Webhooks

Webhooks let you trigger external workflows every time a form submission arrives. Send data to Zapier, Make, your own API, a Slack channel, or anything that can receive an HTTP POST.

Looking for a step-by-step implementation guide? See Webhook Processing for complete working examples in Next.js and Express, including signature verification.

Setting up a webhook

Open your form in the dashboard
Go to Form Settings → Webhooks
Click Add endpoint
Enter your endpoint URL
Save

Formtorch will send a POST request to that URL for every new submission.

Payload

The request body is JSON with the following shape:


{
  "formId": "a1b2c3d4e5",
  "submissionId": "x9y8z7w6v5",
  "fields": {
    "name": "Alex",
    "email": "alex@example.com",
    "message": "Hello there"
  },
  "submittedAt": "2025-03-15T14:30:00.000Z",
  "isSpam": false,
  "spamScore": 0
}

The fields object contains all the submitted form data except reserved _* fields.

Signature verification

Every webhook request includes an X-Formtorch-Signature header. This is an HMAC-SHA256 signature of the raw request body, signed with your webhook secret.

Verify it on your server to confirm the request came from Formtorch:

app/api/webhook/route.ts


import { createHmac } from "crypto";
 
export async function POST(req: Request) {
  const body = await req.text();
  const signature = req.headers.get("x-formtorch-signature") ?? "";
 
  const expected = createHmac("sha256", process.env.WEBHOOK_SECRET!)
    .update(body)
    .digest("hex");
 
  if (signature !== `sha256=${expected}`) {
    return new Response("Unauthorized", { status: 401 });
  }
 
  const data = JSON.parse(body);
  // process data...
 
  return new Response("OK");
}

Your webhook secret is shown in the dashboard when you create the endpoint.

Retry behavior

If your endpoint returns a non-2xx status code or times out, Formtorch retries the delivery with exponential backoff:

Attempt	Delay
1st retry	30 seconds
2nd retry	5 minutes
3rd retry	30 minutes

After 3 failed retries, the delivery is marked as failed. You can see delivery status for each submission in the dashboard.

What triggers a webhook

Webhooks fire for every non-spam submission. They do not fire for:

Spam submissions (isSpam: true)
Test submissions (_test=true)

If you’re connecting to Zapier or Make, use their built-in webhook trigger. Paste your Formtorch endpoint URL into the Zapier “Catch Hook” or Make “Custom Webhook” module, then send a test submission to activate the trigger.

Webhooks are available on Starter and Pro plans. See the pricing page for a full plan comparison.