Personal Access Tokens are the credentials you’ll use to authenticate with the OpnForm REST API. They’re scoped, revocable, and tied to your user account – keep them secret.

Creating a token

  1. Sign in to your OpnForm account.
  2. Open Settings → Access Tokens (/home?user-settings=access-tokens).
  3. Click Create new token.
  4. Pick a descriptive name (e.g. “Zapier Integration”).
  5. Select the abilities you want to grant (see the table below).
  6. Click Create and copy the token value – you won’t be able to see it again after closing the dialog.
Create token

Abilities

AbilityGrants
workspaces-readList workspaces
workspaces-writeCreate, update or delete workspaces
workspace-users-readList members and invites
workspace-users-writeManage members and invites
forms-readList forms and submissions
forms-writeCreate or modify forms and submissions

You can combine abilities as needed – choose the minimum set your integration requires.

Using the token

Send the token in the Authorization header:

Authorization: Bearer <access_token>

Revoking a token

If a token is leaked or no longer needed:

  1. Go back to Settings → Access Tokens.
  2. Click Revoke next to the token.
  3. Any further API requests that use that token will receive 401 Unauthorized.

Best practices

  • Store tokens securely (environment variables, secret managers, CI secrets).
  • Use a dedicated token per integration – easier to revoke individually.
  • Avoid committing tokens to version control.
  • Rotate tokens periodically.