Resources/The Agent API Atlas/Forms/Jotform

Everything an AI agent can do with the Jotform API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints29

API versionv1

Last updated23 June 2026

Orientation

How the Jotform API works.

The Jotform API is how an app or AI agent works with a Jotform account: listing forms, reading the submissions a form has collected, creating or cloning a form, and adding a webhook so new submissions are pushed out. Access is granted through an API key that belongs to one account, and the key is set to read-only or full access, which is the only permission boundary on it. The API is not versioned, so an integration always calls a single continuously updated API.

29Endpoints

7Capability groups

18Read

11Write

2Permissions

Authentication

Every call uses an API key, created in the account's API settings and sent either as the APIKEY HTTP header or as an apiKey query parameter. The header is the safer choice, because a query parameter can end up in logs and browser history. A key belongs to one account and reaches every form and submission in it; there is no per-form scoping on the key itself.

Permissions

An API key carries one of two access levels, set when it is created and changeable afterward: read-only or full access. A read-only key can read forms, questions, submissions, reports, and folders, but every create, edit, or delete call is rejected with a 401. A full-access key can do everything the account can. This is the only permission control on the key, so a read-only key is the way to give an agent safe view-only access.

Versioning

The API is not versioned by date or header. There is a single, continuously updated API reached through its path, so an integration always calls the current version and new fields appear without a migration. The hosted MCP server is the newer access route and gains tools over time.

Data model

The API is organized around forms, the questions inside a form, the submissions a form collects, plus reports and folders that present and organize them. Account-level calls live under /user, a form and its children under /form/{formID}, and a single submission under /submission/{sid}. Every response is the same JSON envelope of responseCode, message, and content.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Jotform determines what it can reach. There is a route for making calls with an API key, a hosted server that exposes Jotform tools to agents, and per-form webhooks that push new submissions, each governed by the credential behind it.

Ways to connect

REST API

The REST API answers at https://api.jotform.com, with a separate https://eu-api.jotform.com host for accounts on the European data region. Every response is a JSON envelope carrying responseCode, message, and content.

Best forConnecting an app or AI agent to Jotform.

Governed byThe API key and whether it was created read-only or full access.

Docs ↗

MCP server (Model Context Protocol)

Jotform's hosted MCP server at https://mcp.jotform.com lets an agent work with forms and submissions through the Model Context Protocol. It exposes tools to list forms, create and edit a form, create a submission, and get submissions. Connection is through OAuth 2.0; a plain API key is not accepted.

Best forConnecting an AI assistant to Jotform with conversational tools.

Governed byOAuth 2.0 authorization granted per user the first time they connect.

Docs ↗

Webhooks

A webhook registered on a form posts that form's submission data to a chosen address each time the form is submitted. The data arrives as form-encoded fields, with the answers held in a rawRequest field.

Best forReceiving new submissions without polling.

Governed byThe full-access API key that adds the webhook to the form.

Docs ↗

Authentication

API key

An API key is created in the account's API settings and sent with each request. At creation the key is set to read-only or full access, and that level can be changed later. A read-only key can read forms and submissions but cannot create, edit, or delete anything.

TokenAPI key

Best forServer-side access to one account's forms and data

Docs ↗

OAuth 2.0 (MCP)

The hosted MCP server uses OAuth 2.0 rather than an API key. Each user authorizes the connection once through a Jotform app, and the granted access is used for the MCP tools.

TokenOAuth access token

Best forConnecting an AI assistant through the MCP server

Docs ↗

Capability map

What an AI agent can do in Jotform.

The Jotform API is split into areas an agent can act on, like forms, the questions inside a form, submissions, reports, and folders. Each area has its own methods, and what an agent can change depends on whether its API key is read-only or full access.

Forms

5 endpoints

List an account's forms, read a single form, create a form, clone a form, and delete a form.

Writes here create, copy, or remove whole forms.

View endpoints →

Form questions

5 endpoints

List the questions on a form, read a single question, read a form's properties, add a question, and delete a question.

Writes here change the fields a form collects.

View endpoints →

Submissions

6 endpoints

List submissions across an account or for one form, read a single submission, create a submission, edit a submission, and delete a submission.

