forms + security, one API

The form backend
that fights back

Drop a form into any site in five minutes. Email validation, bot detection, rate limiting, and spam filtering run on every submission — no backend code, no CAPTCHAs by default.

index.html — this is the whole integration
<form action="https://api.fieldpost.dev/v1/submit" method="POST" data-fieldpost>
  <input type="hidden" name="access_key" value="YOUR_ACCESS_KEY">

  <input type="email" name="email" required>
  <textarea name="message" required></textarea>
  <button>Send</button>
</form>

<script src="https://cdn.fieldpost.dev/v1/fieldpost.min.js" defer></script>
<1KB
embed script, gzipped
6
security rules per submission
0
lines of backend code
Features

Everything a form needs. Nothing it doesn't.

Form handling and form security are the same problem. Fieldpost solves them together.

No backend code

Point your form's action at our endpoint. Works with plain HTML, Next.js, React, Vue, Svelte, Astro, Webflow, Framer — anything that can POST.

✉️

Email validation built in

Syntax, MX records, disposable domains, and role addresses checked on every submission — before it ever reaches your inbox.

🤖

Bot detection

Honeypot, fill-time analysis, and header fingerprinting catch automated submissions without making humans solve puzzles.

🚦

Rate limiting

Per-form, per-visitor limits with atomic counters at the edge. Burst traffic and form-spam scripts hit a wall.

🛡️

Shield filtering

SQL injection, XSS, template injection, and header-injection payloads are detected and blocked at the field level.

🔑

CAPTCHA when you want it

Turnstile, reCAPTCHA v2/v3, and hCaptcha verified server-side. Free on every plan — not paywalled.

🗄️

Your data, your Supabase

Submissions land in a Postgres database you own. Export anytime via API. Raw IPs are never stored — only salted hashes.

🔀

Integrations

Resend notifications and autoresponders, HMAC-signed webhooks, HubSpot, Slack, Discord. Zapier, Make, and n8n via webhooks.

📦

Under 1KB embed

The optional embed script is 959 bytes gzipped with zero dependencies. Your Lighthouse score won't notice it.

Security suite

Six rules. Three modes. Per form.

Every rule runs in block, flag (store as spam, dry-run), or off — tune protection without redeploying.

RuleChecks
email_validationsyntax · MX · disposable · role addresses
bot_detectionhoneypot · fill-time · header heuristics
rate_limitfixed-window · per form + fingerprint
shieldSQLi · XSS · traversal · header injection
captchaTurnstile · reCAPTCHA · hCaptcha
redactemails · phones · cards · IPs
per-form security config
{
  "email_validation": { "mode": "block",
    "check_mx": true,
    "block_disposable": true },
  "rate_limit": { "mode": "block",
    "window_seconds": 60, "max": 5 },
  "bot_detection": { "mode": "block",
    "min_fill_seconds": 2 },
  "shield": { "mode": "flag" },
  "redact": { "entities": ["credit_card"] }
}
React & Next.js

A hook, not a widget.

Headless by design — bring your own markup and styles. The hook handles submission, status, and bot-check tokens.

ContactForm.tsx
"use client";
import { useFieldpost } from "@fieldpost/react";

export default function ContactForm() {
  const { submit, status, error } = useFieldpost({
    accessKey: process.env.NEXT_PUBLIC_FIELDPOST_KEY!,
  });

  return (
    <form onSubmit={submit}>
      <input name="email" type="email" required />
      <textarea name="message" required />
      <button disabled={status === "submitting"}>Send</button>
      {status === "success" && <p>Thanks!</p>}
      {status === "error" && <p>{error}</p>}
    </form>
  );
}
FAQ

Questions

Is my access key safe in client-side code?

Yes. The access key is public by design — it only identifies which form to deliver to. Abuse is handled by the security suite (rate limits, bot detection, trusted domains), and privileged operations require your private secret key.

Do I need a CAPTCHA?

Usually not. Honeypot + fill-time + header analysis + rate limiting stops the vast majority of spam without user friction. If you want one anyway, Turnstile, reCAPTCHA, and hCaptcha verification are included on every plan.

Where is my data stored?

In Postgres (Supabase) — encrypted at rest, exportable anytime through the management API. Raw visitor IPs are never stored, only salted SHA-256 fingerprints.

Can it replace my HubSpot forms?

Yes — that's literally why we built it. Keep your custom markup, submit to Fieldpost, and the HubSpot integration syncs submissions to your portal via the HubSpot Forms API. See the comparison.

Does it work without JavaScript?

Yes. A plain HTML POST works with a redirect to your thank-you page. The optional <1KB script upgrades it to AJAX with inline success states.

Ship a protected form in 5 minutes.

One endpoint, one access key, zero backend code. Free tier included.

Start building →