Headless form backend

Stop building form backends. Start shipping.

A headless API that gives you a POST endpoint in under a minute. Spam protection, field validation, and notifications included — so you can focus on your frontend.

Create Your First Form See How It Works

contact-form.js

// Submit from any frontend
const response = await fetch(
  'https://headless-form.robertboes.nl/api/v1/form/01JCK...',
  {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      name: 'Alex',
      email: 'alex@example.com',
      message: 'Hello!'
    })
  }
);

Features

Everything your forms need

From field validation to multi-channel notifications — all managed through a clean dashboard.

Dynamic Field Schema

Define 8 field types per form with automatic type coercion. Text, email, numeric, boolean, date, URL, select, and textarea.

Non-Guessable Endpoints

Every form gets a unique, random URL. Globally unique and impossible to enumerate.

Per-Form Origin Control

Whitelist specific domains per form. Dynamic CORS middleware validates every request origin in real-time.

Multi-Layer Bot Protection

Cloudflare Turnstile, reCAPTCHA v2, reCAPTCHA v3, and an invisible honeypot — use any combination per form.

Intelligent Rate Limiting

Set per-form cooldown periods. IP-based throttling prevents abuse without blocking legitimate users.

Email Notifications

Send beautifully formatted Markdown emails to multiple recipients the moment a submission arrives.

Webhook Integrations

Forward submissions to any URL. Every payload is signed with HMAC-SHA256 so you can verify authenticity.

Multi-Channel Notifications

Get notified your way — email, webhooks, Telegram, and more. Mix and match channels per form.

How it works

Up and running in three steps

Create your form

Name it, set your allowed origins, configure field schema and protection — all from the dashboard.

Add the endpoint

POST form data from any frontend — static sites, React, Vue, mobile apps, or plain HTML forms.

Receive submissions

View data in the dashboard and get notified via email, webhooks, or Telegram — your choice.

Developer experience

One endpoint. Any client.

Your forms accept JSON and form-encoded data out of the box. No SDKs, no libraries — just a standard POST request.

8 field types with automatic validation and coercion
JSON and form-encoded payloads supported
Optional access tokens for private forms
Clean JSON responses with field-level errors

Request

$ curl -X POST https://headless-form.robertboes.nl/api/v1/form/01JCK... \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Alex",
    "email": "alex@example.com",
    "message": "Hello from my static site!"
  }'

Response · 200 OK

{
  "message": "Form submitted successfully."
}

Security

Four layers of protection, zero configuration

Each layer works independently. Stack them for maximum defense or use only what you need.

Layer 1

Origin Validation

Per-form CORS whitelists reject requests from unauthorized domains before they reach your form logic.

Layer 2

Invisible Honeypot

A hidden field that real users never see. Bots fill it in automatically and get silently rejected.

Layer 3

Turnstile & reCAPTCHA

Driver-based challenge system. Choose Cloudflare Turnstile, reCAPTCHA v2, or v3 per form.

Layer 4

IP-Based Throttling

Configurable cooldown periods per form. Prevents rapid-fire abuse while keeping the door open for real users.

Notifications

Know the moment a submission arrives

Multiple channels, all configurable per form. Use one or all of them.

Email

Markdown-formatted emails sent to multiple recipients per form.

SMTP / Mailgun / SES

Webhooks

Forward submissions to any URL with HMAC-SHA256 signed payloads.

X-Signature header

Messaging

Instant alerts via Email, Telegram, Slack, Discord, and webhooks. Connect with one click.

5 channels supported