Skip to main content

Authentication

All ZeroForms API requests require authentication using an access key.

Getting Your Access Key

  1. Log in to your ZeroForms Dashboard
  2. Navigate to Settings → Access Keys
  3. Click Generate New Key
  4. Copy your key (starts with zf_)
  • Keep your access key secure like a password
  • Never commit it to version control
  • Use environment variables in production
  • Regenerate keys regularly
  • You can have multiple active keys

Using Your Access Key

Include your access key in the x-access-key header for every request: 
curl https://api.zeroforms.dev/api/forms \
  -H "x-access-key: zf_your_key_here"

JavaScript Example

const accessKey = process.env.ZEROFORMS_ACCESS_KEY;

const response = await fetch('https://api.zeroforms.dev/api/forms', {
  method: 'GET',
  headers: {
    'x-access-key': accessKey,
    'Content-Type': 'application/json'
  }
});

const data = await response.json();

Python Example

import os
import requests

access_key = os.getenv('ZEROFORMS_ACCESS_KEY')

headers = {
    'x-access-key': access_key,
    'Content-Type': 'application/json'
}

response = requests.get(
    'https://api.zeroforms.dev/api/forms',
    headers=headers
)

data = response.json()

Environment Variables

Store your access key as an environment variable:

.env file (Node.js)

ZEROFORMS_ACCESS_KEY=zf_your_key_here

Load in code

const accessKey = process.env.ZEROFORMS_ACCESS_KEY;

.env file (Python)

ZEROFORMS_ACCESS_KEY=zf_your_key_here

Load in code

import os
access_key = os.getenv('ZEROFORMS_ACCESS_KEY')

Security Best Practices

Use Environment Variables

Never hardcode keys in your source code.

Rotate Keys Regularly

Generate new keys and retire old ones every 90 days.

Scope Keys to Forms

Create separate keys for different applications.

Monitor Usage

Check the API logs for suspicious activity.

Key Permissions

Each access key can have specific permissions:
  • forms:read - Read form data
  • forms:write - Create and modify forms
  • submissions:read - Read submissions
  • submissions:export - Export submission data
  • webhooks:write - Manage webhooks
  • analytics:read - View analytics

Generating New Keys

You can have multiple active access keys: 
# In Dashboard: Settings → Access Keys → Generate New Key
Give each key a descriptive name:
  • production-api
  • staging-api
  • mobile-app
  • zapier-integration

Regenerating Keys

If you suspect a key is compromised:
  1. Go to Settings → Access Keys
  2. Click the Regenerate button next to the key
  3. Update all applications using the old key
  4. Delete the old key once all applications are updated

Scoped Access (Enterprise)

For enterprise customers, you can create API keys with limited permissions: 
curl -X POST https://api.zeroforms.dev/api/keys \
  -H "x-access-key: your-admin-key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Read-only API Key",
    "permissions": [
      "forms:read",
      "submissions:read"
    ],
    "expiresAt": "2026-12-31"
  }'

Troubleshooting

”Invalid or missing access key”

  • Verify your key is spelled correctly
  • Check that the header name is exactly x-access-key (lowercase)
  • Ensure the key hasn’t been revoked or regenerated

”Unauthorized”

  • Verify you have the correct permissions for this operation
  • Check that the key belongs to the correct organization

”Forbidden”

  • Your key doesn’t have permission for this endpoint
  • Contact support to increase key permissions

Need Help?

Check our troubleshooting guide for more authentication issues.