Note: This article applies only to:
* Parent Accounts using the Subaccount Model with access to the Subaccount API, or
* Accounts with access to the Forms API add-on using the V2025 API (released in August 2025)
Formstack Personal Access Tokens (PATs) offer secure API access with user-level permissions, ensuring authorized access to Formstack services while upholding security measures. PATs grant access to the Subaccount API based on the users’ access level, enabling Parent accounts to programmatically retrieve information about their subaccounts and interact with them.
Admin Controls for PAT Access
- Manual Enablement for Admins: PAT generation is no longer automatically granted to all Admins. Organization Admins must now explicitly enable this ability for themselves or other Admins.
- User-Level Settings: Admins can enable or disable PAT creation for specific non-admin users from the user's profile settings.
Token Management
Creating Tokens
Navigate to the administration area and select "access tokens" from the left-hand menu
Click "generate token" to create a new token
Enter required information:
- Unique name
- Optional description
- Optional expiration date (30, 60, or 90 days)
Token Security
The token string is only displayed once upon generation and must be copied immediately, as it cannot be retrieved later for security purposes. Use the copy button to securely save the token string.
Token Properties
The PAT management page displays the following information:
- Token name
- Creator
- Creation date
- Expiration date
- Last usage timestamp
- Status (active/revoked)
Token Actions
The Actions Menu gives administrators the tools to manage their Personal Access Tokens (PATs), including editing, regenerating, and revoking tokens.
Editing
Users can modify the token name and description, but the token string itself cannot be altered.
Regeneration
Tokens can be regenerated with a new expiration period (30, 60, or 90 days). This action requires updating all applications and services using the existing token.
Revocation
- Revoking a token immediately terminates its access to production
- This action is permanent and cannot be reversed
- Revoked tokens are moved to the inactive token section
- Revoked tokens do not count toward the token limit
PAT Management Dashboard
A new dashboard is available for Admins, offering a centralized view of:
- All PATs within the organization
- Token metadata (creator, creation date, expiration, last used)
- Filters for token status
- The ability to revoke PATs individually or in bulk
Limitations
- Users are limited to creating 10 tokens per user account
- Tokens provide access to the Subaccount API (available by request)
- Access levels are determined by the user's existing permissions
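An added example, not Formstack code: a periodic review pass over the token metadata shown on the PAT Management Dashboard, flagging active tokens to regenerate or revoke and users approaching the 10-token limit. The `Pat` record, the sample rows, and the 14-day, 45-day and headroom thresholds are assumptions; this article does not describe an export format, so the rows are constructed by hand from the dashboard columns.

```python
from collections import Counter
from datetime import date, timedelta
from typing import NamedTuple, Optional

TOKEN_LIMIT = 10  # per-user limit stated in this article

class Pat(NamedTuple):  # hypothetical record mirroring the dashboard columns
    name: str
    creator: str
    created: date
    expires: Optional[date]    # None = no expiration chosen
    last_used: Optional[date]  # None = never used
    status: str                # "active" or "revoked"

# Constructed sample inventory, not real data.
SAMPLE = [
    Pat("ci-sync", "alice", date(2025, 9, 1), date(2025, 11, 30), date(2025, 11, 20), "active"),
    Pat("legacy-export", "alice", date(2025, 8, 15), None, date(2025, 8, 20), "active"),
    Pat("reporting", "bob", date(2025, 10, 1), date(2025, 12, 30), None, "active"),
    Pat("old-test", "bob", date(2025, 8, 20), date(2025, 9, 19), date(2025, 9, 1), "revoked"),
]

def review(tokens, today, warn_days=14, stale_days=45):
    """Return {token name: [findings]} for active tokens; thresholds are assumptions."""
    findings = {}
    for t in tokens:
        if t.status != "active":
            continue  # revoked tokens no longer grant access
        notes = []
        if t.expires is None:
            notes.append("no expiration set")
        elif t.expires - today <= timedelta(days=warn_days):
            notes.append("expiring: schedule regeneration")
        # Idle time is measured from last use, or from creation if never used.
        idle = today - (t.last_used or t.created)
        if idle > timedelta(days=stale_days):
            notes.append("never used" if t.last_used is None else "stale")
        if notes:
            findings[t.name] = notes
    return findings

def users_near_limit(tokens, headroom=2):
    """Count active tokens per creator; revoked ones do not count toward the limit."""
    active = Counter(t.creator for t in tokens if t.status == "active")
    return {user: n for user, n in active.items() if n >= TOKEN_LIMIT - headroom}

if __name__ == "__main__":
    for name, notes in review(SAMPLE, today=date(2025, 11, 25)).items():
        print(f"{name}: {', '.join(notes)}")
```

Because regeneration requires updating every application that uses the token, the "expiring" finding is most useful when the warning window is longer than the time that rollout takes.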