Resources/The Agent API Atlas/Forms/Typeform

Everything an AI agent can do with the Typeform API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints24

AuthenticationOAuth 2.0

Last updated23 June 2026

Orientation

How the Typeform API works.

The Typeform API is how an app or AI agent works with a Typeform account: building a form from a definition, reading the responses a form has collected, registering a webhook to receive new submissions, and managing images, themes, and workspaces. Access is granted through a bearer token, either an OAuth token carrying granular scopes or a personal access token, and an agent is limited to the areas and direction those scopes allow. There is no version to pin, and Typeform can push each submission to a webhook the moment a form is completed.

24Endpoints

5Capability groups

11Read

13Write

13Permissions

Authentication

Every call carries a bearer token in the Authorization header. The token is either an OAuth 2.0 access token, which acts on behalf of a user who granted a set of scopes, or a personal access token, which authenticates a single account directly. The first-party MCP server currently accepts only a personal access token. Accounts on the EU Data Center call the api.eu.typeform.com host instead of api.typeform.com.

Permissions

Access is governed by OAuth scopes, granted per area and per direction. Read scopes include forms:read, responses:read, webhooks:read, images:read, themes:read, workspaces:read, and accounts:read; write scopes include forms:write, responses:write, webhooks:write, images:write, themes:write, and workspaces:write. The offline scope adds a refresh token. A call without the matching scope returns 403, so responses:read is what lets an agent read every submission a form has collected.

Versioning

Typeform's API is not versioned by a number or date in the request path. There is a single, continuously updated API, and notable changes, including breaking ones, are published as a dated changelog rather than as new versions. An integration tracks that changelog rather than pinning a version. A recent change required all new webhook URLs to use HTTPS.

Data model

Typeform is resource-oriented JSON over HTTPS at api.typeform.com. A form is the central object, created from a JSON definition of fields, logic, theme, and settings; its submissions are responses, read from /forms/{form_id}/responses; and a webhook on a form pushes each submission as it arrives. Images, themes, and workspaces are account-level resources that forms reference. The Create, Responses, and Webhooks APIs share the same host and token.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Typeform determines what it can reach. There is a route for building forms and reading data, a route for receiving submission events, and a hosted server that exposes Typeform tools to agents, each governed by the token behind it and the permissions that token carries.

Ways to connect

REST API

The REST API answers at https://api.typeform.com and returns JSON. Accounts on the EU Data Center call https://api.eu.typeform.com instead. It covers the Create, Responses, and Webhooks APIs, and a call authenticates with a bearer access token.

Best forConnecting an app or AI agent to Typeform.

Governed byThe access token and the scopes it carries.

Docs ↗

Webhooks

Typeform POSTs a form_response payload to a registered URL the moment a form is submitted. The receiver verifies the Typeform-Signature header, an HMAC SHA-256 of the raw body keyed with the webhook secret and base64-encoded with a sha256= prefix, to confirm the request came from Typeform. New webhook URLs must use HTTPS.

Best forReceiving Typeform submission events at an app or AI agent.

Governed byThe secret set on the webhook.

Docs ↗

MCP server (Model Context Protocol)

Typeform's first-party MCP server lets an agent call Typeform through the Model Context Protocol at https://api.typeform.com/mcp, with https://api.eu.typeform.com/mcp for EU accounts. It is in beta with a limited tool set covering reading forms, managing contacts, and workspaces, and currently authenticates with a personal access token as a bearer token; OAuth is planned.

Best forConnecting an AI agent to Typeform through MCP.

Governed byThe personal access token and the scopes it carries.

Docs ↗

Authentication

OAuth 2.0

An OAuth 2.0 application requests each user's permission for a set of scopes, then receives an access token that acts on that user's behalf. Scopes are granular per area and direction, such as forms:read, forms:write, responses:read, responses:write, and webhooks:write. Adding the offline scope returns a refresh token for continued access.

TokenOAuth access token (bearer)

Best forApps acting on behalf of other Typeform users

Docs ↗

Personal access token

A personal access token authenticates as a single account without an OAuth flow, sent as a bearer token. It is the quickest way to call the API for one account's own data, and is currently the only way to authenticate with the MCP server.

TokenPersonal access token (bearer)

Best forServer-side scripts acting on one account

Docs ↗

Capability map

What an AI agent can do in Typeform.

