USE CASES · COPY-PASTE CURL

Every form you'd
ever need a backend for.

Real curl. Real payloads. One endpoint serves your marketing contact form, your job-applications inbox, your AI agent, and your mobile app — without a line of backend code on your side.

Read the docs

Three categories below: websites · AI agents · developer infrastructure.

/ for websites

Drop-in backend for any web form.

The Formspree pattern, done right. One POST, email in your inbox, spam pipeline already running. Zero server code on your side.

contact form

Marketing site contact form

The classic. A lead fills the form, the sales team gets the email, and _replyto rewrites the email's Reply-To header — so when sales hits Reply, the message goes to the lead, not to us.

$ curl -X POST https://login.form4dev.com/api/submit/contact \
    -H "Content-Type: application/json" \
    -d '{
      "name": "Ada Lovelace",
      "email": "[email protected]",
      "message": "Interested in a demo for our 12-person team.",
      "_replyto": "[email protected]"
    }'

{ "success": true, "id": "sub_8f2a91c…" }
# Email lands in [email protected].
# Reply-To: [email protected] → hit reply, talk to the lead.

newsletter

Newsletter signup with instant autoresponder

_autoresponse sends the subscriber a confirmation email the moment they submit. No transactional-email provider needed for this one common case.

$ curl -X POST https://login.form4dev.com/api/submit/newsletter \
    -H "Content-Type: application/json" \
    -d '{
      "email": "[email protected]",
      "_autoresponse": "Thanks for subscribing — your first issue ships Friday.",
      "_subject": "New subscriber: [email protected]"
    }'

{ "success": true, "id": "sub_a14f…" }
# You get the lead. The subscriber gets an instant confirm reply.

careers

Job application with resume upload

Multipart parser handles PDFs, docs, screenshots. The resume gets attached to the recruiter's notification email. The [Possible spam] ML quarantine keeps the inbox clean without ever silently dropping a real applicant.

$ curl -X POST https://login.form4dev.com/api/submit/careers-backend \
    -F "name=Grace Hopper" \
    -F "[email protected]" \
    -F "role=Senior backend engineer" \
    -F "years_experience=8" \
    -F "cover_letter=I've shipped distributed systems at..." \
    -F "resume=@./resume.pdf"

{ "success": true, "id": "sub_c01dd…" }
# Notification email to [email protected] has resume.pdf attached.

support intake

Bug report widget with subject routing

_subject overrides the default email subject so your support inbox's filter rules route by severity, product, or environment without you running a triage script.

$ curl -X POST https://login.form4dev.com/api/submit/bug-report \
    -H "Content-Type: application/json" \
    -d '{
      "title": "Dashboard crashes on Safari 17",
      "severity": "high",
      "product_area": "billing",
      "steps_to_reproduce": "1. Open /orgs/{id}  2. Click Upgrade  3. White screen",
      "browser": "Safari 17.4 / macOS 14.5",
      "_subject": "[BUG][HIGH][billing] Dashboard crashes on Safari 17",
      "_replyto": "[email protected]"
    }'

{ "success": true, "id": "sub_b9c12…" }
# Gmail filter on "[BUG][HIGH]" pages on-call. The rest go to triage.

/ for AI agents 🤖

Forms your agent can use as a first-class citizen.

Bearer-authed POSTs skip captcha, honeypot, and the per-IP rate limit — the token IS the trust boundary. The OpenAPI spec is CORS-open so the agent discovers the surface itself.

agent · bearer

Agent books a demo on a user's behalf

Your assistant (Claude, ChatGPT, a custom one) fills out the prospect's demo form for them — the lead lands in your sales inbox stamped with the agent's label, attributed in the audit log, no captcha to break.

$ curl -X POST https://login.form4dev.com/api/submit/demo-request \
    -H "Authorization: Bearer fmd_a8c91b2e7d…" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "Sarah Chen",
      "company": "Acme Corp",
      "email": "[email protected]",
      "team_size": 12,
      "use_case": "Lead capture for marketing site + agent integration",
      "monthly_volume": 5000,
      "_replyto": "[email protected]",
      "_source": "submitted via Claude.ai on user behalf"
    }'

{
  "success": true,
  "id": "sub_d31be…",
  "submitted_via": "agent:tok_demo_intake_claude"
}
# Inbox row shows the 🤖 stamp + the token label.
# Skipped: per-IP rate limit, honeypot, CAPTCHA. The token is trust.

agent · bulk

Bulk import 1,000 leads from a scrape, CSV, or Sheet

Idempotency keys make the loop safely retryable — re-running the same script doesn't double-post. Per-IP rate limit doesn't apply to Bearer-authed traffic, so a background job can drain a queue without throttling.

$ cat leads.jsonl | while read line; do
    curl -X POST https://login.form4dev.com/api/submit/crm-intake \
      -H "Authorization: Bearer fmd_a8c91b2e7d…" \
      -H "Content-Type: application/json" \
      -H "Idempotency-Key: $(echo -n "$line" | sha256sum | cut -c1-32)" \
      -d "$line"
  done

{ "success": true, "id": "sub_…" }   ×1000
# Re-run with the same input and you get the same IDs — no dupes.
# Per-IP rate limit doesn't apply to Bearer tokens.

agent · discovery

Agent discovers the API surface itself

The whole API is described at /api/openapi.json — CORS-open, no auth required to read. Drop it into an agent's tool-use loop and it learns the endpoints, parameter types, and response shapes without a docs site.

