Skip to main content

Authentication

All API requests require a valid API key passed in the Authorization header.

API Keys

API keys are scoped to your user account. Any form you've published is accessible with any of your active keys.

Authorization: Bearer fmb_live_your_key_here

Keys start with fmb_live_ and are created in Settings > API Keys.

Key Limits

  • Up to 5 active keys per account.
  • Keys can be revoked at any time from Settings. Revoked keys are rejected immediately.
  • The raw key is shown only once at creation. Store it securely (e.g. in environment variables or a secrets manager).

Key Prefix

Each key stores a visible prefix (e.g. fmb_live_Xk9...) so you can identify which key is which in the Settings UI without exposing the full value.

Error Responses

If authentication fails, the API returns 401:

{
  "error": "Missing or invalid API key. Use Authorization: Bearer fmb_live_..."
}

A revoked or unknown key returns:

{
  "error": "Invalid or revoked API key"
}

Rate Limits

Submissions are subject to your account's monthly submission limit based on your subscription tier. When the limit is reached, the API returns 429:

{
  "error": "submission_limit_reached"
}

Read-only endpoints (listing forms, fetching specs, exporting submissions) are not rate-limited.