Webhooks overview

A webhook is a URL we POST a JSON payload to whenever a clean submission lands. Webhooks are per-form; a form can have multiple. Every payload is signed with HMAC-SHA256 over the raw body using a secret you copy once at creation.

Lifecycle

  1. Create a webhook on a form. We generate a signing secret and show it once.
  2. Submission lands and passes the spam stack.
  3. Dispatch runs in the background. We POST to your URL.
  4. Verify in your handler — recompute HMAC, compare in constant time.
  5. Retry on failure — exponential backoff up to 7 attempts.
  6. Replay any delivery from the dashboard or via the API at any time.

What gets sent

{
  "type": "submission.created",
  "submission_id": "01HFXX0X9R7KZJVN9VS6TG2C5T",
  "form_id": "r2EdO-orF-3S",
  "payload": { "email": "ada@example.com", "message": "Hi" },
  "received_at": "2026-05-07T16:09:10Z"
}

Plus headers:

X-Formspring-Signature: <hex hmac-sha256>
X-Formspring-Event:     submission.created
X-Formspring-Timestamp: 1746651750
Content-Type:           application/json
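
A handler-side sketch of step 4 (verify), added here as an illustration and not taken from Formspring's own code or SDKs. It assumes the signature is the lowercase-or-uppercase hex HMAC-SHA256 of the raw request body and nothing else; the page does not say whether X-Formspring-Timestamp is covered by the signature, so the example does not rely on it. The function names and the demo secret and body are constructed for the example.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Formspring-Signature"  # header name from the page


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes of the request body."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, headers: dict, raw_body: bytes):
    """Return the parsed event if the signature is valid, else None.

    raw_body must be the bytes as received, read before any JSON parsing:
    re-serialising the parsed object changes whitespace or key order and
    therefore the MAC.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not received:
        return None
    expected = sign(secret, raw_body)
    # compare_digest takes time independent of where the inputs differ.
    # Encode to bytes first: it raises TypeError on non-ASCII str input.
    candidate = received.strip().lower().encode()
    if not hmac.compare_digest(expected.encode(), candidate):
        return None
    # Parse only after the body has been authenticated.
    return json.loads(raw_body)


# Constructed sample values, for demonstration only.
DEMO_SECRET = b"demo-secret-not-a-real-key"
DEMO_BODY = (b'{"type":"submission.created",'
             b'"submission_id":"01HFXX0X9R7KZJVN9VS6TG2C5T",'
             b'"payload":{"email":"ada@example.com","message":"Hi"}}')
DEMO_HEADERS = {SIGNATURE_HEADER: sign(DEMO_SECRET, DEMO_BODY)}

if __name__ == "__main__":
    event = verify_delivery(DEMO_SECRET, DEMO_HEADERS, DEMO_BODY)
    print("verified:", event["type"])
    # Same JSON, different bytes: the signature no longer matches.
    reserialised = json.dumps(json.loads(DEMO_BODY)).encode()
    ok = verify_delivery(DEMO_SECRET, DEMO_HEADERS, reserialised)
    print("re-serialised body accepted:", ok is not None)
```

Because failed deliveries are retried and any delivery can be replayed, the same submission_id can arrive more than once; a handler that must act only once per submission should record the ids it has processed.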
