Resources/The Agent API Atlas/Forms/Formstack

Everything an AI agent can do with the Formstack API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints25

API versionv2

Last updated23 June 2026

Orientation

How the Formstack API works.

The Formstack API is how an app or AI agent works with a Formstack account: listing forms and their fields, reading and creating the submissions a form collects, organizing forms into folders, and registering webhooks that fire when a form is submitted. Access is granted through an access token sent as a Bearer credential, and that token follows the in-app permissions of the Formstack user behind it, with no granular per-endpoint scopes to narrow it further. Formstack can also push a submission to a webhook URL the moment a form is submitted.

25Endpoints

7Capability groups

12Read

13Write

0Permissions

Authentication

Every call needs an access token sent as 'Authorization: Bearer '. The v2 API uses an OAuth 2.0 access token that a user grants to an application; the newer v2025 API uses a Personal Access Token generated in the Formstack admin area, in the form fs_pat_. Either token is tied to a Formstack user and follows that user's in-app permissions.

Permissions

Formstack does not break access into granular per-endpoint scopes. An OAuth access token follows the in-app permissions of the Formstack user behind it, so it reaches every form, field, submission, folder, and webhook that user can see, read and write alike. There is no token-level way to limit an integration to one form or to read-only. Folders are the in-app mechanism for grouping forms under shared permissions, but they do not narrow what an issued token can call.

Versioning

Two API generations run side by side. The v2 API authenticates with OAuth 2.0 access tokens and answers under /api/v2/, with JSON or XML responses. The v2025 API, released on 22 August 2025, authenticates with Personal Access Tokens and answers under /api/v2025/, returning JSON only with feature parity to v2. Formstack has said v2 is not being retired.

Data model

The API is resource-oriented JSON over HTTPS at www.formstack.com. Forms are the core resource, and fields, submissions, confirmation and notification emails, webhooks, and partial submissions nest under a form at /api/v2/form/{id}/..., while a single field, submission, or webhook is addressed directly by its own id. Submissions hold the data people enter, which can include personal data.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Formstack determines what it can reach. Access runs through an OAuth 2.0 access token sent as a Bearer credential, and that token follows the in-app permissions of the Formstack user it belongs to.

Ways to connect

REST API (v2)

The v2 REST API answers under https://www.formstack.com/api/v2/ and authenticates with an OAuth 2.0 access token sent as a Bearer credential. It accepts URL-encoded parameters or JSON, and returns JSON by default or XML on request.

Best forConnecting an app or AI agent to Formstack with OAuth.

Governed byThe OAuth access token and the Formstack user permissions behind it.

Docs ↗

REST API (v2025)

The newer v2025 REST API answers under https://www.formstack.com/api/v2025/ and authenticates with a Personal Access Token sent as a Bearer credential, in the form fs_pat_. It returns JSON only and has feature parity with v2.

Best forNew integrations on the modern Formstack API surface.

Governed byThe Personal Access Token and the Formstack user permissions behind it.

Docs ↗

Webhooks

A webhook registered on a form posts the submission data to a chosen URL in real time as each form is submitted, so an app receives submissions instead of polling for them.

Best forReceiving form submissions as they happen.

Governed byThe OAuth access token and the Formstack user permissions behind it.

Docs ↗

Authentication

OAuth 2.0 access token (v2)

A user authorizes an application, which receives an OAuth 2.0 access token tied to that Formstack user. The token is sent as a Bearer credential and follows the user's in-app permissions, reaching every form, field, and submission that user can see. There are no granular per-endpoint scopes to narrow it.

TokenOAuth 2.0 access token

Best forApps acting on behalf of a Formstack user

Docs ↗

Personal Access Token (v2025)

A Personal Access Token is generated in the Formstack admin area with a name and an optional expiry, then sent as a Bearer credential in the form fs_pat_. It is tied to a Formstack user and follows that user's in-app permissions. It is the credential for the v2025 API.

TokenPersonal Access Token

Best forNew integrations on the v2025 API

Docs ↗

Capability map

What an AI agent can do in Formstack.

The Formstack API is split into areas an agent can act on, such as forms, their fields, the submissions they collect, folders, webhooks, and the confirmation and notification emails a form sends. Each area has its own methods, and a single token reaches all of them across the account.

Forms

5 endpoints

List the forms in an account, read a single form, create a form, copy a form, and delete a form.

Writes here change real form data, and deleting a form removes it.

View endpoints →

Fields

5 endpoints

List a form's fields, read a single field, create a field, update a field, and delete a field.

Writes here change a form's structure and the data it collects.

