
Overview

The SitePlot API uses API key authentication to secure access to your data. All API requests must include a valid API key in the Authorization header.

Creating an API Key

API keys can only be created by users with Global Administrator privileges:
  1. Navigate to your SitePlot admin dashboard
  2. Go to Organization > API Keys
  3. Click Create New API Key
  4. Provide a descriptive name for your API key
  5. Copy the generated API key immediately (it will only be shown once)
API keys are only displayed once upon creation. Store them securely and never share them publicly.

Authentication Method

Include your API key in the Authorization header of every request using the Bearer token format:
Authorization: Bearer YOUR_API_KEY

Example Request

curl -X GET "https://your-domain.com/api/v1/forms" \
  -H "Authorization: Bearer sk_live_1234567890abcdef" \
  -H "Content-Type: application/json"

Error Responses

Missing Authorization Header

{
  "error": "Missing authorization header",
  "message": "Please provide an API key in the Authorization header as \"Bearer YOUR_API_KEY\""
}

Invalid Authorization Format

{
  "error": "Invalid authorization format",
  "message": "Authorization header must be in the format \"Bearer YOUR_API_KEY\""
}

Invalid API Key

{
  "error": "Invalid API key",
  "message": "The provided API key is invalid or has been revoked"
}

Inactive API Key

{
  "error": "API key inactive",
  "message": "The provided API key has been deactivated"
}

API Key Management

Security Best Practices

  • Store securely: Never commit API keys to version control
  • Use environment variables: Store API keys in environment variables or secure configuration files
  • Rotate regularly: Generate new API keys periodically and revoke old ones
  • Limit scope: Create separate API keys for different applications or environments
  • Monitor usage: Regularly review API key usage in your dashboard
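
The following is an added example, not SitePlot's own code. It reads the key from an environment variable, builds the Bearer header described above, keeps the key out of logs, and maps the documented error bodies to a follow-up action. The variable name SITEPLOT_API_KEY, the action labels and the HTTPS check are assumptions of this example.

```python
import json
import os
import urllib.request

# "error" strings documented on this page -> suggested follow-up.
# The action labels are this example's own, not part of the API.
ERROR_ACTIONS = {
    "Missing authorization header": "fix_client",
    "Invalid authorization format": "fix_client",
    "Invalid API key": "rotate_key",
    "API key inactive": "reactivate_or_rotate",
}

def load_api_key(env=os.environ, var="SITEPLOT_API_KEY"):
    """Read the key from the environment (variable name is an assumption)."""
    key = env.get(var, "")
    # A stray newline or space from a copy-paste would break the header format.
    if not key or any(c.isspace() for c in key):
        raise ValueError(f"{var} is unset or contains whitespace")
    return key

def build_request(base_url, path, key):
    """Build a GET request with the Bearer header; refuse plain HTTP."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    req.add_header("Authorization", f"Bearer {key}")
    return req

def redact(key):
    """Form of the key that is safe to write to logs."""
    return "***" + key[-4:] if len(key) > 8 else "***"

def classify_error(body):
    """Map an error response body to an action; unknown bodies need a human."""
    try:
        err = json.loads(body).get("error")
    except (ValueError, TypeError, AttributeError):
        return "investigate"
    return ERROR_ACTIONS.get(err, "investigate")
```

Pass the request returned by build_request to urllib.request.urlopen to send it, and log redact(key) rather than the key itself.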

Revoking API Keys

To revoke an API key:
  1. Go to Organization > API Keys in your admin dashboard
  2. Find the API key you want to revoke
  3. Click the Revoke button
  4. Confirm the action
Revoking an API key immediately invalidates it. Any applications using the revoked key will receive authentication errors.

API Key Permissions

All API keys have the same permissions as the user who created them. Currently, API keys provide:
  • Read access to all forms and form submissions
  • Read access to all pages and redirects
  • No write access (API is read-only)

Testing Authentication

You can test your API key authentication by making a simple request to any endpoint:
curl -X GET "https://your-domain.com/api/v1/forms?pageSize=1" \
  -H "Authorization: Bearer YOUR_API_KEY"
A successful response indicates your API key is valid and properly configured.