Writes here add, change, or remove collected response data.

View endpoints →

Reports

3 endpoints

List an account's reports, list a form's reports, and read a single report.

Reports expose submission data in a shareable view.

View endpoints →

Folders

3 endpoints

List an account's folders, read a single folder, and create a folder.

Writes here change how forms are organized.

View endpoints →

User & account

4 endpoints

Read the account's profile, its daily usage, its settings, and its sub-users.

Writes here change account-wide settings.

View endpoints →

Webhooks

3 endpoints

List a form's webhooks, add a webhook to a form, and delete a webhook from a form.

Writes here change where submission data is sent.

View endpoints →

Endpoint reference

Every Jotform API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Forms List an account's forms, read a single form, create a form, clone a form, and delete a form.5
GET	`/user/forms`	List the forms in the account, with their status, submission count, and metadata.	read	`Read`	Current
Returns every form the API key's account can reach. A read-only key can call this; the key carries no per-form scoping. Acts onform Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/form/{formID}`	Get a single form's details, including its title, status, and counts.	read	`Read`	Current
Readable with a read-only or full-access key. Acts onform Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/user/forms`	Create a new form, defining its questions, properties, and emails.	write	`Full Access`	Current
Requires a full-access API key. A read-only key is rejected with a 401. Acts onform Permission (capability)`Full Access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/form/{formID}/clone`	Clone a form, creating a copy of it in the account.	write	`Full Access`	Current
Requires a full-access API key. Acts onform Permission (capability)`Full Access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/form/{formID}`	Delete a form. The form is moved to trash rather than permanently removed.	write	`Full Access`	Current
Requires a full-access API key. Acts onform Permission (capability)`Full Access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Form questions List the questions on a form, read a single question, read a form's properties, add a question, and delete a question.5
GET	`/form/{formID}/questions`	List the questions on a form, with each question's type and properties.	read	`Read`	Current
Readable with a read-only or full-access key. Acts onquestion Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/form/{formID}/question/{qid}`	Get a single question on a form by its question id.	read	`Read`	Current
Readable with a read-only or full-access key. Acts onquestion Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/form/{formID}/properties`	Get a form's properties, like its theme, language, and submission settings.	read	`Read`	Current
A single property is read at /form/{formID}/properties/{key}. Readable with a read-only key. Acts onform property Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/form/{formID}/questions`	Add one or more questions to a form.	write	`Full Access`	Current
Requires a full-access API key. Acts onquestion Permission (capability)`Full Access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/form/{formID}/question/{qid}`	Delete a single question from a form.	write	`Full Access`	Current
Requires a full-access API key. Removing a question removes the field from the form. Acts onquestion Permission (capability)`Full Access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Submissions List submissions across an account or for one form, read a single submission, create a submission, edit a submission, and delete a submission.6
GET	`/user/submissions`	List submissions across all of the account's forms.	read	`Read`	Current
Returns response data people entered into forms. Readable with a read-only key. Acts onsubmission Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/form/{formID}/submissions`	List the submissions for a single form, with filtering and ordering.	read	`Read`	Current
Returns the answers submitted to that form. Readable with a read-only key. Acts onsubmission Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/submission/{sid}`	Get a single submission by its id, with each answer.	read	`Read`	Current
Readable with a read-only key. Acts onsubmission Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/form/{formID}/submissions`	Create a submission on a form by supplying answers for its questions.	write	`Full Access`	Current
Requires a full-access API key. A submission added through the API does not trigger the form's webhooks or integrations. Acts onsubmission Permission (capability)`Full Access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/submission/{sid}`	Edit an existing submission, changing one or more of its answers.	write	`Full Access`	Current
Requires a full-access API key. Acts onsubmission Permission (capability)`Full Access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/submission/{sid}`	Delete a single submission.	write	`Full Access`	Current
Requires a full-access API key. The submission is removed permanently. Acts onsubmission Permission (capability)`Full Access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Reports List an account's reports, list a form's reports, and read a single report.3
GET	`/user/reports`	List the reports created across the account.	read	`Read`	Current
Readable with a read-only key. Acts onreport Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/form/{formID}/reports`	List the reports built on a single form.	read	`Read`	Current
Readable with a read-only key. Acts onreport Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/report/{reportID}`	Get a single report by its id, including its type and settings.	read	`Read`	Current
A report can carry a public URL that exposes submission data without the API key. Readable with a read-only key. Acts onreport Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Folders List an account's folders, read a single folder, and create a folder.3
GET	`/user/folders`	List the account's folders and the forms inside them.	read	`Read`	Current
Readable with a read-only key. Acts onfolder Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/folder/{folderID}`	Get a single folder and its contents.	read	`Read`	Current
Readable with a read-only key. Acts onfolder Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/folder`	Create a folder to organize forms.	write	`Full Access`	Current
Requires a full-access API key. Acts onfolder Permission (capability)`Full Access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
User & account Read the account's profile, its daily usage, its settings, and its sub-users.4
GET	`/user`	Get the account's profile, including name, email, plan, and account type.	read	`Read`	Current
Returns the account holder's email and plan. Readable with a read-only key. Acts onuser Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/user/usage`	Get the account's monthly usage, like submissions, payments, and uploads against plan limits.	read	`Read`	Current
Readable with a read-only key. Acts onusage Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/user/settings`	Get the account's settings, like time zone, language, and security options.	read	`Read`	Current
Updated with a POST to the same path, which requires a full-access key. Reading is allowed with a read-only key. Acts onsettings Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/user/subusers`	List the sub-users that share the account, with their access levels.	read	`Read`	Current
Readable with a read-only key. Acts onsub-user Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Webhooks List a form's webhooks, add a webhook to a form, and delete a webhook from a form.3
GET	`/form/{formID}/webhooks`	List the webhooks registered on a form.	read	`Read`	Current
Readable with a read-only key. Acts onwebhook Permission (capability)`Read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/form/{formID}/webhooks`	Add a webhook to a form, so Jotform posts each new submission to a chosen address.	write	`Full Access`	Current
Requires a full-access API key. The webhook URL receives the submission data on each new submission. Acts onwebhook Permission (capability)`Full Access` VersionAvailable since the API’s base version Webhook event`submission` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/form/{formID}/webhooks/{webhookID}`	Delete a webhook from a form by its index.	write	`Full Access`	Current
Requires a full-access API key. Acts onwebhook Permission (capability)`Full Access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Jotform can notify an app or AI agent when a form receives a new submission, instead of the app repeatedly asking. A webhook is registered on a single form, and Jotform posts the submission data to that address each time the form is submitted.

