Resources/The Agent API Atlas/Forms/Google Forms

Everything an AI agent can do with the Google Forms API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints10
API versionv1
Last updated23 June 2026
Orientation

How the Google Forms API works.

The Google Forms API is how an app or AI agent works with a Google form: creating a form, adding and editing its questions in a single batch, reading the answers people submit, and setting whether the form is published. Access is granted through an OAuth 2.0 token and the scopes it carries, and an agent is limited to the forms that the authorizing user or service account can reach. It can also push a notification when a form changes or a response arrives, so an integration learns about activity without polling.

10Endpoints
3Capability groups
4Read
6Write
3Permissions
Authentication
Every call needs an OAuth 2.0 access token sent in the Authorization header. The token is obtained after a user grants the requested Forms scopes, or through a service account for unattended automation, which reaches a form only when the form has been shared with it or through domain-wide delegation. There is no unauthenticated access.
Permissions
Access is governed by OAuth scopes. The narrow Forms scopes are forms.body for reading and writing a form's structure, forms.body.readonly for reading it, and forms.responses.readonly for reading submitted responses; the Forms API has no separate write scope for responses, since responses are submitted by people, not the API. Broader Drive scopes (drive, drive.file, drive.readonly) also satisfy these calls, and drive grants access well beyond a single form, so the narrowest Forms scope that fits is the least-privilege choice.
Versioning
The API exposes a single version, v1, reached under the /v1 path. There is no dated version header and no parallel version to pin against. New capabilities, such as the publish settings added in 2025, arrive as additive changes announced in the release notes rather than as a new version string.
Data model
The API is organized around three resources under https://forms.googleapis.com. A form is created and edited through forms.create and forms.batchUpdate and read with forms.get, where a batch update carries an ordered list of operations like createItem, updateItem, moveItem, and deleteItem. Submitted answers are read through forms.responses.list and forms.responses.get. Watches push schema and response notifications to a Cloud Pub/Sub topic. The surface is small and deliberately scoped to building forms and reading their answers.
Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Google Forms determines what it can reach. The route for making calls is governed by an OAuth token and the scopes it carries, and a separate route can push event notifications to a Cloud Pub/Sub topic the agent watches.

Ways to connect

REST API

The REST API answers at https://forms.googleapis.com under the v1 path. It covers creating and editing forms, reading responses, and managing watches, and authenticates with an OAuth 2.0 access token.

Best forConnecting an app or AI agent to Google Forms.
Governed byThe OAuth token and the scopes it carries.
Docs ↗

Push notifications (Cloud Pub/Sub watches)

A watch pushes a notification to a Cloud Pub/Sub topic when a form's schema changes or a response is submitted, so an agent learns about activity without polling. The notification carries identifiers, and the form or response is then read through the REST API.

Best forReacting to new responses or form edits without polling.
Governed byThe OAuth token and scopes, plus the project's permission to publish to the Pub/Sub topic.
Docs ↗
Authentication

OAuth 2.0 (user authorization)

An app or AI agent obtains an OAuth 2.0 access token after a user grants the requested Forms scopes, and acts within what that user can reach. The narrow scopes, such as forms.body.readonly and forms.responses.readonly, allow least-privilege access.

TokenOAuth 2.0 access token
Best forActing on a specific user's forms
Docs ↗

Service account

A service account is a non-human Google identity that authenticates on its own, suited to server-side automation. It reaches a form when that form has been shared with the service account, or through domain-wide delegation in Google Workspace.

TokenOAuth 2.0 access token (service account)
Best forUnattended server-side automation
Docs ↗
Capability map

What an AI agent can do in Google Forms.

The Google Forms API is split into three areas an agent can act on: the form itself, the responses people submit, and watches that push change notifications. Each area has its own methods and its own scopes, and writes here change a real form or the events it pushes.

Endpoint reference

Every Google Forms API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

MethodEndpointWhat it doesAccessPermissionVersion

Forms

Create a form, read a form's structure and settings, change it with a batch of updates that add, move, edit, or delete items, and set whether it is published.4

Requires one of https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/drive.file, or https://www.googleapis.com/auth/forms.body. From 30 June 2026 a form created through the API starts unpublished and needs setPublishSettings before it can take responses.

Acts onform
Permission (capability)forms.body
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitWrite request, 375 per minute per project and 150 per minute per user.
SourceOfficial documentation ↗

Requires one of https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/drive.file, https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/forms.body, or https://www.googleapis.com/auth/forms.body.readonly. The readonly scope reads the structure without granting any write.

Acts onform
Permission (capability)forms.body.readonly
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitRead request, 975 per minute per project and 390 per minute per user.
SourceOfficial documentation ↗

Requires one of https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/drive.file, or https://www.googleapis.com/auth/forms.body. Each request carries a list of write operations, such as createItem, moveItem, updateItem, deleteItem, updateFormInfo, and updateSettings, applied in order.

