API Authentication

Use API keys for server-side integrations and higher rate limits.

Overview

API keys are optional. Submito forms accept public submissions without any authentication — just point an HTML form at your endpoint and it works. API keys are useful when you need:

  • Server-side integrations — Submit from your backend without IP-based rate limits
  • Higher rate limits — 60 requests/minute per key vs 10/minute per IP
  • Usage tracking — See when each key was last used
  • Access control — Revoke a key without affecting other integrations

Creating API Keys

  1. Go to Workspace Settings and select the API Keys tab
  2. Click Create API Key
  3. Enter a descriptive name (e.g., "Production Server", "Staging", "CI Pipeline")
  4. Copy the key immediately — it won't be shown again

Save your key

The full API key is only displayed once at creation. If you lose it, you'll need to revoke it and create a new one. Store it securely in an environment variable.

You can create up to 10 active API keys per workspace.

Using API Keys

Include your API key in the Authorization header as a Bearer token:

Authorization: Bearer sk_your_api_key_here

Examples

curl -X POST https://api.submi.to/f/YOUR_FORM_ID \
  -H "Authorization: Bearer sk_your_api_key_here" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{"name": "Jane Doe", "email": "jane@example.com"}'
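The same request as the curl example above, as an added Python example that is not part of the Submito documentation or SDK: the key is read from an environment variable (SUBMITO_API_KEY is an assumed name), the Bearer header, JSON body and Accept header match the curl example, and the 401, 403 and 429 responses described on this page are translated into hints for the operator instead of being logged with the raw header.

```python
"""Server-side submission to a Submito form using an API key.

Added example, not Submito's own code. Assumptions not taken from the
docs: the key lives in the SUBMITO_API_KEY environment variable and the
helper names below are ours. Endpoint, headers and status codes follow
the documentation page.
"""
import json
import os
import urllib.error
import urllib.request

API_BASE = "https://api.submi.to/f/"

# Status codes named in the documentation and what they mean for a caller.
STATUS_HINTS = {
    401: "key is invalid or has been revoked; create a new key",
    403: "key belongs to a different workspace than this form",
    429: "rate limit reached (60 requests/minute per key)",
}


def load_api_key(env_var="SUBMITO_API_KEY"):
    """Read the key from the environment; refuse to run if it is absent."""
    key = os.environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set; never hardcode the key in source")
    if not key.startswith("sk_"):
        raise RuntimeError(f"{env_var} does not look like a Submito key (expected sk_ prefix)")
    return key


def build_request(form_id, payload, api_key):
    """Build the authenticated POST exactly as the curl example does."""
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        API_BASE + form_id,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def explain_status(status):
    """Map an HTTP status code to an operator-facing hint."""
    if 200 <= status < 300:
        return "submission accepted"
    return STATUS_HINTS.get(status, f"unexpected HTTP {status}")


def submit(form_id, payload, api_key=None, timeout=10):
    """Send the submission and return (status, hint). This is the only network call."""
    api_key = api_key or load_api_key()
    req = build_request(form_id, payload, api_key)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, explain_status(resp.status)
    except urllib.error.HTTPError as err:
        # Report the code and hint only; never echo the Authorization header into logs.
        return err.code, explain_status(err.code)


if __name__ == "__main__":
    # YOUR_FORM_ID is the placeholder from the curl example; the payload is constructed.
    print(submit("YOUR_FORM_ID", {"name": "Jane Doe", "email": "jane@example.com"}))
```

Keeping the key out of the source and out of error output matters more than the request itself: a 401 after a rotation or a 403 from a key created in the wrong workspace is diagnosed from the status code alone, so nothing secret needs to be written to a log to debug it.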

Key Format

API keys use the prefix sk_ followed by 40 random characters, for a total of 43 characters:

sk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0

In your workspace settings, keys are shown by their prefix only (e.g., sk_a1b2...) for identification.

Key Scoping

Each API key is scoped to a single workspace. A key can only submit to forms that belong to the same workspace. Attempting to submit to a form in a different workspace returns a 403 Forbidden error.

If you manage multiple workspaces, create a separate API key in each workspace that needs programmatic access.

Rate Limits with API Keys

Authenticated requests get their own rate limit bucket:

Method                               Limit          Window
Without API key (per IP per form)    10 requests    1 minute
With API key (per key)               60 requests    1 minute

Revoking Keys

To revoke a key, go to Workspace Settings > API Keys and click the trash icon next to the key. Revocation is immediate — any request using that key will receive a 401 Unauthorized response.

Revoked keys remain visible in the list for audit purposes but cannot be reactivated. Create a new key if needed.

Security Best Practices

  • Use environment variables — Never hardcode API keys in source code. Store them in .env files or your hosting platform's secrets manager.
  • Don't expose keys client-side — API keys are meant for server-to-server communication. Never include them in frontend JavaScript, mobile apps, or public repositories.
  • Use descriptive names — Name keys after their purpose ("Production Server", "Zapier Integration") so you know which to revoke if compromised.
  • Rotate regularly — Create a new key, update your integration, then revoke the old key.
  • Revoke immediately if compromised — If a key is exposed in a commit, log, or public channel, revoke it right away and create a new one.

Never commit API keys

Add .env to your .gitignore and use environment variables in your CI/CD pipeline. If you accidentally commit a key, revoke it immediately.
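A format check and a pre-commit style leak scanner, as an added Python example that is not Submito tooling. It covers the key format described above (sk_ plus 40 random characters, shown as sk_a1b2... in workspace settings) and the advice in this section to catch a key before it lands in a commit or a log. The alphabet of the 40 random characters is not documented, so alphanumeric is assumed here; the sample commit text is constructed, and the scanner reports only the display prefix so that its own output does not re-leak the secret.

```python
"""Key-format checks and a leak scanner for Submito API keys.

Added example, not Submito tooling. Uses the documented format (sk_
prefix + 40 random characters = 43 characters) and the documented
display form (sk_a1b2...). Assumption: the 40 random characters are
alphanumeric; the docs do not state the alphabet, so adjust
KEY_BODY_CHARS if your keys use a different one.
"""
import re

KEY_PREFIX = "sk_"
KEY_BODY_LEN = 40
KEY_BODY_CHARS = "A-Za-z0-9"  # assumed alphabet, see module docstring

# Word boundaries stop the pattern from matching inside a longer token.
KEY_RE = re.compile(rf"\b{KEY_PREFIX}[{KEY_BODY_CHARS}]{{{KEY_BODY_LEN}}}\b")


def is_valid_key_format(candidate):
    """True if the string has exactly the documented shape (43 characters)."""
    return KEY_RE.fullmatch(candidate) is not None


def display_prefix(key, visible=4):
    """Render a key the way the workspace settings list does: sk_a1b2..."""
    if not is_valid_key_format(key):
        raise ValueError("not a well-formed key")
    return key[: len(KEY_PREFIX) + visible] + "..."


def find_leaked_keys(text):
    """Return (line_number, display_prefix) for every key-shaped token in text.

    Only the prefix is returned, so the scanner's findings can be printed
    or logged without copying the secret anywhere new.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, display_prefix(match.group(0))))
    return hits


# Constructed sample: a diff-like snippet with one key in a config line,
# one pasted into a log line, and a lookalike token that is too short.
SAMPLE_COMMIT = """\
+SUBMITO_API_KEY=sk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0
+# debug output pasted from the server
+INFO sending Authorization: Bearer sk_Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Qq0Pp9Oo8Nn7M
+TOKEN=sk_tooshort123
"""


if __name__ == "__main__":
    for lineno, prefix in find_leaked_keys(SAMPLE_COMMIT):
        print(f"line {lineno}: key {prefix} found; revoke it and create a new one")
```

Run over the staged diff in a pre-commit hook (for example the output of git diff --cached), the scanner fails the commit on any hit. A hit means the key is already exposed to whoever can read that working tree, so the response is the one this page gives: revoke the key in Workspace Settings > API Keys, create a new one, and move the value into the environment or the hosting platform's secrets manager.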