Authentication

Every Form Plume API request authenticates with an API key sent as a bearer token:

Authorization: Bearer fp_sk_live_xxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Create keys in the dashboard under API Keys in the sidebar. Only organization admins and owners can create, rename, reveal, or revoke them.

If an AI coding assistant is implementing the automation, give it the form-plume-api skill. Provide the key through FORMPLUME_API_KEY or a secret manager rather than pasting it into the prompt.

Scopes

You pick a scope when you create a key:

  • read can call every GET endpoint. Write requests fail with a 403 and the code read_only_key, so a key wired into a dashboard or report can never modify anything.
  • full can call everything on the API surface.

How keys behave

Keys belong to the organization, not to the person who created them. They keep working when someone leaves the team. An organization can hold up to 50 active keys.

You can rename, revoke, and reveal keys again from the dashboard. Secrets are stored encrypted rather than hashed, so you can recover a lost key instead of rotating it.

To verify a key and see which organization it belongs to, call:

curl -s https://api.formplume.com/v1/api-keys/current \
  -H "Authorization: Bearer $FORMPLUME_API_KEY"
{
  "key": {"id": "...", "name": "CI", "scope": "full", "key_prefix": "fp_sk_live_a1b2c3d4"},
  "tenant": {"id": "...", "name": "Acme", "plan": "pro"}
}

This is a cheap "does my key still work" probe. Put it at the start of scripts and agent sessions so a revoked key fails immediately with a clear error instead of halfway through a run.

What API keys cannot do

Account-level endpoints reject API keys with a 403 and the code session_required. That covers billing, organization membership, invitations, avatar, and API key management itself. These endpoints only accept a dashboard session.

So a leaked key can read or change form data within its scope, but it cannot mint new keys, change who is in the organization, or touch billing.

Treat API keys like passwords. Keep them in server-side configuration or a secrets manager, never in browser code or a public repository. If a key leaks, revoke it in the dashboard. Revocation takes effect immediately.

API keys are not the per-form access keys that protect private forms. Access keys authorize submissions to one form. API keys authorize management of the whole organization.

On this page