FormsFort

API Reference

FormsFort public submit API reference for access-key submissions, path submissions, request fields, response codes, JSON responses, and redirect behavior.

API Reference

Submit from static sites with one public endpoint. The public API is FormsFort for browser form posts and JavaScript submissions, with production gates for paid/manual features.

Endpoints

Access key endpoint

Use this when your form can include a hidden public access key field.

POST https://api.formsfort.com/submit

Path endpoint

Use this when the builder or framework cannot preserve hidden access_key fields.

POST https://api.formsfort.com/submit/YOUR_ACCESS_KEY

Request formats

Content-Type: application/json
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data
Accept: application/json
X-Requested-With: XMLHttpRequest

JavaScript requests should send Accept: application/json. Browser fetch FormData requests can still receive JSON through Fetch Metadata. Plain HTML requests redirect after success or validation failure. Form redirect defaults apply when no redirect field is supplied. GET /submit/error serves the hosted failure status page.

Reserved request fields

NameTypeDescription
access_keystringRequired for POST /submit. Public form key. Legacy apikey is also accepted.
emailstringSubmitter email. Used as reply-to when the form reply-to mode allows it.
subjectstringNotification subject override. Blank values are ignored.
from_namestringNotification sender display-name override. New forms default to Notifications.
ccemailstringPaid/manual CC recipients. Comma or semicolon separated.
replytostringExplicit per-submit reply-to override.
redirectURLPer-submit success redirect for non-JavaScript form posts. Cross-domain redirects require a paid/manual entitlement.
botcheckboolean/stringHidden honeypot field. Filled values reject as spam; false-like JSON values are accepted.
attachmentfilePaid/manual file field for multipart forms. Other named file fields are also accepted.
webhookURLPaid/manual per-submit webhook URL for queued JSON POST delivery.
g-recaptcha-responsestringGoogle reCAPTCHA v2 token.
recaptcha_responsestringGoogle reCAPTCHA v3 token.
h-captcha-responsestringhCaptcha token.
cf-turnstile-responsestringCloudflare Turnstile token.

Success response

{
  "success": true,
  "message": "Email sent successfully!",
  "requestId": "req-id",
  "deliveryId": "email-delivery-id",
  "autoresponderDeliveryId": "optional-autoresponder-id",
  "webhookDeliveryIds": ["optional-webhook-id"],
  "notificationDeliveryIds": ["optional-slack-discord-telegram-id"],
  "googleSheetsDeliveryId": "optional-google-sheets-id",
  "body": {
    "data": {
      "name": "Ada",
      "email": "[email protected]",
      "message": "Hello"
    },
    "message": "Email sent successfully!"
  }
}

Error response

{
  "success": false,
  "message": "Recipient email is not verified. Open the recipient verification email or click Send verify in the dashboard before accepting submissions.",
  "requestId": "req-id",
  "body": {
    "data": {
      "name": "Ada",
      "email": "[email protected]"
    },
    "message": "Recipient email is not verified. Open the recipient verification email or click Send verify in the dashboard before accepting submissions."
  }
}

Validation failures include structured field errors:

{
  "success": false,
  "message": "Submission validation failed.",
  "requestId": "req-id",
  "errors": [
    {
      "field": "email",
      "rule": "email",
      "message": "email must be a valid email address."
    }
  ]
}

Response codes

CodeDescription
200Accepted JSON submission. Email and integration work has been queued.
303Plain HTML submission redirecting to hosted success, hosted validation error, the form redirect default, or a validated per-submit redirect URL.
400JSON client error such as missing access key, unverified recipient, invalid redirect, spam, captcha, upload, or feature gate.
429Rate limit or monthly quota rejection. Per-IP limits may include Retry-After.
500Non-leaky server error with requestId for support correlation.

Server-side submissions

Browser submissions are the default trust model. Server-side submissions, including requests without Origin or Referer, require a paid/manual entitlement and an exact sender IP safelist on the form.

Form validation settings

Dashboard and API form settings can include validation.fields:

{
  "validation": {
    "fields": [
      { "field": "name", "required": true, "minLength": 2, "maxLength": 80 },
      { "field": "email", "required": true, "type": "email" },
      { "field": "website", "type": "url" },
      { "field": "budget", "type": "number" },
      { "field": "projectCode", "regex": "^FF-[0-9]+$" },
      {
        "field": "resume",
        "file": {
          "required": true,
          "allowedMimeTypes": ["application/pdf"]
        }
      }
    ]
  }
}

Text rules validate submitted custom fields before delivery is queued. Regex rules must fit FormsFort's safe JavaScript subset: no groups, alternation, backreferences, lookarounds, or wildcard repetition. File rules run only when uploads are enabled for the form and apply to attachments submitted under the matching field name.

On this page