View endpoints →

Submissions

4 endpoints

List a form's submissions, read a single submission, create a submission, and delete a submission.

Submissions hold the data people enter into a form, so reads here can expose personal data.

View endpoints →

Folders

2 endpoints

List the folders that organize forms, and create a folder.

Writes here change how forms are organized in the account.

View endpoints →

Webhooks

3 endpoints

List a form's webhooks, create a webhook that posts on submission, and delete a webhook.

A webhook sends submission data to an external URL on every submission.

View endpoints →

Confirmation & notification emails

4 endpoints

List and create the confirmation emails a form sends to the submitter, and the notification emails it sends to the team.

Writes here change who receives email when a form is submitted.

View endpoints →

Partial submissions

2 endpoints

List the partial submissions saved before a form was finished, and read a single partial submission.

Partial submissions hold data entered before a form was completed.

View endpoints →

Endpoint reference

Every Formstack API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Forms List the forms in an account, read a single form, create a form, copy a form, and delete a form.5
GET	`/api/v2/form.json`	List all forms in the account, with paging, folder filtering, and sorting.	read	—	Current
An OAuth access token reaches every form the underlying Formstack user can see; there is no per-endpoint scope to narrow it. Acts onform Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v2/form/{id}.json`	Get the details of a single form, including its fields and settings.	read	—	Current
Access follows the token's user; there is no per-form scope on the token itself. Acts onform Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/form.json`	Create a new form in the account.	write	—	Current
A token that can write reaches every form the user can manage; the OAuth grant is account-level. Acts onform Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/form/{id}/copy.json`	Create a copy of an existing form.	write	—	Current
The copy is created in the same account the token belongs to. Acts onform Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/api/v2/form/{id}.json`	Delete a form from the account.	write	—	Current
Deleting removes the form and the submissions stored on it; the token reaches any form the user can manage. Acts onform Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Fields List a form's fields, read a single field, create a field, update a field, and delete a field.5
GET	`/api/v2/form/{id}/field.json`	List all fields on a form.	read	—	Current
Fields define what a form asks for; the token's user must be able to see the form. Acts onfield Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/form/{id}/field.json`	Add a new field to a form.	write	—	Current
Adding a field changes what the form collects from every future submitter. Acts onfield Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v2/field/{id}.json`	Get the details of a single field.	read	—	Current
Access follows the token's user and the form the field belongs to. Acts onfield Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/api/v2/field/{id}.json`	Update a field's settings, such as its label, type, or options.	write	—	Current
Changing a field changes what the live form asks for. Acts onfield Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/api/v2/field/{id}.json`	Delete a field from a form.	write	—	Current
Removing a field removes the data it collected from the form's structure. Acts onfield Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Submissions List a form's submissions, read a single submission, create a submission, and delete a submission.4
GET	`/api/v2/form/{id}/submission.json`	List the submissions on a form, with paging and date filtering.	read	—	Current
Submissions hold whatever people entered, including any personal data; the token reaches every submission on forms the user can see. Acts onsubmission Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v2/submission/{id}.json`	Get the details of a single submission, including its field values.	read	—	Current
Returns the data a person entered into the form, which can include personal data. Acts onsubmission Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/form/{id}/submission.json`	Create a submission on a form by supplying field values.	write	—	Current
Creating a submission can trigger the form's confirmation emails, notifications, and webhooks, the same as a real submitter. Acts onsubmission Permission (capability)None required VersionAvailable since the API’s base version Webhook event`form_submission` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/api/v2/submission/{id}.json`	Delete a submission from a form.	write	—	Current
Deleting permanently removes the data a person entered. Acts onsubmission Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Folders List the folders that organize forms, and create a folder.2
GET	`/api/v2/folder.json`	List the folders used to organize forms in the account.	read	—	Current
Folders are one way Formstack assigns form permissions to a group of forms. Acts onfolder Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/folder.json`	Create a folder for organizing forms.	write	—	Current
The folder is created in the account the token belongs to. Acts onfolder Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Webhooks List a form's webhooks, create a webhook that posts on submission, and delete a webhook.3
GET	`/api/v2/form/{id}/webhook.json`	List the webhooks registered on a form.	read	—	Current
Shows where a form sends submission data, which reveals external destinations. Acts onwebhook Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/form/{id}/webhook.json`	Create a webhook on a form that posts submission data to a URL on each submission.	write	—	Current
Adding a webhook starts sending every future submission to an external URL. Acts onwebhook Permission (capability)None required VersionAvailable since the API’s base version Webhook event`form_submission` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/api/v2/webhook/{id}.json`	Delete a webhook from a form.	write	—	Current
Removing a webhook stops the form sending submissions to that URL. Acts onwebhook Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Confirmation & notification emails List and create the confirmation emails a form sends to the submitter, and the notification emails it sends to the team.4
GET	`/api/v2/form/{id}/confirmation.json`	List the confirmation emails a form sends to the submitter.	read	—	Current
Shows the messages a form sends back to people who submit it. Acts onconfirmation email Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/form/{id}/confirmation.json`	Add a confirmation email that the form sends to the submitter.	write	—	Current
Changes what message a submitter receives after submitting. Acts onconfirmation email Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v2/form/{id}/notification.json`	List the notification emails a form sends to the team on submission.	read	—	Current
Shows who on the team is emailed when the form is submitted. Acts onnotification email Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/form/{id}/notification.json`	Add a notification email that the form sends to the team on submission.	write	—	Current
Changes which addresses receive submission data by email. Acts onnotification email Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Partial submissions List the partial submissions saved before a form was finished, and read a single partial submission.2
GET	`/api/v2/form/{id}/partialsubmission.json`	List the partial submissions saved on a form before it was finished.	read	—	Current
Partial submissions hold data entered before a person completed the form. Acts onpartial submission Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v2/partialsubmission/{id}.json`	Get the details of a single partial submission.	read	—	Current
Returns the partial data a person entered before finishing. Acts onpartial submission Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Formstack can notify an app or AI agent the moment a form is submitted, instead of the app repeatedly asking. A webhook registered on a form posts the submission payload to a chosen URL in real time as each submission arrives.

