Skip to content
REST API · webhooks · MCP · tokens

Hooks,not headaches.

Everything a builder needs to wire Formspring into anything: a clean REST API, signed webhooks, scoped tokens, an OpenAPI spec, and a first-class MCP server so AI assistants can build and manage forms for you.

Read the docs Get a token
Signed webhooksOpenAPI spec109 toolsEU hosted
<form action="https://formspring.io/f/abc123" method="POST">
  <input type="email" name="email" required />
  <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>

POST · 14ms · eu-de · signed webhook fired

The endpoint is the integration

One URL in your form action.

Point the action attribute at your form endpoint and you are done - no SDK, no build step, no server route. Every submission lands in a real dashboard, fires a signed webhook, and is filtered for spam before it reaches you. Send it from raw HTML, fetch, or the terminal. 

<form action="https://formspring.io/f/abc123" method="POST">
  <input type="email" name="email" required />
  <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>
Capabilities

Inspectable plumbing, all the way down.

Five surfaces, one workspace. Read the docs for the full reference; the shape never changes out from under you every six months.

01

REST API

Create forms, read submissions, and manage everything programmatically. An OpenAPI spec ships with it, so client generation and request validation come for free.

02

Webhooks

Signed, retried, replayable delivery of every submission event. Verify the HMAC signature, replay a delivery from history, and read the delivery log right next to the submission.

03

MCP server

Connect Claude, Cursor, or any MCP client and run Formspring from your assistant. 109 tools, OAuth device flow, scoped to one workspace at a time.

04

Tokens & abilities

Scoped personal access tokens with fine-grained abilities. Grant forms:read without forms:write, rotate a token from the dashboard, and audit which token did what.

05

Embed & quick tools

Drop a form anywhere with one script tag. Shorten a link or spin up a 24-hour quick form with no account, then graduate to the full workspace when you are ready.

Webhooks & tokens

Verify the signature. Trust the payload.

Every webhook delivery carries an HMAC signature you check in constant time. Replay any delivery from history. The same scoped token reads submissions back over the REST API when you need a pull instead of a push.

HMAC-SHA256replayretriesabilitiesOAuth device flow
// Every delivery is signed. Compare in constant time.
const signature = req.headers["x-formspring-signature"];
const expected = hmacSha256(signingSecret, rawBody);

if (!timingSafeEqual(expected, signature)) {
  return res.status(401).end();
}

const payload = JSON.parse(rawBody);
handle(payload.submission);
Spam protection

Layered, not stacked.

Five filters, each at the right point in the pipeline. The cheap ones run first; nothing wastes compute on a bot a honeypot already caught.

  • 01

    Honeypot

    A hidden field is auto-injected on every form. Naive bots fill it; real people do not. Rejected before any spam compute runs.

  • 02

    Captcha (your keys)

    Bring your own hCaptcha or reCAPTCHA keys, configured per form. The challenge fires only when reputation says the friction is worth it.

  • 03

    Custom rules

    Block by keyword, domain, country, or regex. Useful for blanket bans on competitor outreach and known burner-email patterns.

  • 04

    Reputation pass

    An optional Akismet pass scores every submission and catches known bad actors before they ever reach your inbox.

  • 05

    AI moderation

    A model reads the message body itself and flags solicitation, scam patterns, and prompt injection in the response payload.

Integrations

Send submissions anywhere.

Native destinations, signed outbound webhooks, and a REST API with an OpenAPI spec. Set them up in a couple of clicks, or wire them yourself.

Slack logoSlack
Google Sheets logoGoogle Sheets
Zapier logoZapier
Notion logoNotion
Airtable logoAirtable
HubSpot logoHubSpot
Telegram logoTelegram
WHWebhook
See all integrations
Plans

Per workspace. Not per form.

One submission counter for the whole workspace. Webhooks, the API, and MCP unlock on Pro and above.

PlanPriceWhat's included
FreeFree50 submissions/mo · 30-day retention · REST API on Pro
Pro$19/mo5,000 submissions/mo · webhooks, API, MCP, AI moderation
Team$49/mo25,000 submissions/mo · roles, audit history, agency mode
Scale$149/mo100,000 submissions/mo · higher limits · SLA-backed
See full plan comparison
Questions

For builders.

Is it really free?
Yes. The Free plan accepts 50 submissions per month with 30-day retention, no credit card required. Upgrade only when a project crosses 50 a month.
How does pricing scale?
Plans are billed per workspace, not per form. Pro is $19/mo for 5,000 submissions. Team is $49/mo for 25,000. Scale is $149/mo for 100,000. Over-quota submissions return HTTP 402 so the client knows the response was not accepted.
Do I need to handle CORS?
No. The ingestion endpoint allows cross-origin POSTs from any domain, returns JSON on Accept: application/json, and supports both standard form-encoded bodies and JSON payloads. No preflight tuning required.
Is my data in the EU?
Yes. Submissions and uploaded files are stored in Germany by default - Hetzner object storage for files, EU-region transactional mail. The Data Processing Addendum at /dpa lists every sub-processor.
Will it work with my React, Next, Vue, or Astro setup?
Anything that can POST works. Drop the endpoint URL into the form action, or fetch() to it from a client component. Snippets ship for HTML, React, Vue, Next.js, Astro, SvelteKit, Nuxt, vanilla JS, Python, PHP, and Ruby.
How does spam protection work?
Layered, not stacked. A hidden honeypot field catches naive bots before any compute runs. Optional hCaptcha or reCAPTCHA add a real-user challenge. Custom rules let you block by keyword or pattern. Akismet reputation scoring filters known bad actors. AI moderation reads the message itself and flags solicitation, profanity, and prompt injection.
Are webhooks signed?
Yes. Every webhook delivery carries an x-formspring-signature header with an HMAC-SHA256 of the raw body using your per-form secret. Retries are exponential with full delivery history and one-click replay from the dashboard.

Read the docs. Get a token.

The free plan covers a personal site or a small intake flow. Upgrade when you want webhooks, the API, and the MCP server.

Read the docs →Explore the MCP server

·· signed webhooks · OpenAPI spec · EU hosted