I get a mixed message from your website, documentation, pricing, and examples. The added value of your service is not clear after reviewing your product.
On the Pricing page, I find a lifetime option that grants me access to an admin page of the self-hosted service I bought from you. I wonder why I don't get access to said admin-page when I'm a monthly paying customer (Startup), especially as you do not list any support option for the 'Developer' and 'Startup' package.
It looks like I have to use your clients, but they are just kick-starter projects or examples. The API is documented, and I can even use Postman to query your service. So I can write my own client software. I would rephrase the website; otherwise, it looks like I must get a server to host your clients.
All requests must contain an access_token, but for how long is each token valid? How is each token validated? How can I invalidate tokens? Can I bring my token?
I can create users, but nowhere on your page or the code examples can I find how your service protects sensitive data such as user passwords, emails, forms, and documents. Nor is it stated which data-protection law or data-privacy law you are complying with. Can I use your service for my EU business (GDPR)? Can I use your service for my US-California business (CCPA)? How is your service dealing with user account deletion requests as they are defined in law (GDPR)?
I found in the API only the possibility to delete users but not their contents, which the user has created/saved. But according to the law, I have to delete the contents as well. I thought I had to write such a service, but I feel it's impossible when looking at the API — or it's merely not described if, for example, the files API lists only the files the user has uploaded. Maybe just a documentation issue or a real problem.
The authentication part is practically not usable, as I don't know how passwords are protected. Your service operates via HTTPS, but I can't be sure that not even you or your administrators can see or decipher the passwords. Are you using salts to hash passwords? How can I get access to the salt to send you only hashed passwords, not plain text passwords? Forms must also be protected, as forms can contain sensitive data.
If I need to care about storing the salt used for hashing the password and then send you the hashed passwords, I have won nothing. Not only can some of your admins still pick up the hashed passwords, but I also have a useless storage system that costs maintenance.
I suggest you kick the password thingy from your API and use passwordless authentication, for example FIDO, or implement an email-based authentication like the one Hashnode uses.
Practically, I have to try to break all your API endpoints to learn about all possible error responses to prepare my software.
Use either plural or singular.
The file/image exists before I can upload it to your service.
Other endpoints use submit or send.
$30/mo is too much, I feel. Not only is it unsafe to use for businesses in the EU and US-California, I also need to create an admin interface and implement my password storage, as yours shouldn't be used in production.