Acts onform
Permission (capability)forms.body
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitWrite request, 375 per minute per project and 150 per minute per user.
SourceOfficial documentation ↗

Requires one of https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/drive.file, or https://www.googleapis.com/auth/forms.body. Legacy forms without a publishSettings field are not supported.

Acts onform
Permission (capability)forms.body
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitWrite request, 375 per minute per project and 150 per minute per user.
SourceOfficial documentation ↗

Responses

List the responses people have submitted to a form, and read a single response by its id.2

Requires one of https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/drive.file, or https://www.googleapis.com/auth/forms.responses.readonly. Returns the answers people submitted, which can include personal data.

Acts onresponse
Permission (capability)forms.responses.readonly
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitExpensive read request, 450 per minute per project and 180 per minute per user.
SourceOfficial documentation ↗

Requires one of https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/drive.file, or https://www.googleapis.com/auth/forms.responses.readonly. Returns one person's submitted answers, which can include personal data.

Acts onresponse
Permission (capability)forms.responses.readonly
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitRead request, 975 per minute per project and 390 per minute per user.
SourceOfficial documentation ↗

Watches

Create a watch that pushes change or response notifications to a Cloud Pub/Sub topic, list the watches a project owns on a form, renew one for another seven days, and delete one.4

Requires one of https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/drive.file, https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/forms.body, https://www.googleapis.com/auth/forms.body.readonly, or https://www.googleapis.com/auth/forms.responses.readonly. The watch eventType is SCHEMA or RESPONSES, and the calling project must be able to publish to the named Pub/Sub topic.

Acts onwatch
Permission (capability)forms.body.readonly
VersionAvailable since the API’s base version
Webhook eventschema
Rate limitWrite request, 375 per minute per project and 150 per minute per user.
SourceOfficial documentation ↗

Requires one of https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/drive.file, https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/forms.body, https://www.googleapis.com/auth/forms.body.readonly, or https://www.googleapis.com/auth/forms.responses.readonly.

Acts onwatch
Permission (capability)forms.body.readonly
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitRead request, 975 per minute per project and 390 per minute per user.
SourceOfficial documentation ↗

Requires one of https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/drive.file, https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/forms.body, https://www.googleapis.com/auth/forms.body.readonly, or https://www.googleapis.com/auth/forms.responses.readonly. A watch expires seven days after creation unless renewed.

Acts onwatch
Permission (capability)forms.body.readonly
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitWrite request, 375 per minute per project and 150 per minute per user.
SourceOfficial documentation ↗

Requires one of https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/drive.file, https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/forms.body, https://www.googleapis.com/auth/forms.body.readonly, or https://www.googleapis.com/auth/forms.responses.readonly.

Acts onwatch
Permission (capability)forms.body.readonly
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitWrite request, 375 per minute per project and 150 per minute per user.
SourceOfficial documentation ↗
No endpoints match those filters.
Webhooks

Webhook events.

Google Forms can notify an app or AI agent when a form's content changes or a new response arrives, instead of the app repeatedly asking. It delivers each notification to a Cloud Pub/Sub topic that a watch has been registered against, and the notification carries identifiers rather than the form or response data itself.

EventWhat it signalsTriggered by
SCHEMAFires when a form's content or settings are edited, such as items being added, changed, or removed./v1/forms/{formId}/watches
RESPONSESFires when a form response is submitted, covering both new and updated responses./v1/forms/{formId}/watches
No events match that search.
Rate limits & pagination

Rate limits, pagination & request size.

Google Forms limits how fast an app or AI agent can call, through per-minute request quotas counted both per project and per user, with reads, response listing, and writes each holding their own ceiling.

Request rate

Google Forms counts requests per minute against two ceilings at once, a per-project ceiling and a per-user-per-project ceiling, and sorts methods into three buckets. Ordinary read requests, such as getting a form or a single response, allow 975 per minute per project and 390 per minute per user. Listing a form's responses is treated as an expensive read at 450 per minute per project and 180 per minute per user. Write requests, such as creating a form, batch updates, setting publish settings, and managing watches, allow 375 per minute per project and 150 per minute per user. Daily totals are unlimited, and exceeding a per-minute ceiling returns 429: Too many requests, which should be retried with exponential backoff.

Pagination

Listing responses uses page-based paging through the pageSize and pageToken query parameters. A response carries a nextPageToken when more results exist, and that token is passed as pageToken on the next request until it is absent. When pageSize is not set, the list returns up to 5000 responses.

