  • Is There Any Security Around API Key?

    Asked by timrowell on November 06, 2015 at 06:20 AM

    Hello,

    We would like to build our own frontend around the Jotform API and integrate our forms with other third party services. Currently, we are considering using POST /form/{id}/submissions on the client side. Are there any security considerations to be wary of? If the api key is exposed on the frontend could someone use it to view other submissions?

    Many thanks, Tim

  • JotForm Support

    Answered by mert on November 06, 2015 at 09:25 AM

    Hi Tim,

    Normally, it is not possible; but if you have security concerns, you can change its permission settings to "Read Only".

    Each generated API key comes with permissions: Read Access permission to read only private information, and Full Access permission to grant full access to your data, e.g. add, edit, delete form submissions.

    For more information about the Jotform API, please visit Jotform's API Documentation page: http://api.jotform.com.

    If you need more information, please let us know.

    Thanks.

  • Answered by timrowell on November 06, 2015 at 10:49 AM

    Hi Mert,

    Thank you for the reply. I am still confused about a couple of things.

    >> Normally, it is not possible

    What is not possible? Viewing the submissions? Building a frontend around the API?

    >> Read Access permission to read only private information

    This is exactly what we don't want. If the API key was exposed, we don't want snooping users to be able to view other submissions. Unless I've misunderstood what 'read access' means, what we really want is 'write access' only.

    My questions are:

    1. Is it possible to read people's submissions with just the API key? The documentation seems to imply that this is possible.

    2. Will setting the permission to "read only" still allow users to post submissions?

    3. Are we better off building this service in the backend and not worrying about exposing the API key?

    Best,

    Tim

  • JotForm Support

    Answered by Welvin on November 06, 2015 at 12:55 PM

    Hi Tim,

    I think that answer pertains to your last question, but I need to confirm this with Mert just to be sure. Our API team should be able to address your additional questions.

    Thank you and my apologies.

  • Answered by timrowell on November 09, 2015 at 04:56 AM

    Hi Welvin,

    Thank you for clarifying. Will the API team answer my questions in this thread? I've asked the original question in the developers' forum (http://developers.jotform.com/forum/post/563b99e6b71a89072300004e) but it has still been unanswered.

    Just to let you know the contact button in the API docs (http://api.jotform.com/docs/#contact) doesn't seem to point to anything.

    Best,

    Tim

  • JotForm Support

    Answered by Charlie on November 09, 2015 at 09:28 AM

    Hi,

    The API key is not usually shared and exposed, I believe. As displayed in the documentation, you can easily view submission data by just knowing the API key and a submission ID. It would be best to either store it in a database or call it in your backend code (PHP is not exposed on the frontend, so it is more secure), and then tie that to a session variable.

    You can try to contact the API team at this address: api@jotform.com

  • Answered by timrowell on November 09, 2015 at 09:40 AM

    Hi Charlie,

    We guessed this would be the case, however I've just tried retrieving a specific submission by providing the submission ID and I get a 401. The API key is set to full access. Any ideas?

    Cheers,

    Tim

  • JotForm Support

    Answered by mert on November 09, 2015 at 09:48 AM

    Hi there,

    In addition to what Charlie said, there is no option like "Write Access Only" on JotForm's API. You can set this option to "Read Only" or "Full Access".

    To change the API setting,

    Moreover, if you set your API permission as "read only", it is not possible to add a new record. So, Charlie's idea is the better one if you have security concerns. However, our API key is not normally exposed.

    If you need any other information, please let us know.

    Thanks.
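The arrangement Charlie and Mert converge on (keep the full-access key on the backend and forward only submissions, since no "write only" key exists) as an added example that is not JotForm's code or anything posted in this thread: a minimal Python proxy handler. It uses the POST /form/{id}/submissions path named in the thread; the APIKEY header, the submission[<field>] body encoding and the allowed form id are assumptions and constructed values.

```python
import json
import os
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# POST /form/{id}/submissions is named in the thread; the APIKEY header and the
# submission[<field>] body encoding are assumptions, not taken from the page.
JOTFORM_API_BASE = "https://api.jotform.com"
ALLOWED_FORM_IDS = {"123456789012345"}  # constructed sample id; only these are reachable
FIELD_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")

def build_submission_request(form_id: str, fields: Dict[str, str],
                             api_key: str) -> Tuple[str, Dict[str, str], bytes]:
    """Build the server-side POST; the browser never sees api_key."""
    if form_id not in ALLOWED_FORM_IDS:
        raise PermissionError("form id not allowed")
    if not fields or len(fields) > 100:
        raise ValueError("unexpected field count")
    encoded = {}
    for name, value in fields.items():
        if not FIELD_NAME_RE.match(name):
            raise ValueError("bad field name")
        encoded[f"submission[{name}]"] = str(value)[:5000]
    url = f"{JOTFORM_API_BASE}/form/{form_id}/submissions"
    headers = {"APIKEY": api_key, "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urllib.parse.urlencode(encoded).encode()

def _send(url: str, headers: Dict[str, str], body: bytes) -> int:
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

def handle_frontend_submission(raw_json: bytes, api_key: str = "",
                               send: Callable[[str, Dict[str, str], bytes], int] = _send) -> Dict[str, object]:
    """Proxy handler: the frontend posts {"form_id": ..., "fields": {...}} and no key."""
    api_key = api_key or os.environ.get("JOTFORM_API_KEY", "")
    if not api_key:
        return {"status": 500, "error": "server misconfigured"}
    try:
        data = json.loads(raw_json)
        url, headers, body = build_submission_request(
            str(data.get("form_id", "")), data.get("fields") or {}, api_key)
    except PermissionError:
        return {"status": 403, "error": "form not allowed"}
    except (ValueError, AttributeError, TypeError):
        return {"status": 400, "error": "invalid submission"}
    # Relay only a status: no upstream body, so no submission ids or data reach the browser.
    return {"status": send(url, headers, body)}
```

The proxy exposes exactly one operation, so a client that can reach it can create submissions but has no path to GET them, which is the "write access only" behaviour the key permissions alone cannot provide.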