HTTP API

Security, Guards, Middleware, and Abilities

Security layers and authorization action keys.

Security layers

  1. global route middleware (formforge.http.middleware)
  2. endpoint guard config (auth, guard, ability, abilities)
  3. endpoint middleware (formforge.http.<endpoint>.middleware)
  4. optional ownership resolution and authorization
  5. optional scoped route authorization (gate or policy)

Supported auth modes

  • public
  • optional
  • required

Authorization action keys

Examples:

  • schema.latest, schema.versions, schema.show
  • submission.submit_latest, submission.submit_version
  • upload.stage_latest, upload.stage_version
  • resolve.resolve_latest, resolve.resolve_version
  • resolve.validate_field_latest, resolve.validate_field_version
  • draft.save, draft.current, draft.delete
  • management.index, management.create, management.update, management.publish
  • management.responses, management.responses_export, management.response_delete
  • management.gdpr_policy, management.response_gdpr_anonymize, management.gdpr_run

Policy method names follow snake_case action naming.

For field-validation actions, policy methods are:

  • resolve_validate_field_latest
  • resolve_validate_field_version
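
A coverage check built on this naming rule, as an added example that is not part of FormForge: it derives the expected policy method for each action key and reports keys with no public method on a policy class. Assumptions: the method name is the action key with "." replaced by "_" (inferred from the two field-validation names above), and SampleFormPolicy, policyMethodFor and uncoveredActions are hypothetical names; how FormForge treats an action with no matching policy method is not stated here, so the check only flags it.

```php
<?php
declare(strict_types=1);

// Action keys copied from the list above (a subset; extend to the keys in use).
const ACTION_KEYS = [
    'schema.show',
    'submission.submit_latest',
    'resolve.validate_field_latest',
    'resolve.validate_field_version',
    'management.responses_export',
    'management.response_gdpr_anonymize',
];

// Assumption: policy method = action key with "." replaced by "_",
// e.g. resolve.validate_field_latest -> resolve_validate_field_latest.
function policyMethodFor(string $actionKey): string
{
    return str_replace('.', '_', $actionKey);
}

// Returns the action keys for which $policyClass has no public method.
function uncoveredActions(array $actionKeys, string $policyClass): array
{
    $ref = new ReflectionClass($policyClass);
    $missing = [];
    foreach ($actionKeys as $key) {
        $method = policyMethodFor($key);
        if (!$ref->hasMethod($method) || !$ref->getMethod($method)->isPublic()) {
            $missing[] = $key;
        }
    }
    return $missing;
}

// Constructed sample policy (hypothetical; parameter lists are placeholders).
final class SampleFormPolicy
{
    public function schema_show(): bool { return true; }
    public function submission_submit_latest(): bool { return true; }
    public function resolve_validate_field_latest(): bool { return true; }
    // Typo ("validate_fields"), so resolve.validate_field_version has no match.
    public function resolve_validate_fields_version(): bool { return true; }
    public function management_responses_export(): bool { return false; }
}

$missing = uncoveredActions(ACTION_KEYS, SampleFormPolicy::class);
foreach ($missing as $key) {
    echo "no policy method for {$key} (expected " . policyMethodFor($key) . ")\n";
}
exit($missing === [] ? 0 : 1);
```

Run against a real policy class in CI, the non-zero exit status turns a misspelled or forgotten policy method into a failed build.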