can do with fetch() for API requests. The only possibility is adding a token to the URL or by using cookie authentication.

Cookie auth only works if the CDN is on the same domain, even a subdomain can be problematic in many cases.

[internetter]

This is actually fairly common for apps using CDNs – not just airtable. I agree it's potentially problematic

[blue_green_maps]

Yes, this is the case for images uploaded through GitHub comments, I think.

[eddythompson80]

That's not true. There is a JWT token in the url with about 5 minute expiration window.