Public API reference
This page documents every endpoint your integration code should call. Internal, admin, and webhook endpoints are not listed here.
https://my.contactfire.comAuthentication
The submission endpoint accepts two authentication methods:
Pass as a form field named _token:
_token=cf_embed_...
Pass as an HTTP header:
x-api-key: cf_api_...
Token management and form management endpoints (listed below with "JWT session" auth) require you to be logged in to my.contactfire.com. These endpoints are for programmatic account management — use them from your own backend scripts or automation, not from client-side code.
/api/form/submitSubmit a form. The primary integration endpoint.
application/x-www-form-urlencoded, multipart/form-data, or application/json/api/public/forms/{formId}Fetch the form definition for rendering. Used by the embed script.
/api/public/forms/{formId}/submitSubmit data to a public Form Studio form. Supports live draft upgrades.
application/json/api/public/forms/{formId}/partialLoad a saved partial (in-progress) submission by session ID.
/api/public/forms/{formId}/partialCreate or update an in-progress submission. Returns a session ID for resume.
application/json/api/plansList all active plans with pricing. Used to display pricing on your site.
/api/plans/{planId}Fetch a single plan by ID or slug.
/api/apikeysList all API keys for your account. Keys are masked — only the prefix is returned, never the full secret.
/api/apikeysCreate an API key. The full key is returned once — store it securely, it cannot be retrieved again.
application/json/api/apikeys/:idUpdate an API key — rename it, change the reply-to field, or update notification recipients.
application/json/api/apikeys/:idRevoke an API key. All future requests using this key are rejected immediately — no grace period.
/api/embed-tokensList all embed tokens for your account.
/api/embed-tokensCreate an embed token. Safe to include in client-side HTML and JavaScript.
application/json/api/embed-tokensUpdate an embed token. Pass the token ID as the ?id= query parameter.
application/json/api/embed-tokensRevoke an embed token. Pass the token ID as the ?id= query parameter. Requests using this token are rejected immediately.
/api/forms/:idFetch a form by its ID. Returns the full form definition including fields, sections, and settings.
/api/forms/:idUpdate a form. Accepts partial updates — only provided fields are changed.
application/jsonError codes
* SPAM_DETECTED returns 200 so the form submitter does not know their message was flagged.
Rate limits
| Submission endpoint | 10 requests / IP / minute (enforced at Cloudflare edge) |
| Plan monthly quota | Varies by plan — see Pricing |
CORS
The public form endpoints return CORS headers based on your form's allowed domains list. If your domain is not on the list, the browser rejects the preflight request.
- Add your site's domain to the form or embed token allowed domains list
- Both
yoursite.comandhttps://yoursite.comare matched - Server-side calls (API key via
x-api-key) are not subject to CORS