Authentication
All API requests must be authenticated using an API key. Keys can be created and managed in Settings -> API Keys.
API Key Format
API keys are prefixed with sk_ followed by a unique identifier:
sk_a1b2c3d4e5f6...
Keys are stored securely. Once created, the full key cannot be retrieved - only a prefix is shown for identification.
Using Your API Key
Include your API key in the Authorization header as a Bearer token:
Authorization: Bearer sk_your_api_key_here
Example: cURL
curl -X GET https://your-domain.com/api/forms \
  -H "Authorization: Bearer sk_a1b2c3d4..." \
  -H "Content-Type: application/json"
Example: JavaScript (fetch)
const response = await fetch('https://your-domain.com/api/forms', {
  headers: {
    'Authorization': 'Bearer sk_a1b2c3d4...',
    'Content-Type': 'application/json',
  },
});
const data = await response.json();
Authentication Errors
| Status | Meaning | Resolution |
|---|---|---|
| 401 Unauthorized | Missing or invalid API key | Check that the key is included in the Authorization header |
| 403 Forbidden | Key is valid but lacks permission | Make sure you have permission for this resource |
Security Best Practices
- Never expose keys in client-side code. API keys should only be used in server-side code or secure environments.
- Use environment variables. Store keys in environment variables, not in source code or version control.
- Rotate keys regularly. Create new keys periodically and revoke old ones from Settings.
- Use descriptive names. Name keys after their purpose (e.g., "Production Server", "CI/CD Pipeline") for easier management.
- Revoke compromised keys immediately. If a key is exposed, revoke it in Settings and create a replacement.
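
A server-side sketch of these practices, added here as an example and not part of the original documentation: the key is read from an environment variable, only a redacted prefix ever reaches logs or error messages, and the documented 401 and 403 responses are turned into distinct errors. The variable name `FORMS_API_KEY`, the function names, and the 7-character redaction length are assumptions.

```javascript
// Added example (not from the original docs). Assumptions: the environment
// variable name FORMS_API_KEY and all function names here are hypothetical.

// Read the key from the environment instead of source code. The page only
// documents the "sk_" prefix, so that is the only format check made.
function loadApiKey(env = process.env) {
  const key = (env.FORMS_API_KEY || '').trim();
  if (!key) throw new Error('FORMS_API_KEY is not set');
  if (!key.startsWith('sk_') || key.length <= 3) {
    throw new Error('FORMS_API_KEY does not look like an sk_ key');
  }
  return key;
}

// Log-safe form of a key: a short prefix only (assumed length: at most 7
// characters, and never more than half of the key).
function redactKey(key) {
  return key.slice(0, Math.min(7, Math.floor(key.length / 2))) + '...';
}

// Map the documented authentication errors to an actionable message that
// identifies the key by its redacted prefix, never by its full value.
function authError(status, key) {
  if (status === 401) {
    return new Error(`401 Unauthorized: key ${redactKey(key)} missing or invalid`);
  }
  if (status === 403) {
    return new Error(`403 Forbidden: key ${redactKey(key)} lacks permission`);
  }
  return null;
}

// Server-side request. fetchImpl is injectable so it can be stubbed in tests.
async function listForms(baseUrl, env = process.env, fetchImpl = fetch) {
  const key = loadApiKey(env);
  const response = await fetchImpl(`${baseUrl}/api/forms`, {
    headers: {
      'Authorization': `Bearer ${key}`,
      'Content-Type': 'application/json',
    },
  });
  const err = authError(response.status, key);
  if (err) throw err;
  if (!response.ok) throw new Error(`Request failed with status ${response.status}`);
  return response.json();
}
```

A 401 raised here usually means the variable holds a revoked or mistyped key; a 403 means the key is valid and the fix is in its permissions, not in the header.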