Authentication

Secure your API integrations with FavForm using API keys.

API access requires the Business plan.

API keys

API requests to protected endpoints require authentication using an API key. Generate keys from your dashboard settings.

Include your API key in the Authorization header as a Bearer token:

Bash
curl -X GET "https://favform.com/api/forms" \
  -H "Authorization: Bearer fav_your_api_key_here"

Key format

API keys follow this format:

fav_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  • Keys start with fav_ prefix
  • The full key is only shown once when created
  • After creation, only the prefix (fav_xxxxxxxx...) is visible
  • Keys are stored as secure hashes — we cannot recover lost keys

Key scopes

API keys are created with default scopes that control what they can access:

forms:read       Read form definitions and settings
responses:read   Read form and poll responses

Additional scopes for write operations will be available in future updates.

Managing keys

From Settings → Developers, you can:

  • Generate new API keys with custom names
  • View key prefixes and creation dates
  • See when keys were last used
  • Revoke keys that are no longer needed

Security best practices

  • Never expose API keys in client-side code or public repositories
  • Use environment variables to store keys
  • Rotate keys periodically
  • Revoke unused keys immediately
  • Use separate keys for different applications
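
A pre-commit check for the first two practices above, added here as an example and not FavForm's own code: it reads the key from an environment variable and flags hard-coded keys in files, printing only the masked prefix. The variable name FAVFORM_API_KEY and the key alphabet and minimum length in the regex are assumptions.

```python
import os
import re
import sys

# Assumption: the key body after "fav_" is alphanumeric and at least 32 chars;
# the page shows only an "x" placeholder, so adjust to the real alphabet/length.
KEY_RE = re.compile(r"\bfav_[A-Za-z0-9]{32,}\b")
ENV_VAR = "FAVFORM_API_KEY"  # hypothetical variable name, not from the page

def mask(key):
    """Show only the prefix, as the dashboard does, so logs never hold a full key."""
    return key[:12] + "..."

def is_placeholder(key):
    """Documentation placeholders such as fav_xxxx... are one repeated character."""
    return len(set(key[4:])) == 1

def load_key(environ=os.environ):
    """Read the key from the environment instead of hard-coding it."""
    key = environ.get(ENV_VAR, "")
    if not KEY_RE.fullmatch(key) or is_placeholder(key):
        raise RuntimeError(f"{ENV_VAR} is unset or not a fav_ key")
    return key

def scan_text(text, source="<text>"):
    """Return (source, line number, masked key) for every hard-coded key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            if not is_placeholder(match.group()):
                findings.append((source, lineno, mask(match.group())))
    return findings

def scan_paths(paths):
    """Scan each file; undecodable bytes are replaced rather than aborting."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            findings.extend(scan_text(handle.read(), path))
    return findings

if __name__ == "__main__":
    # Usage: python scan_fav_keys.py $(git diff --cached --name-only --diff-filter=ACM)
    hits = scan_paths(sys.argv[1:])
    for source, lineno, masked in hits:
        print(f"{source}:{lineno}: hard-coded FavForm API key {masked}")
    sys.exit(1 if hits else 0)
```

A non-zero exit status blocks the commit when the script is wired into a pre-commit hook or CI step.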

Public endpoints

Some endpoints don't require authentication — they're designed for public form/poll/widget embeds:

GET   /api/forms/[id]            Get published form
POST  /api/forms/[id]/submit     Submit form response
GET   /api/polls/[id]            Get published poll
POST  /api/polls/[id]/vote       Submit poll vote
GET   /api/polls/[id]/results    Get poll results
GET   /api/widgets/[id]          Get published widget
POST  /api/widgets/[id]/submit   Submit widget response

These endpoints only return published content and don't expose sensitive data.

Error responses

Authentication errors return appropriate HTTP status codes:

Status   Meaning
401      Missing or invalid API key
403      Valid key but insufficient permissions
429      Rate limit exceeded

Submission security

Public submission endpoints include additional security measures:

Browser fingerprinting

Anonymous device identification to prevent duplicate submissions

Honeypot fields (Pro)

Hidden fields to detect and block bot submissions

Rate limiting (Pro)

Per-IP limits to prevent abuse (configurable)

Domain allowlisting

Restrict which domains can embed your forms