Skip to Content
HelpTroubleshooting

Troubleshooting

Something not working the way you expected? This guide covers the most common issues and how to fix them. Jump to the section that matches your situation.

Submissions not appearing

Check your form action URL

This is the most common culprit. Your form needs the correct action URL and method="POST".

<form action="https://formtorch.com/f/YOUR-FORM-ID" method="POST">
  <form action="https://formtorch.com/f/YOUR-FORM-ID">
    <form action="https://formtorch.com/f/YOUR-FORM-ID" method="GET"></form>
  </form>
</form>

To confirm your form ID: open the dashboard , select the form, and copy the endpoint from the Setup tab.

Check the Spam tab

TorchWarden, Formtorch’s spam detection system, may have flagged the submission. Go to your form in the dashboard and click the Spam tab. If you find a legitimate submission there, click Not Spam to move it back.

Check the browser’s Network tab

Open DevTools (F12 or Cmd+Option+I), submit the form, and look for the request in the Network tab. A 200 or 303 response means the submission went through. If you see a 4xx or 5xx, something is wrong on the request side.

Check you’re viewing the right account

If you have more than one Formtorch account, make sure you’re signed in to the one where the form lives.

Redirect not working after submission

If your _redirect field isn’t sending users to your custom URL, check these:

  • Use an absolute URL. The _redirect value must start with https:// or http://. Relative URLs like /thank-you are not supported.
  • Only works with standard form POSTs. If you’re submitting via fetch or XMLHttpRequest, Formtorch returns JSON — redirect in your JavaScript after a successful response.
  • The field must be inside the <form> tag. Hidden inputs outside the form are not submitted.
<input type="hidden" name="_redirect" value="https://yoursite.com/thank-you" />
 
<input type="hidden" name="_redirect" value="/thank-you" />

Email notifications not arriving

Check your spam or junk folder

Notification emails occasionally land in spam, especially with corporate mail servers. Search for emails from notifications@formtorch.com across all your mail folders.

Verify the recipient address

Formtorch requires each notification recipient to verify their email address before they start receiving notifications. In the dashboard, go to Form SettingsNotifications. Any unverified address shows a pending badge. Resend the verification email if needed.

Clicking “Add” adds the address to your recipient list, but notifications won’t go out until the person clicks the verification link.

Check whether the submission was a test or spam

Formtorch skips email notifications for two types of submissions:

  • Test submissions: sent with _test=true in the payload
  • Spam submissions: flagged by TorchWarden

Both types still appear in the dashboard (test submissions in the Submissions tab, spam in the Spam tab), but no notification email is sent for either.

Check for bounce or delivery issues

If notifications aren’t arriving for multiple submissions, open the submission in the dashboard and check the Delivery section for error details.

Spam: TorchWarden

TorchWarden scores every submission automatically. Anything at or above the spam threshold is flagged and held in the Spam tab rather than the Submissions tab.

Legitimate submissions marked as spam

  1. Go to your form in the dashboard and open the Spam tab.
  2. Find the submission.
  3. Click Not Spam to move it to Submissions.

If this keeps happening, review your spam filter settings; they may be set too aggressively. You can also enable the honeypot field (_honeypotField) as a softer signal for bots without flagging real users.

Still getting spam through

TorchWarden runs on every submission automatically. For more aggressive filtering, you can add a honeypot field to your form:

<input
  type="text"
  name="_honeypot"
  style="display:none"
  tabindex="-1"
  autocomplete="off"
/>

You can also customize which field acts as the honeypot using _honeypotField:

<input type="hidden" name="_honeypotField" value="website" />
<input type="text" name="website" style="display:none" tabindex="-1" />

Honeypot blocking real users

If real users are being flagged as spam and the honeypot is enabled, the hidden field may be visible or auto-filled by a password manager or browser autofill.

Make sure the honeypot is hidden with CSS, not type="hidden":

<input
  type="text"
  name="_honeypot"
  style="display:none"
  tabindex="-1"
  autocomplete="off"
/>
 
<input type="hidden" name="_honeypot" />

The tabindex="-1" and autocomplete="off" attributes discourage autofill tools from populating the field. If you’re still seeing false positives, try a less obvious field name — some tools specifically target fields named _honeypot.

Webhooks not triggering

Check the webhook URL

Make sure the URL is correct and publicly accessible. A quick way to test: paste the URL into webhook.site  and trigger a test submission.

View delivery logs

In the dashboard, go to Form SettingsWebhooks and click the webhook endpoint. You’ll see a log of recent delivery attempts, including the status code and response body for each one.

Common webhook error codes

StatusCauseFix
401 UnauthorizedEndpoint requires auth Formtorch isn’t providingAdd auth headers in webhook settings
404 Not FoundWrong URLDouble-check the endpoint URL
500 Server ErrorYour server threw an errorCheck your server logs
TimeoutYour endpoint took too long to respondReturn 200 immediately; process async

Formtorch retries failed deliveries with exponential backoff: 30 seconds, 5 minutes, 30 minutes. After 3 retries, the delivery is marked failed.

