What is an API Key?

An API key is a unique string of characters used to authenticate and authorize requests to a web API, identifying the caller and controlling access to API resources.

By Vaibhav Jain · Last updated March 27, 2026

API keys are the simplest form of API authentication. When you want to access an API programmatically — creating forms, reading submissions, or managing integrations via code — you include your API key with each request to prove your identity.

Think of an API key like a password for your application. The API server checks the key against its records: if the key is valid, the request is processed; if not, it's rejected with a 401 Unauthorized error. Unlike user passwords, API keys are typically long random strings that are hard to guess.

API keys should be treated as secrets. Never commit them to public git repositories, never include them in client-side JavaScript (where anyone can see them in the browser), and never share them in emails or chat. Store them in environment variables or secret management services.

FormsList provides API keys for programmatic access to the REST API. You can create forms, list submissions, export data, and manage integrations entirely through API calls. Generate keys in the dashboard under Account > API Keys, and revoke them instantly if compromised.

In-Depth Guide

What is an API key? An API key is a unique, randomly generated string of characters that serves as an authentication credential for accessing a web API (Application Programming Interface) programmatically. When you make an HTTP request to an API — to create a resource, read data, update settings, or delete records — you include your API key with the request to identify yourself and prove you are authorized to perform the action. The API server validates the key against its database of issued keys: if the key is valid and has the necessary permissions, the request is processed and a response is returned; if the key is missing, invalid, or revoked, the server returns a 401 Unauthorized or 403 Forbidden error.

API keys work by being included in HTTP requests, typically in one of three locations: the Authorization header (Authorization: Bearer your_api_key), a custom header (X-API-Key: your_api_key), or as a query parameter in the URL (api_key=your_api_key). The Authorization header with Bearer token format is the modern standard and the most secure approach: HTTPS encrypts both headers and the URL in transit, but headers do not appear in server access logs the way query parameters do. API keys are distinct from other authentication methods like OAuth tokens (which represent delegated user authorization and expire) or session cookies (which are browser-specific). API keys are typically long-lived, do not expire automatically, and represent application-level or account-level access rather than individual user sessions.
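The server-side check described in the two paragraphs above, as an added example in Node.js (not FormsList's code). The key store, key values, scope names and request path are constructed, and answering 403 for a valid key that lacks the needed permission is an assumed convention.

```javascript
// Added example: server-side API key check (hypothetical store and key values).
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();

// Constructed key store: only the SHA-256 digest of each issued key is kept,
// so a leaked database does not reveal usable keys.
const ISSUED_KEYS = [
  { hash: sha256('fl_key_constructed_prod'), scopes: ['forms:read', 'forms:write'], revoked: false },
  { hash: sha256('fl_key_constructed_old'), scopes: ['forms:read'], revoked: true },
  { hash: sha256('fl_key_constructed_ro'), scopes: ['forms:read'], revoked: false },
];

// Pull the key from the three locations the text lists, preferring headers.
// `req` is a plain object: { headers: { lowercase-name: value }, url: string }.
function extractApiKey(req) {
  const auth = req.headers['authorization'] || '';
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  if (m) return { key: m[1], source: 'authorization' };
  if (req.headers['x-api-key']) return { key: req.headers['x-api-key'], source: 'x-api-key' };
  // Placeholder base URL, only needed to parse a relative request path.
  const q = new URL(req.url, 'https://api.example.invalid').searchParams.get('api_key');
  if (q) return { key: q, source: 'query' }; // accepted, but the key ends up in URL logs
  return null;
}

// Returns the HTTP status the server should answer with for `requiredScope`.
function authorize(req, requiredScope) {
  const found = extractApiKey(req);
  if (!found) return 401; // missing key
  const candidate = sha256(found.key);
  // Compare fixed-length digests in constant time and scan every record.
  let match = null;
  for (const rec of ISSUED_KEYS) {
    if (crypto.timingSafeEqual(rec.hash, candidate)) match = rec;
  }
  if (!match || match.revoked) return 401; // invalid or revoked key
  if (!match.scopes.includes(requiredScope)) return 403; // valid key, no permission
  return 200;
}
```

The `source` field lets the server log or reject keys that arrive in the query string without ever logging the key itself.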

Security best practices for API keys are critical because a compromised key grants full access to your account's API capabilities. Never commit API keys to version control repositories (especially public ones on GitHub) — use .env files and add them to .gitignore. Never embed API keys in client-side JavaScript, HTML, or mobile app code where they can be extracted from browser source code or decompiled applications. Store keys in environment variables on your server, in secrets management services (AWS Secrets Manager, HashiCorp Vault, Vercel Environment Variables), or in CI/CD platform secret stores (GitHub Actions secrets, GitLab CI variables). Rotate keys periodically, and revoke compromised keys immediately. Use separate keys for different environments (development, staging, production) so that revoking one does not affect others.
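One way to enforce the "never commit, never embed" rules before code leaves a developer's machine, as an added example (not part of the original page or of FormsList's tooling). It assumes keys look like the page's sample value `fl_key_abc123`; the file names and contents are constructed.

```javascript
// Added example: pre-commit style scan for hardcoded API keys.
// Assumption: keys start with "fl_key_" followed by letters, digits, "_" or "-",
// as in the page's sample value. Real key formats may differ.
const KEY_PATTERN = /fl_key_[A-Za-z0-9_-]{6,}/g;
// Also flag any key passed as a URL query parameter (it would land in access logs).
const QUERY_PATTERN = /[?&]api_key=([^&\s"'`]+)/g;

// Show only enough of a match to locate it; never echo the whole secret.
function redact(secret) {
  return secret.slice(0, 7) + '*'.repeat(Math.max(secret.length - 7, 0));
}

// files: { path: contents }. Returns [{ path, line, rule, match }].
function scanFiles(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((src, i) => {
      for (const m of src.matchAll(KEY_PATTERN)) {
        findings.push({ path, line: i + 1, rule: 'hardcoded-key', match: redact(m[0]) });
      }
      for (const m of src.matchAll(QUERY_PATTERN)) {
        findings.push({ path, line: i + 1, rule: 'key-in-query', match: 'api_key=<redacted>' });
      }
    });
  }
  return findings;
}

// Constructed sample of staged files.
const STAGED = {
  'src/good.js': "const key = process.env.FORMSLIST_API_KEY;\nheaders.Authorization = `Bearer ${key}`;",
  'src/bad.js': "const key = 'fl_key_abc123';",
  'public/form.js': "fetch(`https://api.example.invalid/forms?api_key=${key}`);",
};

// A commit hook would exit non-zero when this list is not empty.
const FINDINGS = scanFiles(STAGED);
```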

FormsList provides API keys for full programmatic access to its REST API on paid plans. You generate keys in the dashboard under Account > API Keys, and each key is shown only once at creation time — copy it immediately and store it securely. The FormsList API lets you create and configure forms, list and search submissions with filters, export data as JSON, manage webhook integrations, and retrieve analytics — everything available in the dashboard is accessible via API. A real-world example: a development agency builds a custom client portal that displays form submission data from FormsList alongside data from other sources. They use a FormsList API key stored in their server's environment variables to fetch recent submissions via the REST API, merge the data with CRM records, and render a unified dashboard for their client. The API key authenticates every request, and if the agency onboards a new developer, they generate a separate key for the development environment rather than sharing the production key.

Examples

REST API authentication

Include your API key in the Authorization header: Authorization: Bearer fl_key_abc123. The server validates the key and processes your request.

Environment variable storage

Store your API key in a .env file: FORMSLIST_API_KEY=fl_key_abc123. Access it in code via process.env.FORMSLIST_API_KEY instead of hardcoding it.

CI/CD pipeline access

Add your API key as a secret in GitHub Actions or your CI/CD platform to run automated scripts that interact with the FormsList API during deployments.
