Authentication & Security
Build complex forms without code. Secure your integrations with scoped API keys and OAuth 2.0.
Authentication Methods
FormFlow supports two primary authentication mechanisms for programmatic access: scoped API keys for backend services and OAuth 2.0 for delegated user access across third-party applications.
Generate keys directly from the Developer Console under the Credentials tab. Each key is bound to a specific environment (staging or production) and supports granular scopes like `forms:read`, `submissions:write`, and `webhooks:manage`. Keys automatically rotate after 365 days. Our infrastructure team, led by Robert Chen, enforces a strict rate limit of 1,200 requests per minute per key to prevent abuse and ensure platform stability.
OAuth 2.0 Authorization Code Flow
Redirect users to `https://auth.formflow.io/authorize` to initiate the handshake. Capture the returned authorization code and exchange it for an access token valid for 3600 seconds. Always implement PKCE (Proof Key for Code Exchange) for public clients to mitigate authorization code interception. Refresh tokens are issued with sliding expiration and require re-authentication after 90 days of inactivity.
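The PKCE-protected authorization code flow described above, written out as an added Python example (not FormFlow's SDK or code from this page): it derives the S256 challenge from a fresh verifier, builds the redirect to the authorize endpoint named above, checks the returned `state` before accepting a code, prepares the exchange body that carries the verifier, and applies the 90-day idle rule to refresh tokens. The client_id, redirect_uri and scope values are placeholders, and the token endpoint itself is not named on the page.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Authorize endpoint from the page; client_id/redirect_uri used by callers are assumed placeholders.
AUTHORIZE_URL = "https://auth.formflow.io/authorize"
REFRESH_IDLE_LIMIT = 90 * 86400  # 90 days of refresh-token inactivity, per the page

def make_code_verifier() -> str:
    """High-entropy verifier, 43 unreserved chars (RFC 7636 allows 43-128)."""
    return secrets.token_urlsafe(32)

def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(client_id, redirect_uri, scope, state, verifier) -> str:
    """Redirect target for the authorization request of a public client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # unguessable, kept in the session, checked on return
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code; reject state mismatches and provider errors."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    return qs["code"][0]

def token_request_body(code, client_id, redirect_uri, verifier) -> dict:
    """Form body for the code exchange; the server recomputes S256(verifier) and compares."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "redirect_uri": redirect_uri,
            "code_verifier": verifier}

def refresh_needs_reauth(last_used_at: float, now: float) -> bool:
    """Sliding expiration: a refresh token idle for 90 days forces a new sign-in."""
    return now - last_used_at >= REFRESH_IDLE_LIMIT
```

Keep the verifier and state in server-side session storage between the redirect and the callback; neither should ever be placed in the authorize URL.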
Role-Based Access Control
Define custom roles such as `Data Analyst` or `Form Architect` to restrict field-level visibility and submission editing rights. All permission changes are logged with timestamps, IP addresses, and user agent strings. Export audit trails via the `GET /audit/v1/events` endpoint or stream them directly to your SIEM platform.
Security Compliance & Infrastructure
Enterprise-grade protections ensure your form data remains confidential, intact, and fully compliant with global regulations.
SOC 2 Type II Certified
Independently audited by Deloitte in Q3 2023. Validates strict controls over security, availability, and processing integrity across all AWS production regions.
AES-256 & TLS 1.3
Data at rest is encrypted using AWS KMS-managed customer keys. All API traffic enforces TLS 1.3 with HSTS preload. Certificate transparency logs are continuously monitored by our security operations center.
GDPR & CCPA Ready
Built-in data retention schedules, automated right-to-erasure workflows, and programmatic DSR processing. Submit bulk requests via `POST /compliance/v1/data-export` with zero manual engineering overhead.