
Submissions overview

A submission is one POST to your form's endpoint. Each one has:

  • An id (ULID)
  • A payload — every key/value the form sent (validated against the form's schema in hosted mode, free-form in legacy mode)
  • A status: received, spam, processed, or failed
  • Files — any uploads, with signed download URLs
  • Metadata — IP, user agent, referrer, AI moderation score, category

The pipeline

POST /f/{public_id}
  ↓
1. CORS / origin gate
2. Rate limit (per IP, per form)
3. Schema validation (hosted forms)
4. Honeypot check
5. Captcha (hCaptcha / reCAPTCHA, if enabled)
6. Custom rules (regex / keywords / blocked emails)
7. Akismet (if enabled)
8. AI moderation (Pro+, if enabled)
9. Persist
  ↓
- Inbox or spam folder
- Notification emails
- Autoresponder
- Webhooks dispatched in background

The pipeline returns 200 even for spam classifications so bots don't learn what to retry. Hard rejections (CORS, captcha invalid, rate-limited) return 4xx.
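The split between hard rejections and silent spam classification can be modelled in a few lines. This is an added sketch, not the service's code: the `Form` class, `handle` function, `_hp` honeypot field name, the specific 403/429/400 codes (the page only says 4xx), storing clean submissions as `received`, and the choice to let a honeypot hit continue to the captcha step are all assumptions, and schema validation, Akismet and AI moderation are left out.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Form:
    allowed_origins: set
    rate_limit: int                                        # max POSTs per IP for this form
    blocked_patterns: list = field(default_factory=list)   # custom-rule regexes
    hits: dict = field(default_factory=dict)               # ip -> request count
    stored: list = field(default_factory=list)             # persisted submissions

def handle(form, origin, ip, payload, captcha_ok=True):
    """Return the HTTP status the client sees; persist unless hard-rejected."""
    # Hard gates: nothing is stored and the client gets a 4xx.
    if origin not in form.allowed_origins:
        return 403
    form.hits[ip] = form.hits.get(ip, 0) + 1
    if form.hits[ip] > form.rate_limit:
        return 429
    # Soft gate: a filled honeypot only marks the submission.
    spam = bool(payload.get("_hp"))        # "_hp" is a made-up honeypot field
    if not captcha_ok:
        return 400
    # Soft gate: custom rules matched against every submitted value.
    text = " ".join(str(v) for v in payload.values())
    spam = spam or any(re.search(p, text, re.I) for p in form.blocked_patterns)
    # Persist either way; the folder differs, the response does not.
    form.stored.append({"payload": payload, "status": "spam" if spam else "received"})
    return 200

def demo():
    # Constructed sample requests (documentation IPs and example domains).
    form = Form({"https://example.com"}, rate_limit=5,
                blocked_patterns=[r"free\s+crypto"])
    ok = "https://example.com"
    codes = [
        handle(form, ok, "198.51.100.7", {"email": "a@example.com", "msg": "hi"}),
        handle(form, ok, "198.51.100.8", {"msg": "hi", "_hp": "bot-filled"}),
        handle(form, ok, "198.51.100.9", {"msg": "FREE  crypto here"}),
        handle(form, "https://evil.example", "198.51.100.9", {"msg": "hi"}),
        handle(form, ok, "198.51.100.9", {"msg": "hi"}, captcha_ok=False),
    ]
    return codes, [s["status"] for s in form.stored]

if __name__ == "__main__":
    print(demo())
```

A client integration cannot use the response code to tell whether a submission landed in the inbox or the spam folder; that information is only in the stored status.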

Inbox vs spam

The dashboard splits submissions into two folders. Inbox is the clean stuff. Spam is anything any layer of the spam stack flagged. Both are searchable, exportable, and recoverable — moving from spam back to inbox is one click (or one MCP call).
