Authentication overview

Formstack provides an API for developers to integrate its form, document, and e-signature capabilities into custom applications and workflows. Authentication for the Formstack API primarily uses API Keys. An API Key is a bearer secret: it both identifies the account or application making a request and authorizes it, and whoever presents a valid key is treated as its owner. Formstack accepts only requests that carry a valid key, so the key is what stands between the outside world and the data in your account.

The API Key system supports programmatic operations such as retrieving form submissions, managing forms, or triggering document generation. Because a key grants everything its permissions allow, with no second factor, a leaked key means unauthorized access to that data and functionality until the key is revoked; handle keys as carefully as the password of a privileged account. Formstack's web interface uses separate user authentication for interactive access, with single sign-on (SSO) and multi-factor authentication (MFA) available to protect administrative logins.

Supported authentication methods

For API access, Formstack primarily uses API Keys: long, randomly generated strings that grant access to your account's data and functionality. The key accompanies each request, either in a request header or as a query parameter, and the Formstack API authenticates the request by validating it. Prefer the header: a key in the query string is written to web-server and proxy access logs, browser history and Referer headers, and is far easier to leak. Confirm the current header name and token format against the Formstack API documentation before building on the examples in this page.

For interactive user logins to the Formstack web application, the platform supports several authentication methods aimed at securing user accounts:

  • Username and Password: Standard authentication method for individual users.
  • Single Sign-On (SSO): Integrates with identity providers (IdPs) like Okta or Azure AD, allowing users to log in using their existing organizational credentials. This enhances security by centralizing identity management and often leveraging stronger authentication policies from the IdP.
  • Multi-Factor Authentication (MFA): Adds an extra layer of security beyond a password, typically requiring a second verification method, such as a code from an authenticator app or a security key. This is a critical control against credential theft.

Comparison of authentication methods

Method                 | When to use                                                        | Security level
-----------------------+--------------------------------------------------------------------+----------------------------------------------------------------
API Key                | Programmatic access: server-to-server calls, backend integrations  | High only while the key is stored, scoped and rotated as a bearer secret
Username/Password      | Direct user login to the Formstack web application                 | Moderate; raise it by enforcing MFA
Single Sign-On (SSO)   | Organizational user access through a central identity provider     | High; inherits the IdP's policies and its weaknesses
MFA (second factor)    | Added to Username/Password or SSO logins; not a standalone method  | Very high against credential theft when combined with either login method

Getting your credentials

To obtain an API Key for Formstack, you typically need to navigate to your account settings within the Formstack web application. The process generally involves:

  1. Logging into your Formstack account.
  2. Accessing the API integration or developer settings section.
  3. Generating a new API Key. Formstack's help documentation provides specific steps for API key generation and management, which should be consulted for the most current instructions.

If the key-generation screen lets you assign permissions or scopes, grant only the resources and actions the integration needs, following the principle of least privilege. If it does not, issue a separate key for each integration rather than sharing one: a compromised key can then be revoked without taking down unrelated systems, and usage logs attribute activity to a single consumer.

For SSO and MFA setup, administrators will configure these options within the Formstack account settings, often involving integration with an external identity provider and enabling MFA for users or groups. The Formstack Help Center offers detailed guides for configuring these advanced authentication methods to align with organizational security policies.

Authenticated request example

When interacting with the Formstack API, your API Key is typically included in a request header. Below is an example using cURL to retrieve the list of forms in the account, where YOUR_API_KEY stands for your actual Formstack API Key (the key itself identifies the account, so no separate account identifier appears in the request):


curl -X GET \
  'https://www.formstack.com/api/v2/form.json' \
  -H 'X-API-KEY: YOUR_API_KEY'

Replace YOUR_API_KEY with the key generated in your Formstack account. X-API-KEY is the header this example uses to carry the key; check the Formstack API reference for the exact header name and token format your account expects. Always make API requests over HTTPS so the key is encrypted in transit, and leave certificate verification enabled: passing -k or --insecure to cURL, or disabling verification in a client library, lets a man-in-the-middle read the key.

For more complex API interactions, such as creating submissions or managing documents, consult the Formstack API Integrations documentation for specific endpoint details and required parameters.
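The same request from a Python client, as an added example rather than Formstack's own client code. It reads the key from the environment, sends it in the X-API-KEY header over HTTPS with certificate verification on, refuses to put the key in the URL, and turns a 401/403 into an error that carries only the key's last four characters. The header name and the form.json endpoint come from the cURL example above; the FORMSTACK_API_KEY variable and the offline_opener stand-in (so the block runs without network access) are this example's own assumptions.

```python
import io
import json
import os
import urllib.error
import urllib.request

API_BASE = "https://www.formstack.com/api/v2"   # https only: the key is a bearer secret


class FormstackAuthError(Exception):
    """Raised when Formstack rejects the credential (HTTP 401 or 403)."""


def load_api_key(env=None):
    """Read the key from the environment; it never lives in source or config files."""
    env = os.environ if env is None else env
    key = env.get("FORMSTACK_API_KEY", "").strip()   # variable name is this example's choice
    if not key:
        raise RuntimeError("FORMSTACK_API_KEY is not set")
    return key


def redact(key):
    """Key as it may appear in logs and error messages: last four characters only."""
    return "..." + key[-4:] if len(key) > 8 else "****"


def build_request(path, api_key):
    """GET request that carries the key in a header, never in the query string.

    Query-string credentials are written to proxy and web-server access logs and
    leak through Referer headers; a request header is not logged by default.
    """
    url = f"{API_BASE}/{path.lstrip('/')}"
    if not api_key or api_key in url:
        raise ValueError("API key must travel in the X-API-KEY header only")
    # urllib normalises header names to "X-api-key"; HTTP treats names
    # case-insensitively, so the server sees the same header curl would send.
    return urllib.request.Request(
        url, headers={"X-API-KEY": api_key, "Accept": "application/json"}
    )


def fetch_json(req, opener=urllib.request.urlopen):
    """Send the request; map 401/403 to FormstackAuthError without leaking the key."""
    key = req.get_header("X-api-key", "")
    try:
        with opener(req, timeout=15) as resp:   # urlopen verifies the TLS certificate by default
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            # "from None" keeps the HTTPError from chaining into the traceback
            raise FormstackAuthError(
                f"Formstack rejected API key {redact(key)} (HTTP {err.code})"
            ) from None
        raise


def offline_opener(valid_key, forms):
    """Constructed stand-in for urlopen so the example runs with no network:
    returns `forms` when the presented key matches, otherwise answers HTTP 401."""
    def open_(req, timeout=None):
        if req.get_header("X-api-key") != valid_key:
            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
        return io.BytesIO(json.dumps({"forms": forms}).encode())
    return open_


if __name__ == "__main__":
    # Real call: export FORMSTACK_API_KEY=... first. For an offline run, pass
    # offline_opener("your-key", [...]) as the second argument to fetch_json.
    api_key = load_api_key()
    print(json.dumps(fetch_json(build_request("form.json", api_key)), indent=2))
```

The opener argument is what makes the client testable without a live account: production code passes nothing and gets urllib's verifying urlopen, while tests inject offline_opener and can exercise the 401 path, which is the path most integrations never test until a key is rotated.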

Security best practices

Adhering to security best practices is crucial when working with Formstack authentication credentials to protect your data and maintain compliance:

  • Secure API Key Storage: Never hardcode API Keys directly into client-side code or commit them to version control systems like Git. Instead, store them in environment variables, secure configuration files, or dedicated secret management services. For server-side applications, use secure vaults (e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault) to retrieve keys at runtime.
  • Use HTTPS: Always ensure all communication with the Formstack API occurs over HTTPS. This encrypts data in transit, preventing eavesdropping and man-in-the-middle attacks that could expose your API Keys and sensitive data. Never disable certificate verification in a client to work around a TLS error; fix the trust store instead. The IETF RFC 2818 defines HTTP over TLS, the foundation for HTTPS.
  • Principle of Least Privilege: Generate API Keys with the minimum necessary permissions required for the task. If a key is only needed to read form submissions, do not grant it permission to delete forms. Regularly review and adjust key permissions as application requirements evolve.
  • API Key Rotation: Rotate API Keys on a schedule and immediately after any suspected exposure (a key pasted into a ticket, a lost laptop, an offboarded contractor). This limits the window in which a leaked key is useful. Rotate with an overlap: generate the new key, deploy it to every consumer, confirm in usage logs that the old key has gone quiet, then revoke the old key and verify that a request with it now fails with 401.
  • Monitor API Usage: Regularly review API access logs for unusual activity, such as high request volumes, requests from source addresses where none of your integrations run, use outside business hours, or clusters of failed authentication attempts (a revoked key still in use, or an attacker guessing). Many API gateways, such as Kong Gateway, offer robust monitoring capabilities if your calls pass through one.
  • Error Handling: Implement robust error handling in your applications to gracefully manage authentication failures without exposing sensitive information. Never write the key itself into logs, error messages, or crash reports; log at most a short suffix so a rotated key can be told apart from its successor. Avoid verbose error messages that could aid attackers.
  • Multi-Factor Authentication (MFA) for User Logins: Enable MFA for all Formstack user accounts, especially administrative ones. This significantly reduces the risk of unauthorized access even if passwords are stolen.
  • Single Sign-On (SSO) Integration: For organizations, integrate Formstack with your identity provider via SSO. This centralizes user management and leverages your IdP's advanced security features like conditional access policies and detailed audit trails.
  • IP Allowlisting (whitelisting): If supported for your Formstack plan or API, restrict API Key usage to the specific IP addresses or ranges your applications call from; a stolen key is then useless from anywhere else. Where Formstack does not enforce this, apply the same allowlist on your side when reviewing usage logs, and treat a successful call from an unlisted address as a compromise indicator.
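Putting the monitoring and allowlist points into code, as an added example that is not Formstack tooling. This page does not describe a log format, so the lines below are constructed in a simple "time source key-suffix method path status" shape; parse_line is the one function to change for real logs from your gateway, proxy, or account activity export. The allowlist addresses and thresholds are assumptions. The check flags a key that succeeds from a source outside the allowlist, repeated 401/403 responses for one key from one source, and a per-key volume spike.

```python
import re
from collections import Counter, defaultdict

# Addresses the integration legitimately calls from (assumption, documentation ranges).
ALLOWED_SOURCES = {"203.0.113.10", "203.0.113.11"}
FAILED_AUTH_THRESHOLD = 3   # 401/403 responses per (key, source) before alerting
VOLUME_THRESHOLD = 50       # requests per key in the reviewed window before alerting

# Constructed log lines; keys are recorded by suffix only, never in full.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 key=...cdef GET /api/v2/form.json 200
2024-05-01T10:00:02Z 203.0.113.10 key=...cdef GET /api/v2/form/12345/submission.json 200
2024-05-01T10:03:10Z 198.51.100.7 key=...cdef GET /api/v2/form.json 200
2024-05-01T10:03:11Z 198.51.100.7 key=...cdef GET /api/v2/form/12345/submission.json 200
2024-05-01T10:05:00Z 192.0.2.44 key=...9f1a GET /api/v2/form.json 401
2024-05-01T10:05:01Z 192.0.2.44 key=...9f1a GET /api/v2/form.json 401
2024-05-01T10:05:02Z 192.0.2.44 key=...9f1a GET /api/v2/form.json 401
2024-05-01T10:05:03Z 192.0.2.44 key=...9f1a GET /api/v2/form.json 401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) key=(?P<key>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """One log line to a dict, or None for a malformed line (skip, never crash)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    return event


def find_anomalies(log_text, allowed=ALLOWED_SOURCES,
                   failed_threshold=FAILED_AUTH_THRESHOLD,
                   volume_threshold=VOLUME_THRESHOLD):
    """Return a list of findings, each {"rule", "key", "detail"}."""
    failures = Counter()          # (key, source) -> failed authentications
    volume = Counter()            # key -> requests seen in the window
    foreign = defaultdict(set)    # key -> unlisted sources that used it successfully
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        volume[ev["key"]] += 1
        if ev["status"] in (401, 403):
            failures[(ev["key"], ev["ip"])] += 1
        elif ev["ip"] not in allowed:
            foreign[ev["key"]].add(ev["ip"])

    findings = []
    for key, sources in foreign.items():
        # A valid key working from an unknown address is the strongest theft signal.
        findings.append({"rule": "key_used_outside_allowlist", "key": key,
                         "detail": sorted(sources)})
    for (key, ip), n in failures.items():
        if n >= failed_threshold:
            # A revoked key still being presented, or someone guessing.
            findings.append({"rule": "repeated_auth_failures", "key": key,
                             "detail": {"source": ip, "count": n}})
    for key, n in volume.items():
        if n > volume_threshold:
            findings.append({"rule": "volume_spike", "key": key, "detail": n})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(finding)
```

Run against a real export, the first rule is the one to wire to paging: a key that authenticates successfully from an address you do not own has already left your environment, and the response is rotation, not investigation first.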