Event	What it signals	Triggered by
`Form submission`	Fires when a form is submitted. Formstack posts the submission data to the webhook URL registered on that form in real time, including data created through the submission endpoint.	`/api/v2/form/{id}/submission.json` `/api/v2/form/{id}/webhook.json`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Formstack limits how much an app or AI agent can call through a daily request quota counted per access token. Going over the quota returns a 429 error until the quota resets.

Request rate

Formstack counts requests against a daily quota per access token, not per account or per user. On the v2 API the quota is 14,400 calls per access token per day. On the v2025 API the daily quota varies by account plan type. The quota resets daily at midnight, and a call made after the quota is used up returns 429 Too Many Requests.

Pagination

List endpoints page through results with the page and per_page query parameters, for example form.json with page and per_page. The submission search service, which looks across every form in an account, returns at most 10,000 matching submissions per search.

Request size

Requests can be sent as URL-encoded parameters or JSON, and the v2 API returns JSON by default or XML when asked; the v2025 API returns JSON only. No single payload size limit is published across the whole API.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
400	`Bad Request`	The request URI was invalid, or a parameter was malformed.	Correct the path and parameters, then resend the request.
401	`Unauthorized`	Valid authentication credentials were not supplied, so the access token is missing, invalid, or expired.	Send a valid access token in the Authorization Bearer header.
403	`Forbidden`	The current user does not have access to this method or resource.	Use a token whose Formstack user has permission for the form or action.
404	`Not Found`	The resource requested could not be found, such as a form or submission id that does not exist.	Confirm the id and path are correct.
415	`Unsupported Media Type`	A valid media type was not used. The API accepts JSON, XML, or HTTP URL-encoded input.	Set a supported Content-Type, such as application/json, on the request.
429	`Too Many Requests`	The current access token has hit its daily rate limit.	Wait for the daily quota to reset at midnight, then retry.
500	`Internal Server Error`	An error occurred while processing the request.	Retry after a short delay, and contact Formstack support if it persists.
503	`Service Unavailable`	The service is temporarily unavailable, such as during maintenance.	Retry after a short delay.

Versioning & freshness

Version history.

Formstack runs two API generations side by side. The v2 API uses OAuth 2.0 access tokens, and the newer v2025 API uses Personal Access Tokens; v2 is not being retired.

Version history

What changed, and when

Latest versionv2

v2Current version

OAuth 2.0 REST API (current)

The v2 REST API authenticates with OAuth 2.0 access tokens sent as a Bearer credential, answers under /api/v2/, accepts URL-encoded parameters or JSON, and returns JSON by default or XML on request. It is rate limited to 14,400 calls per access token per day. Formstack has confirmed v2 is not being retired alongside the newer v2025 API.

What changed

OAuth 2.0 access tokens, tied to a Formstack user and that user's in-app permissions
JSON or XML responses
14,400 calls per access token per day

v2025-09-10

Themes API features added to v2025

Theme management was added to the v2025 API, with methods to view, copy, delete, and assign themes across main accounts and subaccounts. Released on 10 September 2025.