The Typeform API is split into areas an agent can act on, like forms, responses, webhooks, images and themes, and workspaces. Each area has its own methods and its own permission, and some reach far more than others, such as reading every response a form has collected.

Forms

8 endpoints

List, read, create, update, and delete forms, and read and update their custom screen messages.

Writes here change real form data, including deleting a form.

View endpoints →

Responses

2 endpoints

Retrieve the submissions a form has collected, and delete responses by id.

Reads here return respondent answers; deletes remove submissions permanently.

View endpoints →

Webhooks

4 endpoints

List a form's webhooks, read a single webhook, create or update one, and delete it.

Writes here change where submission events are sent.

View endpoints →

Images & themes

5 endpoints

List and add account images, and list, create, and delete the themes that style forms.

Writes here change real image and theme data.

View endpoints →

Workspaces & account

5 endpoints

List, create, read, and delete workspaces, and read the authenticated account's basic profile.

Writes here change real workspace data, including deleting a workspace and the forms in it.

View endpoints →

Endpoint reference

Every Typeform API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Forms List, read, create, update, and delete forms, and read and update their custom screen messages.8
GET	`/forms`	List the forms in the account, with paging, search, and workspace filtering.	read	`forms:read`	Current
Returns a list of forms. page_size defaults to 10 and tops out at 200. Acts onform Permission (capability)`forms:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/forms`	Create a new form from a JSON definition.	write	`forms:write`	Current
The full form definition, fields, logic, theme, and settings, is sent in the request body. Acts onform Permission (capability)`forms:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/forms/{form_id}`	Retrieve a single form's full definition.	read	`forms:read`	Current
Read-only. Acts onform Permission (capability)`forms:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/forms/{form_id}`	Replace a form's entire definition.	write	`forms:write`	Current
A whole-definition update; the body replaces the existing form. Acts onform Permission (capability)`forms:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/forms/{form_id}`	Apply a partial update to a form using JSON Patch operations.	write	`forms:write`	Current
Takes a JSON Patch array, so individual fields can change without resending the whole form. Acts onform Permission (capability)`forms:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/forms/{form_id}`	Delete a form.	write	`forms:write`	Current
Removes the form and its configuration. Acts onform Permission (capability)`forms:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/forms/{form_id}/messages`	Retrieve a form's custom screen messages.	read	`forms:read`	Current
Returns the customizable text shown on a form, such as button labels and screens. Acts onform message Permission (capability)`forms:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/forms/{form_id}/messages`	Update a form's custom screen messages.	write	`forms:write`	Current
Replaces the customizable message text on the form. Acts onform message Permission (capability)`forms:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Responses Retrieve the submissions a form has collected, and delete responses by id.2
GET	`/forms/{form_id}/responses`	Retrieve the responses a form has collected, with date filters and paging.	read	`responses:read`	Current
Returns respondent answers. page_size defaults to 25 and tops out at 1000. Very recent submissions, within roughly the last 30 minutes, may not appear yet. Acts onresponse Permission (capability)`responses:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/forms/{form_id}/responses`	Delete responses to a form by id.	write	`responses:write`	Current
The included_response_ids parameter lists up to 1000 response ids. A 200 confirms the deletion was registered, not that it finished immediately. Acts onresponse Permission (capability)`responses:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Webhooks List a form's webhooks, read a single webhook, create or update one, and delete it.4
GET	`/forms/{form_id}/webhooks`	List all webhooks configured on a form.	read	`webhooks:read`	Current
Read-only. Acts onwebhook Permission (capability)`webhooks:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/forms/{form_id}/webhooks/{tag}`	Retrieve a single webhook by its tag.	read	`webhooks:read`	Current
The tag is the chosen name for the webhook on that form. Acts onwebhook Permission (capability)`webhooks:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/forms/{form_id}/webhooks/{tag}`	Create a webhook on a form, or update the existing one for that tag.	write	`webhooks:write`	Current
Sets the destination URL, the enabled flag, and the secret used to sign deliveries. The same call both creates and updates. Acts onwebhook Permission (capability)`webhooks:write` VersionAvailable since the API’s base version Webhook event`form_response` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/forms/{form_id}/webhooks/{tag}`	Delete a webhook from a form.	write	`webhooks:write`	Current
Stops further deliveries for that tag. Acts onwebhook Permission (capability)`webhooks:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Images & themes List and add account images, and list, create, and delete the themes that style forms.5
GET	`/images`	Retrieve the JSON descriptions of all images in the account.	read	`images:read`	Current
Read-only. Acts onimage Permission (capability)`images:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/images`	Add an image to the account for use in forms.	write	`images:write`	Current
The image is sent base64-encoded or by URL in the request body. Acts onimage Permission (capability)`images:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/themes`	Retrieve the JSON descriptions of all themes in the account.	read	`themes:read`	Current
Read-only. Acts ontheme Permission (capability)`themes:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/themes`	Create a theme that styles a form's colors, fonts, and background.	write	`themes:write`	Current
A core styling write. Acts ontheme Permission (capability)`themes:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/themes/{theme_id}`	Delete a theme.	write	`themes:write`	Current
Removes the theme from the account. Acts ontheme Permission (capability)`themes:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Workspaces & account List, create, read, and delete workspaces, and read the authenticated account's basic profile.5
GET	`/workspaces`	Retrieve all workspaces the account has access to.	read	`workspaces:read`	Current
page_size defaults to 10 and tops out at 200. Acts onworkspace Permission (capability)`workspaces:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/workspaces`	Create a workspace.	write	`workspaces:write`	Current
A workspace groups forms together. Acts onworkspace Permission (capability)`workspaces:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/workspaces/{workspace_id}`	Retrieve a single workspace.	read	`workspaces:read`	Current
Read-only. Acts onworkspace Permission (capability)`workspaces:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/workspaces/{workspace_id}`	Delete a workspace.	write	`workspaces:write`	Current
Deleting a workspace also affects the forms inside it. Acts onworkspace Permission (capability)`workspaces:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/me`	Retrieve the authenticated account's alias, email address, and language.	read	`accounts:read`	Current
Returns only the token owner's own profile; there is no endpoint to list all users in an account. Acts onaccount Permission (capability)`accounts:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Typeform can notify an app or AI agent the moment a form is submitted, instead of the app repeatedly asking. It posts the submission payload to a webhook URL registered on the form, and a signature header lets the receiver confirm the payload came from Typeform.

