Authentication
Server-to-Server Access
API Keys
Generate scoped credentials directly from your FormFlow dashboard to authenticate backend services, webhooks, and cron jobs without handling user sessions.
Navigate to Settings > Developers > API Keys and click Create Key. Assign granular permissions like forms:read, submissions:write, or webhooks:manage. All production keys use the ff_live_ prefix and are hashed with bcrypt before storage. We recommend rotating keys every 90 days and enforcing IP allowlists for enterprise workspaces.
Key Generation
Keys are generated with a cryptographically secure pseudorandom number generator. Store the full secret immediately; it is displayed only once. Keys with the ff_test_ prefix are restricted to sandbox environments and expire automatically after 7 days.
Rate Limits & Quotas
Standard API keys allow 1,200 requests per minute with a burst capacity of 50. Enterprise plans scale to 10,000 RPM. Exceeding a limit returns HTTP 429 with a Retry-After header. Monitor remaining quota via the X-RateLimit-Remaining response header.
Security Best Practices
Never embed API keys in client-side JavaScript or public repositories. Use environment variables in your deployment pipeline. Enable audit logging to track key creation, rotation, and unauthorized access attempts across your organization.
Third-Party Integration
OAuth 2.0
Enable secure delegated access for external applications, automation platforms, and custom dashboards using industry-standard OAuth 2.0 with PKCE enforcement.
Register your application at auth.formflow.io/developer/apps to receive a client_id and client_secret. Configure the allowed redirect URIs, then initiate the authorization code flow. Access tokens expire after 15 minutes, while refresh tokens remain valid for 30 days unless revoked. Every API request must send the access token in an Authorization: Bearer header.
Authorization Flow
FormFlow supports the Authorization Code flow with Proof Key for Code Exchange. Direct users to /oauth/authorize with your client_id, redirect_uri, scope, and code_challenge. Upon consent, FormFlow returns a short-lived authorization code to exchange for tokens.
Scope Management
Define precise permissions during app registration. Common scopes include profile:read, forms:export, integrations:manage, and billing:view. Users can restrict granted scopes during the consent screen, and administrators can enforce scope policies across teams.
Token Refresh & Revocation
Call the /oauth/token endpoint with grant_type=refresh_token to obtain a new access token without re-prompting the user. Revoke tokens instantly from the dashboard or by calling /oauth/revoke. Enterprise accounts support automated token rotation and SSO session alignment.
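The client side of the Authorization Code + PKCE flow described above, as an added Python example that is not FormFlow's own SDK or code: it derives the S256 code_challenge from a fresh code_verifier, builds the /oauth/authorize redirect, validates the callback's state before accepting the code, and prepares the /oauth/token bodies for the code exchange and for grant_type=refresh_token. The https://auth.formflow.io origin, the callback URL, and the standard RFC 6749/7636 parameter names the page does not list (response_type, state, code_verifier, code_challenge_method) are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed origin: the page gives /oauth/* paths only relatively, so this host is a guess.
AUTH_BASE = "https://auth.formflow.io"

def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy PKCE verifier (RFC 7636 requires 43..128 unreserved characters)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()

def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(client_id: str, redirect_uri: str, scopes: list,
                        verifier: str, state: str) -> str:
    """Step 1: the /oauth/authorize redirect. Only the challenge leaves the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),                 # e.g. forms:export profile:read
        "state": state,                            # random per-session CSRF binder
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_BASE}/oauth/authorize?{urlencode(params)}"

def extract_code(callback_url: str, expected_state: str) -> str:
    """Step 2: read ?code= from the redirect, refusing a forged or replayed state."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this session")
    if "code" not in qs:
        raise ValueError(f"authorization failed: {qs.get('error', ['unknown'])[0]}")
    return qs["code"][0]

def token_request_body(client_id: str, redirect_uri: str,
                       code: str, verifier: str) -> dict:
    """Step 3: form body POSTed to /oauth/token; the server hashes the verifier and compares."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}

def refresh_request_body(client_id: str, refresh_token: str) -> dict:
    """Renew the 15-minute access token via /oauth/token without re-prompting the user."""
    return {"grant_type": "refresh_token", "client_id": client_id, "refresh_token": refresh_token}
```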