Form backend API: receive form submissions without a server
A form backend API eliminates the need for server-side code to handle form submissions. Instead of writing PHP scripts, Node.js routes, or serverless functions, you point your HTML form at a hosted endpoint that receives, validates, and delivers the data.
This guide explains how form backend APIs work and how to integrate them with any website or application.
How a form backend API works
The flow is simple:
- Your HTML form has an action attribute pointing to the form backend URL
- The form includes a public access key to identify your form
- When submitted, the browser sends a POST request to the endpoint
- The service validates the data, runs spam checks, and delivers the submission
```
Browser → POST /submit → Form Backend → Email / Webhook / Sheets / Slack
```
Basic integration
Standard HTML form
```html
<form action="https://api.formsfort.com/submit" method="POST">
  <input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />
  <input type="email" name="email" required />
  <textarea name="message" required></textarea>
  <button type="submit">Send</button>
</form>
```
The browser handles everything. No JavaScript required.
AJAX submission
For single-page applications or smoother UX:
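```javascript
// The form element must contain the hidden access_key input,
// because FormData serializes every named field in the form.
const formElement = document.querySelector("form");

const response = await fetch("https://api.formsfort.com/submit", {
  method: "POST",
  body: new FormData(formElement),
});

if (response.ok) {
  console.log("Submission received");
}
```
JSON submission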
For API-first applications:
```javascript
const response = await fetch("https://api.formsfort.com/submit", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    access_key: "YOUR_ACCESS_KEY",
    message: "Hello from JSON",
  }),
});
```
Request format
Content types
Form backend APIs typically accept:
| Content-Type | Use case |
|---|---|
| multipart/form-data | Standard HTML forms, file uploads |
| application/x-www-form-urlencoded | URL-encoded form data |
| application/json | AJAX and API clients |
Required fields
| Field | Purpose |
|---|---|
| access_key | Identifies your form (required) |
All other fields are your form data. Name them whatever you need.
Special fields
Many form backends recognize special field names for configuration:
| Field | Purpose |
|---|---|
| _redirect | URL to redirect to after successful submission |
| _subject | Custom email subject line |
| _replyto | Set the reply-to email address |
| botcheck | Honeypot field for spam detection |
Response format
Success response
```json
{
  "success": true,
  "requestId": "req_abc123",
  "message": "Submission received"
}
```
The requestId is useful for debugging delivery issues. Include it when contacting support.
Error response
```json
{
  "success": false,
  "message": "Invalid access key",
  "code": "INVALID_ACCESS_KEY"
}
```
Common error codes:
| Code | Meaning |
|---|---|
| INVALID_ACCESS_KEY | The access key is missing or incorrect |
| DOMAIN_NOT_ALLOWED | The submission origin is not in your allowed domains |
| RATE_LIMITED | Too many submissions from this IP |
| SPAM_DETECTED | The submission was flagged as spam |
| FILE_TOO_LARGE | An uploaded file exceeds the size limit |
| INVALID_FILE_TYPE | An uploaded file has a disallowed MIME type |
Security model
Public access keys
The access key is intentionally public. It goes in your HTML source code where anyone can see it. Security is not based on key secrecy but on:
- Domain restriction: Only accept submissions from your website
- Rate limiting: Prevent abuse from a single IP
- Spam detection: Honeypot, CAPTCHA, content filtering
- Field validation: Server-side type and length checks
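How these four controls can combine on the server, as an added example that is not FormsFort's implementation. The makeGate function, its configuration shape and the INVALID_FIELD code are assumptions; the other codes are the ones this guide lists.

```javascript
// Added example: a hypothetical server-side gate, not FormsFort's own code.
// Error codes come from this guide except INVALID_FIELD, which is assumed.
const WINDOW_MS = 60_000;

function makeGate({ forms, maxPerWindow }) {
  const hits = new Map(); // client IP -> timestamps of counted submissions

  return function check({ ip, origin, fields }, now = Date.now()) {
    // 1. Rate limiting: sliding one-minute window per IP, applied first so
    //    that rejected submissions are throttled as well.
    const recent = (hits.get(ip) || []).filter((t) => now - t < WINDOW_MS);
    hits.set(ip, recent);
    if (recent.length >= maxPerWindow) return "RATE_LIMITED";
    recent.push(now);

    // 2. The public key only selects a form configuration. A Map lookup
    //    avoids matching inherited object keys such as "constructor".
    const form = forms.get(fields.access_key);
    if (!form) return "INVALID_ACCESS_KEY";

    // 3. Domain restriction: exact match on the parsed origin, never a
    //    substring test. Browsers set Origin themselves, but other HTTP
    //    clients can send any value, so this is one control among several.
    let parsed;
    try { parsed = new URL(origin); } catch { return "DOMAIN_NOT_ALLOWED"; }
    if (!form.allowedOrigins.includes(parsed.origin)) return "DOMAIN_NOT_ALLOWED";

    // 4. Honeypot: people never see the field, so any value marks a bot.
    if (fields.botcheck) return "SPAM_DETECTED";

    // 5. Field validation: type and length, enforced server-side.
    for (const [name, max] of Object.entries(form.maxLengths)) {
      const v = fields[name];
      if (typeof v !== "string" || v.length === 0 || v.length > max) return "INVALID_FIELD";
    }
    return null; // accepted
  };
}

// Constructed sample configuration and submission.
const demoGate = makeGate({
  forms: new Map([["pk_demo", { allowedOrigins: ["https://yoursite.com"], maxLengths: { message: 2000 } }]]),
  maxPerWindow: 5,
});
const demoVerdict = demoGate({
  ip: "198.51.100.7",
  origin: "https://yoursite.com",
  fields: { access_key: "pk_demo", message: "Hello", botcheck: "" },
});
console.log(demoVerdict ?? "accepted");
```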
What to never include in frontend code
- API secrets or admin tokens
- OAuth tokens
- CAPTCHA secret keys
- Database credentials
- Private keys
These belong on a server, never in browser-accessible code.
CORS configuration
Form backend APIs set CORS headers to allow browser submissions. The Access-Control-Allow-Origin header is typically set to * (all origins) or restricted to your configured domains.
If you see CORS errors in the browser console:
- Check that your domain is in the allowed domains list
- Ensure the form backend URL is correct (including https://)
- Check for browser extensions that block cross-origin requests
Webhook forwarding
Configure your form backend to forward submissions to your own endpoints:
```
POST https://your-server.com/webhook

{
  "name": "Ada Lovelace",
  "message": "Hello",
  "_metadata": {
    "requestId": "req_abc123",
    "submittedAt": "2026-05-28T14:32:00Z",
    "origin": "https://yoursite.com"
  }
}
```
Webhooks enable real-time integrations with CRMs, project management tools, custom databases, and automation platforms.
File uploads
For multipart submissions with files:
```html
<form action="https://api.formsfort.com/submit" method="POST" enctype="multipart/form-data">
  <input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />
  <input type="file" name="attachment" accept=".pdf,.png,.jpg" />
  <button type="submit">Upload</button>
</form>
```
The form backend:
- Validates the MIME type against allowed types
- Checks the file size against configured limits
- Scans the file for malware
- Stores the file and includes a download link in the delivery
Rate limiting
Form backends enforce rate limits to prevent abuse:
| Tier | Typical limit |
|---|---|
| Free | 5-10 submissions per minute per IP |
| Paid | 30-60 submissions per minute per IP |
When rate limited, the API returns a 429 Too Many Requests response. Implement retry logic with exponential backoff in AJAX handlers.
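Retry logic for the 429 case, as an added example that is not FormsFort's code. It assumes the service may send a numeric Retry-After header, which this guide does not state; fetchFn, sleepFn and rand are hypothetical injection points so the logic can be exercised offline.

```javascript
// Added example: retry wrapper for the AJAX submission shown in this guide.

// Delay before retry number `attempt` (0-based). A numeric Retry-After value
// (seconds) takes precedence; otherwise the delay doubles per attempt up to
// capMs, with jitter so that many clients do not retry in lockstep.
function backoffDelayMs(attempt, retryAfter, { baseMs = 500, capMs = 30_000, rand = Math.random } = {}) {
  const hinted = Number.parseInt(retryAfter, 10);
  if (Number.isFinite(hinted) && hinted >= 0) return Math.min(hinted * 1000, capMs);
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(ceiling / 2 + rand() * (ceiling / 2));
}

async function submitWithRetry(url, body, opts = {}) {
  const {
    maxRetries = 4,
    fetchFn = globalThis.fetch,
    sleepFn = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  } = opts;

  for (let attempt = 0; ; attempt++) {
    const res = await fetchFn(url, { method: "POST", body });

    // Only 429 is retried. Codes such as INVALID_ACCESS_KEY or SPAM_DETECTED
    // will not succeed on a second try, so they go straight to the caller.
    if (res.status !== 429 || attempt >= maxRetries) {
      const data = await res.json().catch(() => ({}));
      return { ok: res.ok, status: res.status, code: data.code ?? null, attempts: attempt + 1 };
    }
    await sleepFn(backoffDelayMs(attempt, res.headers.get("Retry-After"), opts));
  }
}
```

Call it as `submitWithRetry("https://api.formsfort.com/submit", new FormData(formElement))` and branch on the returned `code` to show the user a meaningful message.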
Testing your integration
Test with curl
```bash
curl -X POST https://api.formsfort.com/submit \
  -F "access_key=YOUR_ACCESS_KEY" \
  -F "message=Testing from curl"
```
Test with a form endpoint tester
Use the FormsFort Form Endpoint Tester to submit test data from the browser and inspect the response.
Verify delivery
After submitting, check:
- Email inbox (including spam folder)
- Webhook endpoint logs
- Google Sheets for new rows
- Slack/Discord/Telegram for notifications
- Form backend delivery logs for the request ID
Summary
A form backend API receives HTML form submissions via HTTP POST, validates the data, runs spam checks, and delivers the submission to email, webhooks, spreadsheets, or messaging platforms. Integration requires only setting the form action to the endpoint URL and including a public access key. It works with any framework, any static site generator, and any HTTP client. No server-side code required.
Frequently asked questions
What is a form backend API?
A form backend API is a hosted endpoint that receives HTML form submissions via HTTP POST, processes spam checks, and delivers the data to email, webhooks, spreadsheets, or messaging platforms. It replaces the need for server-side form handling code.
How does a form backend API work?
You set your HTML form action attribute to the form backend URL and include a public access key. When the form is submitted, the browser sends a POST request to the endpoint. The service validates the data, runs spam checks, and forwards the submission to your configured destinations.
Can I submit JSON to a form backend API?
Yes. Most form backend APIs accept both multipart/form-data (standard HTML forms) and application/json (AJAX requests). Include the access key in the request body or as a header.
Is a form backend API secure?
Yes. The access key is public by design (it goes in browser HTML). Security is enforced through domain restrictions, rate limiting, honeypot checks, CAPTCHA verification, and server-side validation. Never embed API secrets or admin tokens in frontend code.
Can I use a form backend API with any framework?
Yes. Form backend APIs work with any framework that can produce HTTP POST requests: Astro, Next.js, Hugo, 11ty, React, Vue, Svelte, plain HTML, or any HTTP client.