# Submit an embed form

> Submit form-fill data for a `fill`-mode embed session. Authenticated by
> the embed session JWT (which must match the path `sessionId` and carry
> the `submitForm` permission). Validates against the template manifest,
> merges JWT prefill under user data, and enqueues a render. The returned
> `pollUrl` points at the embed-scoped render wrapper, not `/v1/renders/:id`.

## OpenAPI

````yaml /openapi.yaml post /v1/embed/form-submit/{sessionId}
openapi: 3.1.0
info:
  title: Craftkit API
  version: 1.0.0
  description: |
    The Craftkit public REST API. Design templates with typed variables, render
    PDFs asynchronously, share and track them, and send them out for digital
    signature.

    ## Authentication

    Most endpoints authenticate with a **project API key** as a bearer token:

    ```
    Authorization: Bearer ck_live_xxxxxxxxxxxxxxxx
    ```

    Keys come in `ck_live_` (production) and `ck_test_` (test) flavours. Embed
    iframe surfaces use a short-lived **embed session JWT** instead, and the
    admin provisioning endpoint uses the deployment-wide `CRAFTKIT_ADMIN_KEY`.
    Inbound webhooks (`/v1/hooks/*`) are not bearer-authed — they are verified by
    an HMAC signature header.

    ## Idempotency

    `POST /v1/templates/{slug}/render` and `POST /v1/signatures` accept an
    `Idempotency-Key` request header. Retrying with the same key returns the
    original resource instead of creating (and, for signatures, billing) a
    duplicate.

    ## Errors

    Application errors use a shared envelope:

    ```json
    { "error": { "code": "invalid_request", "message": "...", "issues": { } } }
    ```

    A small number of admin/embed endpoints return a flatter shape
    (`{ "error": "invalid_credentials" }`); those are documented inline.
servers:
  - url: https://api.craftkit.dev
    description: Production
security:
  - bearerApiKey: []
tags:
  - name: Templates
    description: Create, list, fetch, republish, delete templates and enqueue renders.
  - name: Renders
    description: Poll render status, download PDFs, manage shares, email, and engagement.
  - name: Signatures
    description: >-
      Send rendered PDFs out for digital signatures via the signature service
      and track status.
  - name: Webhooks
    description: Inbound webhook receivers (HMAC-authenticated, not bearer-authed).
  - name: Embed
    description: Embed session minting, catalogs, builder templates, form submission.
  - name: Admin
    description: Org provisioning (deployment admin key only).
  - name: System
    description: Health and status.
paths:
  /v1/embed/form-submit/{sessionId}:
    parameters:
      - $ref: '#/components/parameters/SessionId'
    post:
      tags:
        - Embed
      summary: Submit an embed form
      description: |
        Submit form-fill data for a `fill`-mode embed session. Authenticated by
        the embed session JWT (which must match the path `sessionId` and carry
        the `submitForm` permission). Validates against the template manifest,
        merges JWT prefill under user data, and enqueues a render. The returned
        `pollUrl` points at the embed-scoped render wrapper, not `/v1/renders/:id`.
      operationId: submitEmbedForm
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - data
              properties:
                data:
                  type: object
                  additionalProperties: true
                  description: Flat dot-keyed or nested variable values.
                datasetSelection:
                  type: object
                  additionalProperties:
                    type: string
            example:
              data:
                customer.name: Acme Corp
      responses:
        '202':
          description: Render queued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RenderEnvelope'
              example:
                id: 3f2a1b4c-5d6e-7f80-9a1b-2c3d4e5f6071
                status: queued
                pollUrl: >-
                  https://api.craftkit.dev/v1/embed/renders/3f2a1b4c-5d6e-7f80-9a1b-2c3d4e5f6071
                downloadUrl: null
                errorMessage: null
                createdAt: '2026-06-21T10:00:00.000Z'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          description: Session is not in fill mode, or lacks submitForm permission.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              examples:
                wrongMode:
                  value:
                    error:
                      code: wrong_mode
                      message: form-submit requires scope.mode="fill"
                permissionDenied:
                  value:
                    error:
                      code: permission_denied
                      message: submit_form permission required
        '404':
          description: Session/template mismatch, unresolved or unpublished template.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              example:
                error:
                  code: session_not_found
                  message: Session ID in path does not match the bearer token.
        '503':
          description: Render queue temporarily unavailable.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
      security:
        - embedSessionJwt: []
components:
  parameters:
    SessionId:
      name: sessionId
      in: path
      required: true
      description: The embed session id (must match the JWT subject).
      schema:
        type: string
        format: uuid
  schemas:
    RenderEnvelope:
      type: object
      description: Render shape returned by render/idempotent-replay and embed form-submit.
      required:
        - id
        - status
        - pollUrl
        - downloadUrl
        - errorMessage
        - createdAt
      properties:
        id:
          type: string
          format: uuid
        status:
          $ref: '#/components/schemas/RenderStatusEnum'
        pollUrl:
          type: string
          format: uri
        downloadUrl:
          type:
            - string
            - 'null'
          format: uri
        errorMessage:
          type:
            - string
            - 'null'
        createdAt:
          type: string
          format: date-time
    Error:
      type: object
      description: Shared application error envelope.
      required:
        - error
      properties:
        error:
          type: object
          required:
            - code
            - message
          properties:
            code:
              type: string
            message:
              type: string
            issues:
              description: Optional Zod flatten() / issues detail.
      example:
        error:
          code: invalid_request
          message: Request body did not match expected shape.
    RenderStatusEnum:
      type: string
      enum:
        - queued
        - rendering
        - succeeded
        - failed
        - cancelled
  responses:
    BadRequest:
      description: Invalid JSON or request shape.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            error:
              code: invalid_request
              message: Request body did not match expected shape.
    Unauthorized:
      description: Missing or invalid bearer token.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            error:
              code: unauthorized
              message: Missing Bearer token.
  securitySchemes:
    bearerApiKey:
      type: http
      scheme: bearer
      description: |
        Project API key (`ck_live_…` or `ck_test_…`) presented as a bearer token.
        For embed partner endpoints this is the partner secret key, which is the
        same credential type.
    embedSessionJwt:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: |
        Short-lived embed session JWT minted by `POST /v1/embed/sessions`. Used by
        the iframe form-submit / upload-image endpoints and accepted (alongside a
        partner key) by builder template creation.

````
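
An added example, not part of the Craftkit documentation or code base: client-side guards a partner integration could place around this endpoint, written for Node.js. It checks the session JWT's `sub` and `exp` claims against the path `sessionId` before submitting, validates a 202 body against `RenderEnvelope` before the JWT is sent to `pollUrl`, and maps both documented error shapes to one code. The function names, the return strings of `preflight`, and the `/v1/embed/renders/` prefix check (taken from the example response above) are assumptions.

```javascript
// Added example (Node.js): client-side guards for POST /v1/embed/form-submit/{sessionId}.
const API_ORIGIN = "https://api.craftkit.dev"; // from the spec's `servers` entry
const POLL_PREFIX = "/v1/embed/renders/";      // assumption: taken from the example 202 body
const STATUSES = ["queued", "rendering", "succeeded", "failed", "cancelled"];
const FIELDS = ["id", "status", "pollUrl", "downloadUrl", "errorMessage", "createdAt"];

// Decode (not verify) the JWT payload. Only the server can verify the signature;
// this is a local sanity check that avoids a request the API is documented to reject.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Returns "ok", "session_mismatch" (the case the API reports as session_not_found)
// or "expired". `sub` and `exp` are the registered JWT claims.
function preflight(jwt, sessionId, nowSec = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(jwt);
  if (claims.sub !== sessionId) return "session_mismatch";
  if (typeof claims.exp === "number" && claims.exp <= nowSec) return "expired";
  return "ok";
}

// Validate a 202 body against RenderEnvelope and return the URL that is safe to
// poll with the session JWT. Rejects off-origin URLs and the /v1/renders/:id path.
function checkRenderEnvelope(body) {
  for (const k of FIELDS) if (!(k in body)) throw new Error(`missing field: ${k}`);
  if (!STATUSES.includes(body.status)) throw new Error(`unknown status: ${body.status}`);
  const url = new URL(body.pollUrl); // also normalises "../" segments in the path
  if (url.origin !== API_ORIGIN) throw new Error("pollUrl is off-origin");
  if (!url.pathname.startsWith(POLL_PREFIX)) throw new Error("pollUrl is not embed-scoped");
  return url.href;
}

// Map both documented error shapes to a single code string.
function errorCode(body) {
  const e = body && body.error;
  if (typeof e === "string") return e;                // flat: { "error": "invalid_credentials" }
  if (e && typeof e.code === "string") return e.code; // envelope: { "error": { "code": ... } }
  return "unknown_error";
}
```

Because the embed session JWT is a bearer credential, the origin check in `checkRenderEnvelope` is what keeps it from being sent to a host other than the API.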