Signature verification failing

Webhooks include an x-formtorch-signature header with an HMAC-SHA256 signature. If your verification is failing, the most common cause is reading the request body as parsed JSON before verifying. The string representation won’t match.

Read the raw body as a string first, verify the signature, then parse it.

const body = await req.text(); // raw string: do this before JSON.parse
const signature = req.headers.get("x-formtorch-signature") ?? "";
 
const expected = `sha256=${createHmac(
  "sha256",
  process.env.FORMTORCH_WEBHOOK_SECRET!
)
  .update(body)
  .digest("hex")}`;
 
if (signature !== expected) {
  return new Response("Unauthorized", { status: 401 });
}
 
const event = JSON.parse(body);

See the Webhook Processing guide for a complete working example.

File uploads not working

Check form encoding

File uploads require enctype="multipart/form-data" on the form element. Without it, the file contents won’t be included in the request.

<form
  action="https://formtorch.com/f/YOUR-FORM-ID"
  method="POST"
  enctype="multipart/form-data"
>
  <input type="file" name="attachment" />
</form>

File size limits

The maximum file size is 10 MB per file. Files larger than that are rejected. If you need to handle larger files, upload them directly to object storage (like S3 or Cloudflare R2) and submit the resulting URL in your form instead.

Attachments not appearing in notification emails

Very large files may not be attached to notification emails, but they’re always accessible in the dashboard. Go to the submission detail view and look for the file in the Fields section.

CORS and CSP errors

Formtorch accepts cross-origin requests. If you’re submitting via fetch or XMLHttpRequest from a different domain, CORS headers are included automatically.

If you’re seeing CORS errors, the most likely cause is one of:

  • Using method="GET" instead of POST
  • Sending a preflight with custom headers that aren’t allowed
  • A CDN or proxy caching the preflight response incorrectly

Content Security Policy (CSP) configuration

If your site uses a Content Security Policy, add these directives:

form-action 'self' formtorch.com;
connect-src 'self' formtorch.com;

If you’re using CAPTCHA services on top of Formtorch, add the appropriate CSP entries for those providers separately (Google reCAPTCHA, hCaptcha, Cloudflare Turnstile each have their own requirements).

Rate limiting (429 errors)

Formtorch enforces rate limits to protect both your forms and the infrastructure. If a submission returns 429 Too Many Requests, the client is sending too many requests in a short window.

For real users, this shouldn’t happen in normal usage. If you’re running automated tests or sending load traffic against your form endpoint, add _test=true to your payload so submissions are marked as test submissions and handled separately.

Test submissions counted toward quota

If your test submissions are showing up in your monthly quota count, you’re missing _test=true in the payload. Without it, every submission counts as real.

Add a hidden field while developing:

<input type="hidden" name="_test" value="true" />

Or append it to FormData in JavaScript:

const data = new FormData(form);
data.append("_test", "true");

Remove it before going live. Test submissions show a Test badge in the dashboard and never count toward your quota.

Do not use your production form ID for load testing. Use a separate test form, and always include _test=true in automated submissions.

If you’re seeing 429s for legitimate user traffic, contact support and we’ll review your rate limit configuration.

403 Forbidden

A 403 Forbidden response means the request was rejected before reaching the rate limiter. The most common cause is domain restriction.

If you have an allowed origins list configured on your form, submissions from unlisted domains are rejected with 403. To fix this:

  1. Go to Form SettingsSpam ProtectionAllowed Domains
  2. Add the domain your form is hosted on
  3. During local development, add localhost or use _test=true — test submissions bypass domain restriction

See Domain Restriction for full setup details.

Integrations

Zapier

If your Zap isn’t triggering:

  1. Check that the Zap is on. It’s easy to accidentally leave it paused.
  2. Use Zapier’s Test trigger feature to manually pull in a recent submission and confirm the connection.
  3. If you recently rotated your Formtorch API key, reconnect your account in the Zap’s trigger settings.

See the Zapier integration guide for setup details.

Webflow

Webflow’s native form handler can conflict with third-party endpoints. The right approach is to either:

  • Disable Webflow’s form handler and point the form action directly to https://formtorch.com/f/YOUR-FORM-ID
  • Or use a JavaScript fetch call to submit to Formtorch from the Webflow form’s submit event

See the Webflow integration guide for the complete setup.

Framer

Framer forms have their own submission flow that runs before any custom action. To route submissions to Formtorch, use Framer’s form action URL field in the form settings and point it at your Formtorch endpoint.

See the Framer integration guide for step-by-step instructions.

Still need help?

If you’ve worked through the relevant sections and still can’t get things working, reach out:

  • Search the docs using the search bar above
  • Check the FAQ for common questions
  • Contact us 

When you contact support, including the following helps us get to the root of it faster:

  • Your form ID
  • What you’re seeing (error message, unexpected behavior)
  • Steps to reproduce
  • The URL where your form is hosted
  • Browser and device information
Last updated on
FAQ