Event	What it signals	Triggered by
`form_response`	Fires when a form is submitted, delivering the respondent's answers, the form definition, and landing and submission timestamps. This is the single event the Webhooks API delivers.	`/forms/{form_id}/webhooks/{tag}`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Typeform limits how fast an app or AI agent can call, by a request rate measured per second and per Typeform account, with separate ceilings on how many forms and responses a single response query returns.

Request rate

Typeform allows two requests per second, per Typeform account, for the Create and Responses APIs. Going over returns HTTP 429, so an integration that batches form edits or pulls large response sets should pace its calls rather than send them in a burst. The limit is per account, so several agents sharing one account's token share the same two-per-second budget.

Pagination

List endpoints page through results with the page and page_size parameters. For forms and workspaces, page_size defaults to 10 and reaches a maximum of 200. The Responses endpoint pages differently, defaulting to 25 responses with a maximum page_size of 1000, and it also supports cursor-style before and after parameters and since and until date filters.

Request size

A single Responses request returns at most 1000 responses, and a forms or workspaces list returns at most 200 items per page. A delete-responses request can name up to 1000 response ids at once.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
400	`Bad Request`	The request was malformed, such as an invalid form definition, a bad JSON Patch operation, or an invalid query parameter.	Read the error message, correct the request body or parameters, and resend.
401	`Unauthorized`	The access token is missing, invalid, or expired.	Send a valid bearer token in the Authorization header, refreshing the OAuth token if it has expired.
403	`Forbidden`	The token is valid but lacks the scope the call needs, or the account does not have access to the resource.	Grant the missing scope, such as responses:read or forms:write, and reconnect.
404	`Not Found`	The form, response, webhook, theme, or workspace does not exist, or the token cannot see it.	Confirm the id in the path and that the token has access to it.
429	`Too Many Requests`	The request rate of two per second per account was exceeded.	Slow the request rate and retry after a short pause.

Versioning & freshness

Version history.

Typeform's API is not versioned by a number or date in the path. There is a single, continuously updated API, and notable changes are published as a dated changelog.

Version history

What changed, and when

Latest versionCurrent

CurrentCurrent version

Single, continuously updated API

Typeform's API has no version number or date in the request path. It is a single, continuously updated API, and notable changes, including breaking ones, are published as a dated changelog rather than as new versions. An integration tracks that changelog rather than pinning a version. The dated entries below are recent changes from that changelog, newest first.

