API Reference
FormsFort public submit API reference for access-key submissions, path submissions, request fields, response codes, JSON responses, and redirect behavior.
API Reference
Submit from static sites with one public endpoint. The public API is FormsFort for browser form posts and JavaScript submissions, with production gates for paid/manual features.
Endpoints
Access key endpoint
Use this when your form can include a hidden public access key field.
POST https://api.formsfort.com/submitPath endpoint
Use this when the builder or framework cannot preserve hidden access_key fields.
POST https://api.formsfort.com/submit/YOUR_ACCESS_KEYRequest formats
Content-Type: application/json
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data
Accept: application/json
X-Requested-With: XMLHttpRequestJavaScript requests should send Accept: application/json. Browser fetch FormData requests can still receive JSON through Fetch Metadata. Plain HTML requests redirect after success or validation failure. Form redirect defaults apply when no redirect field is supplied. GET /submit/error serves the hosted failure status page.
Reserved request fields
| Name | Type | Description |
|---|---|---|
access_key | string | Required for POST /submit. Public form key. Legacy apikey is also accepted. |
email | string | Submitter email. Used as reply-to when the form reply-to mode allows it. |
subject | string | Notification subject override. Blank values are ignored. |
from_name | string | Notification sender display-name override. New forms default to Notifications. |
ccemail | string | Paid/manual CC recipients. Comma or semicolon separated. |
replyto | string | Explicit per-submit reply-to override. |
redirect | URL | Per-submit success redirect for non-JavaScript form posts. Cross-domain redirects require a paid/manual entitlement. |
botcheck | boolean/string | Hidden honeypot field. Filled values reject as spam; false-like JSON values are accepted. |
attachment | file | Paid/manual file field for multipart forms. Other named file fields are also accepted. |
webhook | URL | Paid/manual per-submit webhook URL for queued JSON POST delivery. |
g-recaptcha-response | string | Google reCAPTCHA v2 token. |
recaptcha_response | string | Google reCAPTCHA v3 token. |
h-captcha-response | string | hCaptcha token. |
cf-turnstile-response | string | Cloudflare Turnstile token. |
Success response
{
"success": true,
"message": "Email sent successfully!",
"requestId": "req-id",
"deliveryId": "email-delivery-id",
"autoresponderDeliveryId": "optional-autoresponder-id",
"webhookDeliveryIds": ["optional-webhook-id"],
"notificationDeliveryIds": ["optional-slack-discord-telegram-id"],
"googleSheetsDeliveryId": "optional-google-sheets-id",
"body": {
"data": {
"name": "Ada",
"email": "[email protected]",
"message": "Hello"
},
"message": "Email sent successfully!"
}
}Error response
{
"success": false,
"message": "Recipient email is not verified. Open the recipient verification email or click Send verify in the dashboard before accepting submissions.",
"requestId": "req-id",
"body": {
"data": {
"name": "Ada",
"email": "[email protected]"
},
"message": "Recipient email is not verified. Open the recipient verification email or click Send verify in the dashboard before accepting submissions."
}
}Validation failures include structured field errors:
{
"success": false,
"message": "Submission validation failed.",
"requestId": "req-id",
"errors": [
{
"field": "email",
"rule": "email",
"message": "email must be a valid email address."
}
]
}Response codes
| Code | Description |
|---|---|
200 | Accepted JSON submission. Email and integration work has been queued. |
303 | Plain HTML submission redirecting to hosted success, hosted validation error, the form redirect default, or a validated per-submit redirect URL. |
400 | JSON client error such as missing access key, unverified recipient, invalid redirect, spam, captcha, upload, or feature gate. |
429 | Rate limit or monthly quota rejection. Per-IP limits may include Retry-After. |
500 | Non-leaky server error with requestId for support correlation. |
Server-side submissions
Browser submissions are the default trust model. Server-side submissions, including requests without Origin or Referer, require a paid/manual entitlement and an exact sender IP safelist on the form.
Form validation settings
Dashboard and API form settings can include validation.fields:
{
"validation": {
"fields": [
{ "field": "name", "required": true, "minLength": 2, "maxLength": 80 },
{ "field": "email", "required": true, "type": "email" },
{ "field": "website", "type": "url" },
{ "field": "budget", "type": "number" },
{ "field": "projectCode", "regex": "^FF-[0-9]+$" },
{
"field": "resume",
"file": {
"required": true,
"allowedMimeTypes": ["application/pdf"]
}
}
]
}
}Text rules validate submitted custom fields before delivery is queued. Regex rules must fit FormsFort's safe JavaScript subset: no groups, alternation, backreferences, lookarounds, or wildcard repetition. File rules run only when uploads are enabled for the form and apply to attachments submitted under the matching field name.