Options Reference
FormsFort options reference for FormsFort hidden fields, reserved names, captcha tokens, uploads, redirects, and paid/manual gates.
Options Reference
Any non-reserved input name is forwarded as submitted data. Reserved names below control routing, email behavior, redirects, spam checks, uploads, captcha, and integrations.
Routing
| Option | Description |
|---|---|
access_key | Required public form key for POST /submit. |
apikey | Legacy alias for access_key. |
POST /submit/YOUR_ACCESS_KEY | Path variant when hidden fields are not available. |
| Option | Description |
|---|---|
email | Submitter email. Used as reply-to when the form reply-to mode allows it. |
subject | Notification subject override. Blank values are ignored. |
from_name | Notification display-name override. New forms default to Notifications. |
replyto | Explicit per-submit reply-to address override. |
reply-to mode | Dashboard setting for submitted email, default address, or no reply-to. |
ccemail | Paid/manual comma- or semicolon-separated CC recipients. |
Flow and Spam
| Option | Description |
|---|---|
redirect | Per-submit success redirect for non-JavaScript posts. Overrides the form redirect default. |
redirect default | Dashboard setting used when an HTML post does not include redirect. |
botcheck | Hidden honeypot. Filled values reject as spam; JSON false-like values are accepted. |
allowed domains | Dashboard setting that restricts browser submissions to exact hostnames; wildcard patterns require Pro or Lifetime. |
Files, Captcha, and Integrations
| Option | Description |
|---|---|
attachment | Paid/manual file upload field for multipart forms. |
data-advanced | Advanced uploader file-input attribute handled by the client helper script. |
data-fileupload | Legacy advanced uploader placeholder or file-input attribute. |
g-recaptcha-response | Google reCAPTCHA v2 token. |
recaptcha_response | Google reCAPTCHA v3 token. |
h-captcha-response | hCaptcha token. |
cf-turnstile-response | Cloudflare Turnstile token. |
webhook | Paid/manual per-submit webhook URL. |
Common hidden fields
<form action="https://api.formsfort.com/submit" method="POST">
<input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />
<input type="hidden" name="subject" value="New website lead" />
<input type="hidden" name="from_name" value="Example Site" />
<input type="hidden" name="replyto" value="[email protected]" />
<input type="hidden" name="redirect" value="https://example.com/thanks" />
<input type="checkbox" name="botcheck" style="display:none" />
</form>Paid/manual options
<input type="hidden" name="ccemail" value="[email protected]; [email protected]" />
<input type="hidden" name="webhook" value="https://example.com/formsfort" />
<input type="file" name="attachment" />
<input
type="file"
name="attachment"
data-advanced="true"
multiple
data-max-files="3"
data-max-file-size="5MB"
/>
<!-- Legacy placeholder markup is also supported. -->
<input type="hidden" data-fileupload="true" data-max-files="3" />
<script src="https://api.formsfort.com/client/script.js" async defer></script>Captcha token names
reCAPTCHA v2: g-recaptcha-response
reCAPTCHA v3: recaptcha_response
hCaptcha: h-captcha-response
Cloudflare Turnstile: cf-turnstile-responseForwarding rules
FormsFort forwards custom fields to email, autoresponder copies, Google Sheets, native notifications, and generic webhooks. Reserved routing fields, captcha tokens, honeypots, access keys, and attachment content are excluded from generic webhook payloads.
- Repeated browser field names are joined as comma-separated values.
- Blank subject, from_name, and replyto values do not replace safe defaults.
- Dashboard reply-to mode decides whether submitted email, a default address, or no reply-to is used.
- Per-submit redirect values override the form redirect default.
- Server-side submissions require a paid/manual IP safelist.
- JavaScript requests should handle JSON instead of relying on redirect.
Server-side validation rules
Dashboard form settings can define validation.fields for custom field names. Supported rules are required, type: "email", type: "url", type: "number", minLength, maxLength, regex, and file rules for uploaded fields. Regex rules use a safe JavaScript subset with no groups, alternation, backreferences, lookarounds, or wildcard repetition:
{
"fields": [
{ "field": "email", "required": true, "type": "email" },
{ "field": "message", "required": true, "minLength": 10, "maxLength": 1000 },
{ "field": "order_id", "regex": "^ORD-[0-9]+$" },
{
"field": "resume",
"file": {
"required": true,
"allowedMimeTypes": ["application/pdf", "image/*"]
}
}
]
}JSON submissions receive errors with field, rule, and message. Plain HTML submissions redirect to the hosted error page, which renders the validation messages.