2026-05-19Requires migration

HTTPS required for new webhook URLs

All new webhook URLs must use HTTPS. Existing HTTP webhooks keep working but cannot be repointed to another HTTP URL, and the verify_ssl parameter became read-only.

What changed

New webhook URLs must use https.
Existing http webhooks continue working but cannot be updated to a different http URL.
The verify_ssl parameter became read-only.

2025-06-17Feature update

Translations API documentation fix

The Translations API documentation was corrected: the properties.labels field is a plain object, not an array.

What changed

properties.labels documented as a plain object rather than an array.

2024-08-13Requires migration

Removed settings.capabilities field

The undocumented settings.capabilities field was removed from form definitions as part of cleanup work.

What changed

Removed the undocumented settings.capabilities field from form definitions.

2024-07-01Feature update

Enrichment form setting

Added the ability to configure an enrichment form setting through the API for eligible accounts.

What changed

Added an enrichment form setting configurable through the API for eligible accounts.

2024-03-07Feature update

Milestones and partial responses

The Create API added the ability to define milestones within form definitions, and the Responses API added a query parameter to retrieve partial responses.

What changed

Create API: milestones can be added within form definitions.
Responses API: a query parameter retrieves partial responses.

There is no version to pin; an integration tracks the dated changelog for breaking changes.

Typeform API changelog ↗

Questions

Typeform API, answered.

OAuth or a personal access token, which should I use?+

A personal access token is the quickest route for a script acting on one account's own data, sent as a bearer token with no authorization flow. OAuth 2.0 suits an app that acts on behalf of other Typeform users, since each user grants a specific set of scopes and can revoke them. The MCP server currently accepts only a personal access token, with OAuth planned.

What scopes does an agent need to read responses or create forms?+

Scopes are granted per area and direction. Reading submissions needs responses:read, and deleting them needs responses:write. Building forms needs forms:write, and listing or reading them needs forms:read. Webhooks use webhooks:read and webhooks:write. A call without the matching scope returns 403. Adding the offline scope returns a refresh token for continued access.

What are the rate limits?+

Typeform allows two requests per second, per Typeform account, for the Create and Responses APIs, and exceeding it returns HTTP 429. The limit is per account rather than per token or per form, so several integrations sharing one account's credentials share the same budget. Pacing calls and handling 429 with a short backoff keeps an integration within the limit.

How do I receive submissions instead of polling for them?+

Register a webhook on the form with a PUT to /forms/{form_id}/webhooks/{tag}, setting a destination URL and a secret. Typeform then POSTs a form_response payload the moment someone submits. New webhook URLs must use HTTPS. The Typeform-Signature header on each delivery, an HMAC SHA-256 of the raw body keyed with the secret, lets the receiver confirm the payload came from Typeform.

How is the API versioned?+

It is not versioned by a number or date in the path. There is a single, continuously updated API, and Typeform publishes notable changes, including breaking ones, as a dated changelog. There is no version to pin, so an integration follows the changelog and adjusts when a breaking change is announced, such as the move to require HTTPS for new webhook URLs.

Why didn't my latest responses show up in the API?+

The Responses endpoint may not return very recent submissions, within roughly the last 30 minutes, so a poll immediately after a submission can miss it. For real-time delivery, use a webhook instead, which pushes each submission as it arrives rather than waiting for the next poll.

What is Bollard AI?

Control what every AI agent can do in Typeform.

Bollard AI sits between a team's AI agents and Typeform. Grant each agent exactly the access it needs, read or write, resource by resource, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Typeform token.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Typeform access in Bollard Browse all APIs →

Typeform

Survey Agent

Read responses ResourceOffReadFull use

Create and edit forms ActionOffReadFull use

Delete responses ActionOffReadFull use

Per-agent access, set in Bollard AI, not in Typeform

How the Typeform API works.

Connection & authentication methods.

REST API

Webhooks

MCP server (Model Context Protocol)

OAuth 2.0

Personal access token

What an AI agent can do in Typeform.

Forms

Responses

Webhooks

Images & themes

Workspaces & account

Every Typeform API method.

Forms

Responses

Webhooks

Images & themes

Workspaces & account

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Typeform API, answered.

More forms API guides for agents

SurveyMonkey

Tally

Jotform

Formstack

Google Forms

Control what every AI agent can do in Typeform.