REST API

Lesson 23 of 25 2 min read
  • JNext lesson
  • KPrevious lesson
  • FSearch lessons
  • EscClear search

The Core Forms REST API is small and honest about its job: it exposes form data for the Gutenberg block’s form selector. It isn’t a full CRUD surface for submissions, and that’s deliberate. Form data flows through the form endpoint; everything else stays behind admin capability checks.

Endpoint

GET /wp-json/cf/forms

Returns a list of all forms.

Authentication: Requires the edit_forms capability. Only authenticated users with this capability can access this endpoint.

Response:

[
    {
        "ID": 123,
        "title": "Contact Form",
        "slug": "contact-form"
    },
    {
        "ID": 456,
        "title": "Newsletter Signup",
        "slug": "newsletter-signup"
    }
]

Each object in the array contains:

  • ID (int) – The form post ID.
  • title (string) – The form title.
  • slug (string) – The form slug.

AJAX Endpoints

Form submission and most admin operations use WordPress AJAX rather than the REST API.

Form Submission

Action: cf_form_submit
URL: admin-ajax.php
Method: POST
Authentication: Works for both authenticated and unauthenticated users (registered on both wp_ajax_ and wp_ajax_nopriv_ hooks).

Request body:

  • action = cf_form_submit
  • _cf_form_id – The form ID
  • _cf_h{ID} – Honeypot field (must be empty)
  • _wpnonce – WordPress nonce (only if nonce verification is enabled)
  • All form field values

Success response:

{
    "message": {
        "type": "success",
        "text": "Thank you! We will be in touch soon."
    },
    "hide_form": false,
    "redirect_url": "https://example.com/thank-you/"
}

The hide_form boolean indicates whether the form should be hidden after success. The redirect_url is only present if a redirect URL is configured.

Error response:

{
    "message": {
        "type": "error",
        "text": "Please fill in the required fields."
    }
}

Spam response:

Spam submissions receive a success response (to trick bots):

{
    "message": {
        "type": "success",
        "text": "Thank you! We will be in touch soon."
    },
    "hide_form": false
}

Admin Actions

Admin operations use the cf_admin_action AJAX action. These require the edit_forms capability and are used for operations like saving forms, deleting submissions, and other admin tasks.

JavaScript Events

The form submission JavaScript dispatches custom events on the form element that you can listen for:

  • cf-submit – Fired when the form is about to be submitted.
  • cf-submitted – Fired after the AJAX request completes (success or error).
  • cf-success – Fired on successful submission.
  • cf-error – Fired on validation error.
  • cf-message – Fired when a message is displayed.
var form = document.querySelector('.cf-form-123');

form.addEventListener('cf-success', function(e) {
    console.log('Form submitted successfully');
});

form.addEventListener('cf-error', function(e) {
    console.log('Form submission failed');
});

Localized Script Variables

The core-forms JavaScript receives configuration via wp_localize_script:

// Available as cf_js_vars
{
    ajax_url: "https://example.com/wp-admin/admin-ajax.php"
}

For programmatic access beyond this endpoint, use the PHP functions server-side. The hooks reference covers extending what the API returns.