Tokens & abilities
Every API token holds a list of abilities. Each endpoint in the REST API and each tool in the MCP server lists the ability it requires. The token's abilities are the upper bound — a request without the right ability is rejected with 403 before any logic runs.
All abilities
| Ability | Powers |
|---|---|
| forms:read | List, fetch forms. |
| forms:write | Create, update, publish, unpublish, archive, restore, force-delete. |
| forms:test-email | Send test autoresponder / notification emails (no submission stored). |
| submissions:read | Read submissions, files, signed URLs. |
| submissions:write | Update, delete, bulk action. |
| submissions:export | CSV / JSON exports. |
| webhooks:read | List webhooks, deliveries. |
| webhooks:write | Create, update, delete, replay. |
| billing:read | Plan, usage, subscription, invoices. |
| insights:read | Read AI insights. |
| insights:write | Trigger regeneration. |
| tokens:read | List your own tokens. |
| tokens:write | Mint and revoke tokens; new tokens cannot exceed your own abilities. |
Sensible token sets
Read-only dashboard scrape
forms:read
submissions:read
billing:read
Spam triage agent
forms:read
submissions:read
submissions:write
Backend service that creates submissions and forwards them
forms:read
submissions:read
webhooks:read
webhooks:write
Admin-grade automation
forms:read forms:write forms:test-email
submissions:read submissions:write submissions:export
webhooks:read webhooks:write
billing:read insights:read insights:write
tokens:read tokens:write
Token minting from a token
tokens:write can mint child tokens. The child's abilities must be a subset of the parent's; the API rejects any escalation attempt with 403. This means an admin token can hand out scoped read-only tokens to your team without giving each one full power.
Cross-team
Tokens are minted in a team. Cross-team reads return 404. Switch teams in the dashboard before minting tokens you'll use against a different workspace.
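The ability gate, the child-token subset rule and the cross-team 404 described above, modelled as an added example (not the project's own code) so the three rules can be exercised offline. Endpoint paths and real HTTP handling are left out; `Token`, `authorize`, `mint_child` and `status_of` are names assumed for this illustration.

```python
# Added example, not the project's own code: a model of the three rules on this page
# (per-endpoint ability gate, child-token subset rule, cross-team 404) for offline testing.
from dataclasses import dataclass

ABILITIES = frozenset({
    "forms:read", "forms:write", "forms:test-email",
    "submissions:read", "submissions:write", "submissions:export",
    "webhooks:read", "webhooks:write", "billing:read",
    "insights:read", "insights:write", "tokens:read", "tokens:write",
})

class ApiError(Exception):
    status = 500

class Forbidden(ApiError):
    status = 403  # missing ability, or a child token exceeding its parent

class NotFound(ApiError):
    status = 404  # resource belongs to another team

@dataclass(frozen=True)
class Token:
    team: str
    abilities: frozenset

def authorize(token: Token, required: str, resource_team: str) -> None:
    """Runs before any endpoint logic: ability check first, then team scope."""
    if required not in token.abilities:
        raise Forbidden(f"token lacks {required}")
    if resource_team != token.team:
        raise NotFound("resource not visible from this team")

def mint_child(parent: Token, requested) -> Token:
    """tokens:write mints a child; its abilities must be a subset of the parent's."""
    authorize(parent, "tokens:write", parent.team)
    requested = frozenset(requested)
    if requested - ABILITIES:
        raise ValueError(f"unknown abilities {sorted(requested - ABILITIES)}")
    escalation = requested - parent.abilities
    if escalation:
        raise Forbidden(f"escalation attempt: {sorted(escalation)}")
    return Token(team=parent.team, abilities=requested)  # child stays in the parent's team

def status_of(fn, *args) -> int:
    """Return the HTTP status a check would produce (200 when it passes)."""
    try:
        fn(*args)
    except ApiError as e:
        return e.status
    return 200
```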