Build agents that submit forms.

Form4Dev treats AI agents as first-class clients. Authorize an agent, and its submissions land in your inbox cleanly, tagged with the agent's label, ready for review or automation.

Why agents?

Most form backends were built for browsers. When an LLM or scripted agent submits, the defenses designed for anonymous browser traffic flag it. The result is dropped submissions or a manual triage burden.

Form4Dev recognises authorised agents as trusted callers, so real automation goes through cleanly while anonymous bots stay blocked.

Ownership model — a human owns, an agent operates

Form4Dev is deliberate about this: an agent never owns an account. A human signs up, owns the account, and is responsible for billing. That human then mints a scoped API token and hands it to the agent. The agent operates within the account the human owns — it cannot create one.

This is enforced, not just convention. Account registration is protected by a human-verification challenge, so an autonomous agent cannot self-onboard, open an account, or start a subscription. The signup, the plan, and the bill are always a human's. If you are building an agent, plan for this: a person completes signup once, then provisions the token your agent uses.

  • Human: registers, owns the account, pays, sets the plan, creates and revokes tokens.
  • Agent: receives a token and acts within that account — create forms, submit, read, export — nothing account-level.

Tokens are also scoped. Give an agent only what it needs: a submissions:read token can read and export but cannot create or delete forms. See API tokens.

1. Authorize an agent

Sign in, open Dashboard → Settings → API tokens, check "This token is for an AI agent", give it a label so you remember what it's for (e.g. Claude Desktop, Cursor, internal-script), and click Create. Copy the credential immediately — it's shown once.

2. Submit on a user's behalf

The agent makes a standard authenticated web request to your form's endpoint. Any HTTP client works — no SDK needed.

curl -X POST <your-form-endpoint> \
     -H "Authorization: Bearer <your-agent-token>" \
     -H "Content-Type: application/json" \
     -d '{"name":"Ada","message":"hi from the agent"}'

Configure forms via API

An agent can do everything the dashboard does — create a form, define its fields, and set every option (recipients, subject template, autoresponder, CAPTCHA, allowed origins, file uploads, payments). A complete form is three calls.

1. Create the form — returns its id and endpointSlug.

curl -X POST <app>/api/forms \
     -H "Authorization: Bearer <token>" -H "Content-Type: application/json" \
     -d '{"name":"Internship Enquiry"}'

2. Define the fields: PATCH /api/forms/{id}/builder. This is the ONLY endpoint that sets form fields; sending schemaJson to the settings endpoint is rejected.

curl -X PATCH <app>/api/forms/<id>/builder \
     -H "Authorization: Bearer <token>" -H "Content-Type: application/json" \
     -d '{"schema":[
       {"id":"name","type":"text","label":"Name","required":true},
       {"id":"email","type":"email","label":"Email","required":true}
     ]}'

3. Set every other option: PATCH /api/forms/{id}. All fields optional; one call can set any combination.

curl -X PATCH <app>/api/forms/<id> \
     -H "Authorization: Bearer <token>" -H "Content-Type: application/json" \
     -d '{
       "notifyEmails":["<notify-email>"],
       "ccEmails":["<cc-email>"],
       "emailSubjectTemplate":"New lead: {{name}}",
       "autoresponderEnabled":true,
       "autoresponderSubject":"Thanks, {{name}}!",
       "autoresponderBodyHtml":"<p>We got your enquiry.</p>",
       "captchaRequired":true,
       "allowedOrigins":["https://acme.com"],
       "successRedirectUrl":"https://acme.com/thanks"
     }'

Every dashboard control maps to one field on PATCH /api/forms/{id} — recipients, retention, file-upload limits, the full autoresponder, CAPTCHA, allowed origins, and the Razorpay payment block. The OpenAPI spec's UpdateForm schema lists all of them with types and limits. Integrations (Slack, Discord, Telegram, Mailchimp) and webhooks each have their own POST endpoint under /api/forms/{id}.

Token scopes apply: configuring forms needs a forms:write token. A forms:read token can read settings but not change them.
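
The three calls above chained into one script, as an added example (not Form4Dev's own code): the token is read from a file and handed to curl on stdin so it stays out of the process list and shell history, and the returned id is validated before it is placed in a URL. F4D_APP, F4D_TOKEN_FILE, F4D_RUN, the function names and a top-level "id" in the create response are assumptions.

```shell
#!/bin/sh
# Added example, not Form4Dev's own code. Assumptions: F4D_APP is the base URL
# (the page's <app>), F4D_TOKEN_FILE is a mode-0600 file holding a forms:write
# agent token, and the create response carries a top-level "id".

# One authenticated JSON request. The Authorization header goes to curl as a
# config read from stdin (-K -), so the token never appears in argv.
f4d_call() {  # usage: f4d_call METHOD PATH JSON_BODY
  printf 'header = "Authorization: Bearer %s"\n' "$(cat "$F4D_TOKEN_FILE")" |
    curl -K - -fsS -X "$1" "$F4D_APP$2" \
         -H 'Content-Type: application/json' -d "$3"
}

# Print the value of the "id" key from the JSON on stdin
# (assumes the response contains exactly one "id" key).
f4d_extract_id() {
  sed -n 's/.*"id"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",}]*\)"\{0,1\}.*/\1/p' |
    head -n 1
}

# Create, define fields, set options. Prints the new form id on success.
# FORM_NAME must not contain '"' or '\' (it is placed in JSON unescaped).
f4d_provision() {  # usage: f4d_provision FORM_NAME
  resp=$(f4d_call POST /api/forms "{\"name\":\"$1\"}") || return 1
  id=$(printf '%s' "$resp" | f4d_extract_id)
  # Refuse anything that is not a plain identifier before it goes into a URL.
  case $id in
    ''|*[!A-Za-z0-9_-]*) echo "unexpected id in response" >&2; return 1 ;;
  esac
  # Fields are set only through the builder endpoint.
  f4d_call PATCH "/api/forms/$id/builder" '{"schema":[
    {"id":"name","type":"text","label":"Name","required":true},
    {"id":"email","type":"email","label":"Email","required":true}]}' \
    >/dev/null || return 1
  # Remaining options: require CAPTCHA and pin the allowed origin.
  f4d_call PATCH "/api/forms/$id" \
    '{"captchaRequired":true,"allowedOrigins":["https://acme.com"]}' \
    >/dev/null || return 1
  printf '%s\n' "$id"
}

# Run only when asked, so sourcing this file has no side effects.
if [ "${F4D_RUN:-}" = 1 ]; then f4d_provision "Internship Enquiry"; fi
```

Because curl runs with -f, a token without the forms:write scope stops the script at the first rejected call instead of leaving a half-configured form.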

How agent traffic is handled

Authorized agent submissions skip the spam-detection layer designed for anonymous browser traffic — since we already know who they are, the friction designed to catch unknown callers doesn't apply.

Your per-form and account-level limits still apply to agent traffic. A misbehaving script can't bypass your monthly quota or burst-protection. The system protects you against your own automation as well as against attackers.

Account scoping

Each credential is scoped to a single account. An agent authorised under your account can only submit to your forms. There's no path to use one account's credential against another account's resources.

Audit trail

Every agent submission is tagged in the inbox with the agent's label. You can see at a glance which submissions came from which agent, review their history, and revoke any agent in one click. Revoking stops future submissions without affecting historical records.

Public API spec

Modern agent frameworks (tool-use APIs, MCP servers, function calling) can consume an OpenAPI spec directly. Form4Dev publishes one at login.form4dev.com/api/openapi.json so an agent pointed at the spec can discover the endpoint, learn the expected fields, and submit — without a human writing integration code.