Form Plume API

Use the API to automate forms, submissions, delivery settings, integrations, analytics, and usage. Billing, organization membership, invitations, and API key management remain dashboard-session-only. Give an AI coding assistant the form-plume-api skill, or use the MCP server if you prefer ready-made agent tools.

The API skill is for authenticated workspace automation. If you are only building a form that sends visitor submissions, use the form-building skill and the public form endpoint instead; you do not need an organization API key.

Use it to:

Authenticate with an organization API key and try these three requests:

# Who am I?
curl -s https://api.formplume.com/v1/api-keys/current \
  -H "Authorization: Bearer $FORMPLUME_API_KEY"
 
# Create a form
curl -s -X POST https://api.formplume.com/v1/forms \
  -H "Authorization: Bearer $FORMPLUME_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "Contact", "emoji": "📬"}'
 
# Read submissions
curl -s "https://api.formplume.com/v1/forms/FORM_ID/submissions?status=received" \
  -H "Authorization: Bearer $FORMPLUME_API_KEY"

Need the OpenAPI spec? Open /v1/openapi.json

What the API covers

  • Forms and submissions: manage forms, settings, submissions, files, and exports.
  • Delivery and automation: configure email, autoresponders, webhooks, and integrations.
  • Protection and reporting: manage spam protection, analytics, and usage.

Conventions

  • Field names are snake_case in requests and responses.
  • Errors use one JSON envelope with a stable machine-readable code. Validation failures name the exact field that was rejected. See Errors.
  • Pagination: list endpoints that paginate take ?cursor= and return next_cursor, which is null on the last page. The cursor is opaque. Pass it back verbatim.
  • Timestamps are RFC 3339 UTC strings. IDs are short opaque strings.
  • Enums: every accepted value is listed in the OpenAPI spec with a description. Submission statuses are received, spam, verified, and archived. Bulk actions are mark_spam, mark_verified, mark_received, archive, delete, restore, and redeliver.

Unknown top-level fields in a request body are rejected, so typos fail loudly. Inside settings, unknown keys in the typed sections (spam, rate_limit, privacy, email, retention) are dropped. Unknown top-level settings keys are preserved for forward compatibility.

The API is separate from the submission endpoint your forms post to. Form submissions go to POST /f/{public_slug} without an API key, as described in the quickstart. They are governed by per-form submission rate limits, not the API rate limit.

On this page