Request size

Requests and responses are JSON. A watch pushes a small notification carrying the form id, watch id, and event type rather than the form or response content, and each watch receives at most one notification every thirty seconds, so a single notification can represent several events.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

StatusCodeMeaningWhat to do
400INVALID_ARGUMENTThe request is malformed, such as an invalid field, an unsupported batch operation, or a bad page token.Correct the named field or parameter and resend the request.
401UNAUTHENTICATEDThe OAuth access token is missing, invalid, or expired.Refresh or re-obtain the access token, then send it in the Authorization header.
403PERMISSION_DENIEDThe token is valid but lacks the scope for this call, or the user cannot reach the form, or a quota was exceeded.Grant the required scope, confirm the user has access to the form, or wait for the quota to reset.
404NOT_FOUNDThe form, response, or watch does not exist, or the caller cannot see it.Confirm the id is correct and the caller has access to the resource.
429RESOURCE_EXHAUSTEDA per-minute request quota was exceeded, returned as 429: Too many requests.Slow the request rate and retry with exponential backoff.
500INTERNALAn unexpected error occurred on Google's side.Retry with exponential backoff, and report it if it persists.
Versioning & freshness

Version history.

Google Forms exposes a single version of its API, v1. New capabilities ship as dated entries in the release notes rather than as a new version string.

Version history

What changed, and when

Latest versionv1
v1Current version
Publish settings and a new default for API-created forms

The Google Forms API exposes a single version, v1, and gains capabilities as additive changes rather than new versions. On 8 April 2025 it gained publish settings, letting the API publish a form and use Drive permissions to control who can respond. From 30 June 2026, a form created through the API starts in an unpublished state and must be published explicitly with setPublishSettings, a change from the earlier published-by-default behavior.

What changed
  • 30 June 2026: forms created through the API start unpublished and must be published with setPublishSettings
  • 8 April 2025: setPublishSettings added to publish forms, paired with Drive permissions for controlling who can respond
GA
General availability

The Google Forms API became generally available on 17 March 2022, opening programmatic creation and editing of forms and reading of responses to all developers.

What changed
  • 17 March 2022: the Google Forms API became generally available

There is one version to build against, and additive changes arrive without a version bump.

Google Forms API release notes ↗
Questions

Google Forms API, answered.

Can the API submit a response to a form?+
No. The Google Forms API can create and edit a form and read the responses people have submitted, but it cannot submit a response on someone's behalf. There is no endpoint that writes a response and no write scope for responses, which is why forms.responses.readonly is the only response scope. Responses are submitted by people filling in the form.
Which scope should an agent ask for?+
Ask for the narrowest scope that fits the job. To read a form's structure use forms.body.readonly; to create or edit a form use forms.body; to read submitted answers use forms.responses.readonly. The broader Drive scopes also satisfy these calls, but the drive scope reaches far beyond a single form, so a Forms scope is the safer choice unless Drive-level access is genuinely needed.
How does an agent learn about new responses without polling?+
By registering a watch through forms.watches.create with eventType RESPONSES, which pushes a notification to a Cloud Pub/Sub topic when a response is submitted. The notification carries identifiers, not the response data, so the agent then calls forms.responses.get or forms.responses.list to read the answers. A watch with eventType SCHEMA does the same for edits to the form.
How long does a watch last?+
A watch expires seven days after it is created. To keep receiving notifications, call forms.watches.renew before it expires, which extends it for another seven days. Each form allows up to 50 watches per event type across all projects, a project may create up to 20 watches on a form, and a watch receives at most one notification every thirty seconds.
What are the rate limits?+
Requests are limited per minute against both a per-project and a per-user ceiling. Ordinary reads allow 975 per minute per project and 390 per minute per user, listing responses allows 450 and 180, and writes allow 375 and 150. Daily totals are unlimited. Exceeding a per-minute ceiling returns 429: Too many requests, which should be retried with exponential backoff.
Why might a form created through the API not accept responses?+
From 30 June 2026, a form created through the API starts in an unpublished state and will not accept responses until it is published. Call forms.setPublishSettings to publish it. This is a behavior change, before that date API-created forms were published by default.
Related

More forms API guides for agents

SurveyMonkey

36 endpoints
View guide

Tally

34 endpoints
View guide

Jotform

29 endpoints
View guide

Formstack

25 endpoints
View guide

Typeform

24 endpoints
View guide
What is Bollard AI?

Control what every AI agent can do in Google Forms.

Bollard AI sits between a team's AI agents and Google Forms. Grant each agent exactly the access it needs, read or write, resource by resource, and every call is checked and logged.

  • Set read, write, or full access per agent, never a shared Google account.
  • Denied by default, so an agent reaches only what has been explicitly allowed.
  • Every call recorded in plain English: who, what, where, and the decision.
Control Google Forms access in BollardBrowse all APIs
Google Forms
Survey Agent
Read responses ResourceOffReadFull use
Edit form items ActionOffReadFull use
Create forms ActionOffReadFull use
Per-agent access, set in Bollard AI, not in Google Forms