FormsFortAPI Reference
FormsFort public submit API reference for access-key submissions, path submissions, request fields, response codes, JSON responses, and redirect behavior.
API Reference
Submit from static sites with one public endpoint. The public API is Web3Forms-compatible for browser form posts and JavaScript submissions, with production gates for paid/manual features.
Endpoints
Access key endpoint
Use this when your form can include a hidden public access key field.
POST https://api.formsfort.dev/submitPath endpoint
Use this when the builder or framework cannot preserve hidden access_key fields.
POST https://api.formsfort.dev/submit/YOUR_ACCESS_KEYRequest formats
Content-Type: application/json
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data
Accept: application/json
X-Requested-With: XMLHttpRequestJavaScript requests should send Accept: application/json. Browser fetch FormData requests can still receive JSON through Fetch Metadata. Plain HTML requests may redirect after a successful submit. Form redirect defaults apply when no redirect field is supplied. GET /submit/error serves the hosted failure status page.
Reserved request fields
| Name | Type | Description |
|---|---|---|
access_key | string | Required for POST /submit. Public form key. Legacy apikey is also accepted. |
email | string | Submitter email. Used as reply-to when the form reply-to mode allows it. |
subject | string | Notification subject override. Blank values are ignored. |
from_name | string | Notification sender display-name override. New forms default to Notifications. |
ccemail | string | Paid/manual CC recipients. Comma or semicolon separated. |
replyto | string | Explicit per-submit reply-to override. |
redirect | URL | Per-submit success redirect for non-JavaScript form posts. Cross-domain redirects require a paid/manual entitlement. |
botcheck | boolean/string | Hidden honeypot field. Filled values reject as spam; false-like JSON values are accepted. |
attachment | file | Paid/manual file field for multipart forms. Other named file fields are also accepted. |
webhook | URL | Paid/manual per-submit webhook URL for queued JSON POST delivery. |
recaptcha_response | string | Google reCAPTCHA v3 token. |
h-captcha-response | string | hCaptcha token. |
cf-turnstile-response | string | Cloudflare Turnstile token. |
Success response
{
"success": true,
"message": "Email sent successfully!",
"requestId": "req-id",
"deliveryId": "email-delivery-id",
"autoresponderDeliveryId": "optional-autoresponder-id",
"webhookDeliveryIds": ["optional-webhook-id"],
"notificationDeliveryIds": ["optional-slack-discord-telegram-id"],
"googleSheetsDeliveryId": "optional-google-sheets-id",
"body": {
"data": {
"name": "Ada",
"email": "ada@example.com",
"message": "Hello"
},
"message": "Email sent successfully!"
}
}Error response
{
"success": false,
"message": "Invalid or unverified access_key.",
"requestId": "req-id",
"body": {
"data": {
"name": "Ada",
"email": "ada@example.com"
},
"message": "Invalid or unverified access_key."
}
}Response codes
| Code | Description |
|---|---|
200 | Accepted JSON submission. Email and integration work has been queued. |
303 | Accepted plain HTML submission redirecting to hosted success, the form redirect default, or a validated per-submit redirect URL. |
400 | Client error such as missing access key, unverified recipient, invalid redirect, spam, captcha, upload, or feature gate. |
429 | Rate limit or monthly quota rejection. Per-IP limits may include Retry-After. |
500 | Non-leaky server error with requestId for support correlation. |
Server-side submissions
Browser submissions are the default trust model. Server-side submissions, including requests without Origin or Referer, require a paid/manual entitlement and an exact sender IP safelist on the form.