$ curl -s https://login.form4dev.com/api/openapi.json | jq '.paths | keys'

[
  "/api/forms",
  "/api/forms/{formId}",
  "/api/forms/{formId}/builder",
  "/api/forms/{formId}/submissions",
  "/api/forms/{formId}/failures",
  "/api/submit/{endpointSlug}",
  "/api/submissions/{id}",
  "/api/tokens",
  …
]
# Agent reads, mints a scoped token, picks an endpoint, submits.
# No SDK install, no docs to scrape. Just JSON.

agent · voice

Voice agent → schema-validated form

Your voice agent (Twilio, Vapi, Retell) transcribes a call, extracts the structured fields, and submits. The form's strict 13-type schema catches malformed extractions before they pollute the inbox — bad voice agents fail loudly, not silently.

$ curl -X POST https://login.form4dev.com/api/submit/clinic-intake \
    -H "Authorization: Bearer fmd_voice_agent_…" \
    -H "Content-Type: application/json" \
    -d '{
      "patient_name": "Anna Smith",
      "phone": "+1 415 555 0117",
      "reason_for_visit": "Follow-up — knee injection three weeks ago",
      "preferred_date": "2026-06-15",
      "preferred_time": "afternoon",
      "insurance_provider": "Blue Shield",
      "_source": "via Twilio voice agent",
      "_replyto": "[email protected]"
    }'

{ "success": true, "id": "sub_v8c1e…" }
# Schema rejects bad date formats with 400 + a field-level error
# the agent can react to ("please confirm the date").

agent · workflow

Agent logs a workflow event from Slack / GitHub / a file watcher

Use a form as a write-side event log. The agent submits, the form's signed webhook fires to your downstream system, and the auto-retry (5× with backoff) means your pipeline doesn't lose the event if its receiver is briefly down.

$ curl -X POST https://login.form4dev.com/api/submit/build-events \
    -H "Authorization: Bearer fmd_ci_agent_…" \
    -H "Content-Type: application/json" \
    -d '{
      "kind": "deploy.completed",
      "service": "api-gateway",
      "git_sha": "8f3a91c",
      "env": "production",
      "duration_ms": 47120,
      "triggered_by": "release-bot"
    }'

{ "success": true, "id": "sub_evt_…" }
# Webhook fires to your audit-log service.
# Auto-retried at 1m, 5m, 30m, 2h, 10h if it 5xxs.

/ for developers

Real infra under the form layer.

Auto-retry'd webhooks, multipart parsing, idempotency, signed deliveries, per-tenant SMTP. Your prototype graduates to production without re-platforming.

static site

A real backend for your static site

Drop this on Vercel, Cloudflare Pages, Netlify, S3, GitHub Pages. The form URL handles CORS, parses urlencoded and JSON, runs the spam pipeline, and emails you. Zero server code on your side.

<form action="https://login.form4dev.com/api/submit/contact" method="POST">
  <input name="name" required/>
  <input name="email" type="email" required/>
  <textarea name="message" required></textarea>
  <input type="hidden" name="_subject" value="New contact — yourco.com"/>
  <button>Send</button>
</form>
<!-- That's it. No PHP, no Vercel function, no SMTP setup. -->

webhooks

Verify and consume a signed webhook

Every webhook delivery carries an HMAC-SHA256 signature you verify with timingSafeEqual. If your endpoint returns 5xx, we retry 5× with exponential backoff (1m → 5m → 30m → 2h → 10h) — your pipeline doesn't lose events on flaky deploys.

import { createHmac, timingSafeEqual } from "node:crypto";

export function verifyForm4DevWebhook(headers, rawBody) {
  const sig = headers["x-form4dev-signature"];
  const expected = createHmac("sha256", process.env.FORM4DEV_WEBHOOK_SECRET)
    .update(rawBody)
    .digest("hex");
  return sig.length === expected.length
    && timingSafeEqual(Buffer.from(sig), Buffer.from(expected));
}

export async function POST(req) {
  const raw = await req.text();
  if (!verifyForm4DevWebhook(req.headers, raw)) return new Response("bad sig", { status: 401 });
  const payload = JSON.parse(raw);
  await enqueueForProcessing(payload);
  return new Response("ok");
}

read API

List, filter, and export submissions programmatically

The same Bearer token your agent uses to submit can read submissions back — scoped to submissions:read. Pipe to your warehouse, your CRM, your nightly job.

$ curl -s "https://login.form4dev.com/api/forms/frm_8f2a/submissions?since=2026-06-01&limit=200" \
    -H "Authorization: Bearer fmd_read_only_…" \
  | jq '.data[] | {id, email: .data.email, created_at}'

{ "id": "sub_a14f…", "email": "[email protected]", "created_at": "2026-06-02T09:14:21Z" }
{ "id": "sub_b9c1…", "email": "[email protected]", "created_at": "2026-06-02T11:02:48Z" }
…
# Token scope enforced server-side. submissions:write token can't read.

Pick one. Ship it in five minutes.

Free tier: 100 submissions / month, every feature. No credit card. See pricing for higher volume.