What changed

View, copy, delete, and assign themes
Theme management across main accounts and subaccounts

v2025-08-22

v2025 Forms API released

Formstack launched the v2025 Forms API, built on an OpenAPI specification and authenticating with Personal Access Tokens managed in the Formstack admin area rather than OAuth. It answers under /api/v2025/, returns JSON only, and has feature parity with the v2 API. Released on 22 August 2025.

What changed

New v2025 API surface under /api/v2025/
Authentication with Personal Access Tokens (fs_pat_) instead of OAuth
OpenAPI specification and an llms.txt index for AI assistants
Feature parity with the v2 API; v2 is not being retired

v2025-02-26

New subaccount services

Three subaccount management services were added, for listing subaccounts, copying themes to subaccounts, and duplicating forms into subaccounts. Released on 26 February 2025.

What changed

List subaccounts
Copy themes to subaccounts
Duplicate forms into subaccounts

v2025-02-13

Submission search service

A submission search service was added to look across every form in an account for specific submission values, capped at 10,000 matching submissions per search, supporting GDPR data retention requests. Released on 13 February 2025.

What changed

Search submissions across all forms in an account
Capped at 10,000 matching submissions per search

An integration built on v2 keeps working, and can move to v2025 on a schedule that suits it.

Formstack API changelog ↗

Questions

Formstack API, answered.

How does an agent authenticate to the Formstack API?+

With an access token sent in the Authorization header as a Bearer credential. On the v2 API the token is an OAuth 2.0 access token that a Formstack user grants to an application; on the newer v2025 API it is a Personal Access Token generated in the Formstack admin area, in the form fs_pat_. Either token is tied to a Formstack user and follows that user's in-app permissions.

Can I limit a token to one form or to read-only?+

Not through the token itself. Formstack does not offer granular per-endpoint scopes, so an issued access token reaches every form, field, and submission its Formstack user can see, both read and write. Narrowing access to a single form or to read-only has to happen outside Formstack, which is what a gateway like Bollard AI does by checking each call against a per-agent policy.

What are the rate limits?+

Formstack counts requests against a daily quota per access token, not per account. On the v2 API the quota is 14,400 calls per access token per day. On the v2025 API the daily quota varies by account plan type. The quota resets daily at midnight, and a call made after the quota is used up returns 429 Too Many Requests.

How does an agent receive submissions instead of polling?+

By registering a webhook on a form. A webhook posts the submission data to a chosen URL in real time as each form is submitted, so the app receives submissions as they happen rather than repeatedly listing them. Creating a submission through the API can fire the same webhook.

What is the difference between the v2 and v2025 APIs?+

They cover the same ground but authenticate differently and return different formats. The v2 API uses OAuth 2.0 access tokens, answers under /api/v2/, and returns JSON or XML. The v2025 API, released on 22 August 2025, uses Personal Access Tokens, answers under /api/v2025/, and returns JSON only, with feature parity to v2. Formstack has said v2 is not being retired, so a v2 integration keeps working.

How does Formstack signal errors?+

Through standard HTTP status codes. A 401 means the token is missing or invalid, a 403 means the user lacks access to that method or resource, a 404 means the form or submission was not found, a 415 means an unsupported request format, and a 429 means the daily rate limit was hit. A 500 or 503 indicates a server or maintenance problem.

What is Bollard AI?

Control what every AI agent can do in Formstack.

Bollard AI sits between a team's AI agents and Formstack. A Formstack access token reaches the whole account, so Bollard narrows each agent to exactly the forms and actions it needs, read or write, and checks and logs every call.

Set read, write, or full access per agent, never a shared Formstack token.
Denied by default, so an agent reaches only the forms and actions explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Formstack access in Bollard Browse all APIs →

Formstack

Intake Agent

Read form submissions ResourceOffReadFull use

Create submissions ActionOffReadFull use

Delete forms ActionOffReadFull use

Manage webhooks ResourceOffReadFull use

Per-agent access, set in Bollard AI, not in Formstack

How the Formstack API works.

Connection & authentication methods.

REST API (v2)

REST API (v2025)

Webhooks

OAuth 2.0 access token (v2)

Personal Access Token (v2025)

What an AI agent can do in Formstack.

Forms

Fields

Submissions

Folders

Webhooks

Confirmation & notification emails

Partial submissions

Every Formstack API method.

Forms

Fields

Submissions

Folders

Webhooks

Confirmation & notification emails

Partial submissions

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Formstack API, answered.

More forms API guides for agents

SurveyMonkey

Tally

Jotform

Typeform

Google Forms

Control what every AI agent can do in Formstack.