Event	What it signals	Triggered by
`New submission`	Fires when a form is submitted through its submit button, posting the submission data to each webhook registered on that form. A submission created through the API does not fire this.	`/form/{formID}/webhooks`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Jotform limits how much an app or AI agent can call through a daily request quota that depends on the account plan, and each response reports how many calls are left for the day.

Request rate

Jotform limits calls by a daily quota tied to the account plan rather than a per-second rate. A starter account gets 1,000 API calls per day, bronze 10,000, silver 50,000, and gold 100,000; Enterprise accounts have no call limit. The daily count resets at midnight Eastern time, and every response carries a limit-left field showing how many calls remain for the day. Once the quota is used up, further calls fail with an API-Limit exceeded message until the reset.

Pagination

List endpoints take offset and limit query parameters, where limit defaults to 20 and can be raised, and accept filter and orderby parameters to narrow and sort results. There is no cursor; pages are stepped through by increasing offset.

Request size

Responses are JSON wrapped in the responseCode, message, and content envelope. Uploaded files attached to submissions are subject to the account plan's upload and storage limits rather than an API payload cap.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
200	`success`	The request succeeded. The body holds responseCode 200, message 'success', the content payload, and a limit-left field with the calls remaining today.	Read the content field. Watch limit-left to stay inside the daily quota.
401	`Unauthorized`	The API key is missing, invalid, or lacks the access for the call. A read-only key calling a write endpoint returns 401 with a not-authorized message naming the endpoint.	Send a valid API key in the APIKEY header, and use a full-access key for writes.
403	`Forbidden`	The key is recognized but not permitted to act on the requested resource.	Confirm the account owns the form or submission and the key has full access.
404	`Not Found`	The form, submission, report, or folder id does not exist or is not reachable by this account.	Check the id is correct and belongs to the account behind the key.

