The form backend
that fights back
Drop a form into any site in five minutes. Email validation, bot detection, rate limiting, and spam filtering run on every submission — no backend code, no CAPTCHAs by default.
<form action="https://api.fieldpost.dev/v1/submit" method="POST" data-fieldpost> <input type="hidden" name="access_key" value="YOUR_ACCESS_KEY"> <input type="email" name="email" required> <textarea name="message" required></textarea> <button>Send</button> </form> <script src="https://cdn.fieldpost.dev/v1/fieldpost.min.js" defer></script>
Everything a form needs. Nothing it doesn't.
Form handling and form security are the same problem. Fieldpost solves them together.
No backend code
Point your form's action at our endpoint. Works with plain HTML, Next.js, React, Vue, Svelte, Astro, Webflow, Framer — anything that can POST.
Email validation built in
Syntax, MX records, disposable domains, and role addresses checked on every submission — before it ever reaches your inbox.
Bot detection
Honeypot, fill-time analysis, and header fingerprinting catch automated submissions without making humans solve puzzles.
Rate limiting
Per-form, per-visitor limits with atomic counters at the edge. Burst traffic and form-spam scripts hit a wall.
Shield filtering
SQL injection, XSS, template injection, and header-injection payloads are detected and blocked at the field level.
CAPTCHA when you want it
Turnstile, reCAPTCHA v2/v3, and hCaptcha verified server-side. Free on every plan — not paywalled.
Your data, your Supabase
Submissions land in a Postgres database you own. Export anytime via API. Raw IPs are never stored — only salted hashes.
Integrations
Resend notifications and autoresponders, HMAC-signed webhooks, HubSpot, Slack, Discord. Zapier, Make, and n8n via webhooks.
Under 1KB embed
The optional embed script is 959 bytes gzipped with zero dependencies. Your Lighthouse score won't notice it.
Six rules. Three modes. Per form.
Every rule runs in block, flag (store as spam, dry-run), or off — tune protection without redeploying.
| Rule | Checks |
|---|---|
| email_validation | syntax · MX · disposable · role addresses |
| bot_detection | honeypot · fill-time · header heuristics |
| rate_limit | fixed-window · per form + fingerprint |
| shield | SQLi · XSS · traversal · header injection |
| captcha | Turnstile · reCAPTCHA · hCaptcha |
| redact | emails · phones · cards · IPs |
{
"email_validation": { "mode": "block",
"check_mx": true,
"block_disposable": true },
"rate_limit": { "mode": "block",
"window_seconds": 60, "max": 5 },
"bot_detection": { "mode": "block",
"min_fill_seconds": 2 },
"shield": { "mode": "flag" },
"redact": { "entities": ["credit_card"] }
}A hook, not a widget.
Headless by design — bring your own markup and styles. The hook handles submission, status, and bot-check tokens.
"use client";
import { useFieldpost } from "@fieldpost/react";
export default function ContactForm() {
const { submit, status, error } = useFieldpost({
accessKey: process.env.NEXT_PUBLIC_FIELDPOST_KEY!,
});
return (
<form onSubmit={submit}>
<input name="email" type="email" required />
<textarea name="message" required />
<button disabled={status === "submitting"}>Send</button>
{status === "success" && <p>Thanks!</p>}
{status === "error" && <p>{error}</p>}
</form>
);
}Questions
Is my access key safe in client-side code?
Yes. The access key is public by design — it only identifies which form to deliver to. Abuse is handled by the security suite (rate limits, bot detection, trusted domains), and privileged operations require your private secret key.
Do I need a CAPTCHA?
Usually not. Honeypot + fill-time + header analysis + rate limiting stops the vast majority of spam without user friction. If you want one anyway, Turnstile, reCAPTCHA, and hCaptcha verification are included on every plan.
Where is my data stored?
In Postgres (Supabase) — encrypted at rest, exportable anytime through the management API. Raw visitor IPs are never stored, only salted SHA-256 fingerprints.
Can it replace my HubSpot forms?
Yes — that's literally why we built it. Keep your custom markup, submit to Fieldpost, and the HubSpot integration syncs submissions to your portal via the HubSpot Forms API. See the comparison.
Does it work without JavaScript?
Yes. A plain HTML POST works with a redirect to your thank-you page. The optional <1KB script upgrades it to AJAX with inline success states.
Ship a protected form in 5 minutes.
One endpoint, one access key, zero backend code. Free tier included.
Start building →