
Spam protection

Form spam is a constant. We block the obvious stuff automatically and give you a couple of tools to handle the rest.

Honeypot field

Add a hidden _gotcha field to your form. Real users leave it empty; bots that auto-fill every input will populate it. Any submission with a non-empty _gotcha value is silently dropped — we return a normal 200 OK so bots can't tell they've been filtered.

```html
<input
  type="text"
  name="_gotcha"
  style="position:absolute;left:-10000px"
  tabindex="-1"
  autocomplete="off"
/>
```

Hosted forms include this automatically — you only need to add it when you're writing your own HTML.

Rate limits

Every form endpoint is rate-limited along three axes, each on a rolling 60-second window:

  • 5 submissions per IP, per form — keeps a single spammer from hammering one form.
  • 30 submissions per IP, across all forms — caps per-source volume across the app.
  • 60 submissions per form — fallback when the IP can't be determined (local development, missing proxy headers).

When a limit is hit, the endpoint returns HTTP 429 with a Retry-After header.
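
To show how the three limits interact and where a Retry-After value can come from, here is a sliding-window limiter in JavaScript. It is an added example, not the service's own code. The class name, the bucket keys, and the choice to apply the per-form limit only when the IP is unknown are assumptions.

```javascript
// Added illustration: sliding-window limiter using the three limits listed above.
const WINDOW_MS = 60_000; // rolling 60-second window
const LIMITS = { ipForm: 5, ip: 30, form: 60 };

class SubmissionLimiter {
  constructor() {
    this.hits = new Map(); // bucket key -> ascending timestamps (ms)
  }

  // Drop timestamps that have left the window and return the live ones.
  live(key, now) {
    const kept = (this.hits.get(key) || []).filter((t) => now - t < WINDOW_MS);
    this.hits.set(key, kept);
    return kept;
  }

  // ip is null when it cannot be determined (local dev, missing proxy headers).
  check(formId, ip, now = Date.now()) {
    // Assumption: the per-form limit is only consulted when the IP is unknown.
    const buckets = ip
      ? [[`ipform|${ip}|${formId}`, LIMITS.ipForm], [`ip|${ip}`, LIMITS.ip]]
      : [[`form|${formId}`, LIMITS.form]];

    let retryAfter = 0;
    for (const [key, limit] of buckets) {
      const stamps = this.live(key, now);
      if (stamps.length >= limit) {
        // A slot frees when the oldest of the last `limit` hits leaves the window.
        const freesAt = stamps[stamps.length - limit] + WINDOW_MS;
        retryAfter = Math.max(retryAfter, Math.ceil((freesAt - now) / 1000));
      }
    }
    if (retryAfter > 0) return { status: 429, retryAfter };

    // Record the hit only when every bucket had room, so rejected
    // requests do not extend the lockout.
    for (const [key] of buckets) this.hits.get(key).push(now);
    return { status: 200, retryAfter: 0 };
  }
}
```

When two buckets are full at once, the longer wait is reported, so a client that honors Retry-After is not rejected again by the second limit.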

Empty submissions

Submissions that contain only control fields (_redirect, etc.) or no real data at all are rejected with HTTP 400. This blocks the simplest bot patterns at almost zero cost.

Account status checks

If a form's owner has scheduled their account for deletion, the endpoint returns HTTP 410 Gone. The form stops accepting submissions immediately so users see a clear message rather than their submissions vanishing.

Pair the honeypot with rate limits
On the public web, a hidden honeypot plus our default rate limits will block almost all submission spam without any user-visible captcha. Add a captcha later if and when a specific form becomes a target.