Versioning & freshness

Version history.

Jotform exposes one continuously updated API. There is no dated version to pin, so an integration always calls the current API and reads new fields as they appear.

Version history

What changed, and when

Latest versionv1

v1Current version

Single continuously updated API

Jotform exposes one API reached through its path, with no dated versions and no version header to pin. New fields and endpoints are added to the same API over time, so an integration always calls the current version and reads new fields as they appear. The hosted MCP server is the newer access route and gains tools over time.

What changed

API key authentication via the APIKEY header or apiKey query parameter
European data region served from a separate eu-api.jotform.com host
Hosted MCP server at mcp.jotform.com using OAuth 2.0, with form and submission tools

There is no version header to set; the API path itself is the only version marker.

Jotform developer hub ↗

Questions

Jotform API, answered.

How does an agent authenticate to the Jotform API?+

With an API key. The key is created in the account's API settings and sent on each request, either as an APIKEY HTTP header or an apiKey query parameter. The header is preferred, since a query parameter can be captured in server logs or browser history. One key covers the whole account, so it reaches every form and submission the account owns.

What is the difference between a read-only and a full-access API key?+

A Jotform key is created at one of two levels, and the level can be changed later. A read-only key can read forms, questions, submissions, reports, and folders, but any attempt to create, edit, or delete returns a 401. A full-access key can do everything the account can. There is no finer-grained permission than these two levels, so a read-only key is how to give an agent safe view-only access to forms and submissions.

What are the rate limits?+

Jotform meters a daily quota tied to the plan, not a per-second rate. A starter account gets 1,000 calls a day, bronze 10,000, silver 50,000, and gold 100,000, while Enterprise has no limit. The count resets at midnight Eastern time, and each response includes a limit-left field with the calls left for the day. When the quota runs out, calls fail with an API-Limit exceeded message until the reset.

How does an agent receive new submissions instead of polling?+

By adding a webhook to a form. A webhook is registered on a single form with a full-access key, and Jotform posts that form's submission data to the chosen address each time the form is submitted through its submit button. The answers arrive as form-encoded fields, with the JSON held in a rawRequest field. A submission created through the API does not trigger the webhook.

Does Jotform have an official MCP server?+

Yes. Jotform hosts a Model Context Protocol server at mcp.jotform.com that lets an AI assistant work with forms and submissions through conversational tools, covering listing forms, creating and editing a form, creating a submission, and getting submissions. It connects through OAuth 2.0 rather than an API key, with each user authorizing once, and it is included at no extra charge on an existing plan.

How does pagination work?+

List endpoints take offset and limit query parameters, where limit defaults to 20 and can be raised, plus filter and orderby parameters to narrow and sort the results. Paging is done by stepping the offset forward rather than following a cursor.

Is there a separate API host for European accounts?+

Yes. Accounts in the European data region use https://eu-api.jotform.com in place of https://api.jotform.com, with the same paths and the same API key. Calling the wrong host for the account's region returns an authorization error.

What is Bollard AI?

Control what every AI agent can do in Jotform.

Bollard AI sits between a team's AI agents and Jotform. Grant each agent exactly the access it needs, read or write, resource by resource, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Jotform API key.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Jotform access in Bollard Browse all APIs →

Jotform

Forms Agent

Read submissions ResourceOffReadFull use

Create forms ActionOffReadFull use

Delete submissions ActionOffReadFull use

Per-agent access, set in Bollard AI, not in Jotform

How the Jotform API works.

Connection & authentication methods.

REST API

MCP server (Model Context Protocol)

Webhooks

API key

OAuth 2.0 (MCP)

What an AI agent can do in Jotform.

Forms

Form questions

Submissions

Reports

Folders

User & account

Webhooks

Every Jotform API method.

Forms

Form questions

Submissions

Reports

Folders

User & account

Webhooks

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Jotform API, answered.

More forms API guides for agents

SurveyMonkey

Tally

Formstack

Typeform

Google Forms

Control what every AI agent can do in Jotform.