How to create a Typeform API key (personal access token)
A Typeform personal access token is a credential you generate in your own account so a developer or a connected tool can read your forms and responses through the Typeform API, without ever signing in as you. You choose which scopes the token carries, so you can keep it to read-only access (for example forms:read and responses:read) and the connected tool can then pull data such as form structures and submitted responses automatically. The token is a long secret string that begins with "tfp_". You can name each token to track what it is for, and you can delete or regenerate it at any time, which immediately cuts off whatever was using it. This guide walks through creating the token, choosing read-only scopes, copying it safely, and revoking it when the work is done.
Keep this credential safe
A personal access token is like a password. Anyone who has it can use the Typeform API to access everything the token allows, so treat it with the same care. Scope it to read-only (for example forms:read and responses:read) so it can never change or delete your data, give each token a clear name, and share it only through a secure method such as a password-manager share link, never plaintext email or chat. Delete or regenerate the token as soon as the work is finished, the tool no longer needs it, or you suspect it has been leaked. Typeform shows the token only once when you create it, so store it securely from the start.
Access to grant
Personal access token scoped to read-only access (for example forms:read and responses:read). Avoid write scopes unless the tool genuinely needs to create or change data.
Who you're granting access to
- The developer, consultant, or tool that will read your forms and responses through the Typeform API.
Before you start
- Access to the Typeform account whose forms and responses you want to share, signed in at admin.typeform.com.
- A clear idea of what the connected tool needs to do, so you can limit the token to read-only scopes such as forms:read and responses:read.
- A secure way to hand the token to the person or tool that will use it, such as a password-manager share link.
Step by step
- 1
Open your account settings
Sign in to Typeform at admin.typeform.com. In the upper-left corner, click the drop-down menu next to your username and choose Account. This opens your account settings.
- 2
Go to Personal tokens
In the left-hand menu, click Personal tokens. You can also go there directly at admin.typeform.com/user/tokens. This page lists any tokens you have already created.
- 3
Generate a new token
Click "Generate a new token". Give the token a clear name in the Token name field, such as "Clever Ops read-only", so you can recognise later what it is for and delete the right one when it is no longer needed.
- 4
Choose read-only scopes
Select only the scopes the connected tool actually needs. For reading form structures and responses, tick forms:read and responses:read. Leave the write scopes (forms:write, responses:write, and similar) unticked so the token cannot create, change, or delete anything. Add other read scopes such as workspaces:read or accounts:read only if the tool needs them.
- 5
Generate and copy the token immediately
Click "Generate token". Typeform shows the token (a long string starting with "tfp_") once. Copy it straight away, because you will not be able to view it again. Do not paste it into plaintext email or chat. Share it through a secure method such as a password-manager share link, then close the dialog.
Removing access afterwards
- Sign in to Typeform and open Account, then Personal tokens (admin.typeform.com/user/tokens).
- Find the token in the list by the name you gave it, and click the three-dot menu next to it.
- Choose "Delete this token" to revoke it permanently, or "Regenerate token" to rotate it to a new value. Either action immediately stops the old token from working, so make sure the connected tool no longer needs it (or update it with the new value).
If that option is not available
Only personal access tokens reading your own account can be created this way. If a tool needs to connect to many different Typeform accounts, or you would rather not generate a long-lived token, ask the developer to use a registered OAuth application instead, which lets you authorise read-only access from a sign-in screen and revoke it later. If you are unsure which approach fits, share your screen on a short call and walk the developer through your account live. You should never need to share your Typeform password.
Frequently Asked Questions
It is a secret credential you generate in your own account so a developer or tool can read your forms and responses through the Typeform API. It starts with "tfp_" and carries only the scopes you choose, so you control exactly what it can do.
Treat it like a password. Scope it to read-only, give it a clear name, and share it through a secure method such as a password-manager share link rather than plaintext email or chat. Never commit it to source control. Typeform shows the token only once, so copy and store it securely the moment you create it.
For most read-only connections, forms:read and responses:read are enough. They let a tool retrieve your form structures and the responses people submit. Leave the write scopes (forms:write, responses:write) unticked so the token cannot create, change, or delete anything.
No, as long as you grant only read scopes such as forms:read and responses:read. Without write scopes the token can view your data through the API but cannot create, edit, or delete forms or responses.
No. Generating a personal access token does not change your Typeform subscription. The data a tool can reach through the API still depends on your plan, but creating and using the token itself is free.
Related guides
Steps last checked against Typeform on 2026-06-09.
Based on official Typeform documentation: Typeform developers: Personal access token for Typeform's APIs, Typeform developers: OAuth 2.0 scopes for your applications, Typeform help centre: Typeform API personal access token. Typeform is a trademark of its respective owner; this guide is independent and for instruction only.
Want this handled for you?
Clever Ops connects and automates the systems mid-market businesses already run. Book a free assessment and we will map your stack.