P
ProFormsDocs

API Keys

Create and manage API keys for programmatic access. Requires owner or admin role.

ℹī¸
API key management requires an Agency or Enterprise plan. Rate limits are automatically set based on your plan: Agency gets 300/min, Enterprise gets 600/min.

Security Restrictions

For security, the following actions are not available via API keys and require dashboard session authentication:

Restricted ActionReason
SMTP / Email settingsCredentials exposure risk
Billing / Plan changesFinancial actions require dashboard
Organization settingsOrg-level changes too risky via API
Team invites & managementPrevents unauthorized access escalation
File uploadsPrevents abuse as free file hosting
Admin endpointsPlatform admin is session-only
GET/v1/api-keys

List all API keys for your organization.

curl
curl "https://proforms.io/api/v1/api-keys" \
  -H "Authorization: Bearer pf_your_api_key"
200 OK
{
  "success": true,
  "data": {
    "keys": [
      {
        "id": "key_abc123",
        "name": "Production Key",
        "keyPrefix": "pf_a1b2c3d",
        "permissions": [
          "forms.view",
          "submissions.view"
        ],
        "rateLimitPerMin": 60,
        "lastUsedAt": "2026-02-20T10:00:00.000Z",
        "expiresAt": null,
        "isRevoked": false,
        "createdBy": {
          "name": "John Doe",
          "email": "john@example.com"
        },
        "createdAt": "2026-01-15T09:00:00.000Z"
      }
    ]
  }
}
POST/v1/api-keys

Create a new API key. The secret key is only returned once — store it securely.

⚠ī¸
API keys cannot be created using another API key — you must be authenticated via session (dashboard). The full secret key (secretKey) is only returned on creation and cannot be retrieved later.

Request Body

name*string

Key name (max 255 chars)

permissionsstring[]

Permissions array. Omit for full API access (excludes restricted actions above). Cannot include settings.email, settings.billing, settings.org, team.invite, or team.manage.

expiresInDaysnumber

Auto-expire after N days. Omit for no expiry.

curl
curl -X POST "https://proforms.io/api/v1/api-keys" \
  -H "Authorization: Bearer session_token" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CI/CD Pipeline",
    "permissions": ["forms.view", "submissions.view", "submissions.export"],
    "expiresInDays": 90
  }'
200 OK
{
  "success": true,
  "data": {
    "key": {
      "id": "key_new123",
      "name": "CI/CD Pipeline",
      "secretKey": "pf_a1b2c3d4e5f6...full_key_here",
      "keyPrefix": "pf_a1b2c3d",
      "permissions": [
        "forms.view",
        "submissions.view",
        "submissions.export"
      ],
      "rateLimitPerMin": 300,
      "expiresAt": "2026-05-23T09:00:00.000Z",
      "createdAt": "2026-02-22T09:00:00.000Z"
    }
  }
}
GET/v1/api-keys/:id

Get details of a specific API key. Does not return the secret.

curl
curl "https://proforms.io/api/v1/api-keys/key_abc123" \
  -H "Authorization: Bearer pf_your_api_key"
PUT/v1/api-keys/:id

Update an API key's name, permissions, or rate limit.

namestring

New key name

permissionsstring[]

Updated permissions. Restricted permissions (email, billing, team management) are not allowed.

curl
curl -X PUT "https://proforms.io/api/v1/api-keys/key_abc123" \
  -H "Authorization: Bearer pf_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Renamed Key",
    "permissions": ["forms.view"]
  }'
DELETE/v1/api-keys/:id

Revoke an API key. Revoked keys immediately stop working. Call again with ?permanent=true on an already-revoked key to permanently delete it.

curl
curl -X DELETE "https://proforms.io/api/v1/api-keys/key_abc123" \
  -H "Authorization: Bearer pf_your_api_key"
200 OK
{
  "success": true,
  "data": {
    "message": "API key revoked"
  }
}
💡
Organization limit: 25 API keys per organization. Revoked keys count toward the limit until permanently deleted.