# Authentication

The programmatic API allows you to interact with forms.wtf from your own code.

**Requires Team plan or higher.**

***

## API keys

1. Go to **Settings → API Keys**
2. Click **Create API Key**
3. Give it a name (e.g. "Production integration")
4. Copy the key — it's shown only once

> Store your API key securely. Treat it like a password. Do not commit it to version control.

***

## Making requests

Include your API key as a Bearer token in the `Authorization` header:

```
Authorization: Bearer YOUR_API_KEY
```

**Base URL:**

```
https://forms.wtf/api/v1
```

**Example request:**

```bash
curl https://forms.wtf/api/v1/forms \
  -H "Authorization: Bearer YOUR_API_KEY"
```

***

## Rate limits

API requests are rate-limited per key. If you exceed the limit, you'll receive a `429 Too Many Requests` response.

Current limits:

* **60 requests per minute** per API key

***

## Error responses

All errors return JSON with an `error` field:

```json
{
  "error": "Unauthorized"
}
```

| HTTP status | Meaning                                            |
| ----------- | -------------------------------------------------- |
| `400`       | Bad request — check your request body              |
| `401`       | Unauthorized — missing or invalid API key          |
| `403`       | Forbidden — your plan doesn't include this feature |
| `404`       | Not found                                          |
| `429`       | Rate limit exceeded                                |
| `500`       | Server error                                       |
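
The following client sketch is an added example, not code published by forms.wtf: it reads the key from the environment instead of the source tree, sends it as a Bearer token, backs off on `429`, and surfaces the JSON `error` field without ever putting the key in an exception message. The environment variable name `FORMS_WTF_API_KEY`, the exponential backoff schedule, and the injectable `transport` and `sleep` parameters are assumptions made for illustration.

```python
import json
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://forms.wtf/api/v1"  # base URL documented on this page
KEY_ENV = "FORMS_WTF_API_KEY"          # assumed variable name, not defined by forms.wtf

class ApiError(Exception):
    """Carries the HTTP status and the API's `error` string, never the key."""
    def __init__(self, status, message):
        super().__init__(f"{status}: {message}")
        self.status, self.message = status, message

def _urlopen(req):
    """Default transport: returns (status, body) for successes and HTTP errors alike."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def api_get(path, transport=_urlopen, sleep=time.sleep, max_retries=3):
    """GET BASE_URL + path with the Bearer key, retrying only on 429."""
    key = os.environ.get(KEY_ENV)
    if not key:
        raise RuntimeError(f"set {KEY_ENV}; do not hard-code the key")
    req = urllib.request.Request(
        BASE_URL + path, headers={"Authorization": f"Bearer {key}"})
    for attempt in range(max_retries + 1):
        status, body = transport(req)
        if status == 429 and attempt < max_retries:
            sleep(2 ** attempt)  # assumed policy: wait 1s, 2s, 4s before retrying
            continue
        try:
            data = json.loads(body or b"null")
        except ValueError:
            data = None  # non-JSON body, e.g. from an intermediate proxy
        if 200 <= status < 300:
            return data
        # Documented error shape: {"error": "..."}; fall back if it is absent.
        message = data.get("error") if isinstance(data, dict) else None
        raise ApiError(status, message or "unknown error")
```

Only `429` is retried; `401` and `403` fail immediately so a revoked or under-privileged key is noticed rather than hammered against the rate limit.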

***

## Revoking keys

Go to **Settings → API Keys**, find the key, and click **Revoke**. The key is immediately invalidated.

***

## Key security best practices

* Rotate keys periodically
* Create separate keys for different integrations (easier to revoke one without disrupting others)
* Never expose your API key in client-side code or public repositories
