Give any HTML <form> a backend. Grab an access key, point your form at /submit, and submissions land in your inbox: spam-filtered, stored, exportable.
<!-- the whole integration. no javascript required. -->
<form action="https://submitbox.dev/submit" method="POST">
  <input type="hidden" name="access_key" value="YOUR_KEY">
  <input type="email" name="email">
  <textarea name="message"></textarea>
  <button>send</button>
</form>
Submitbox handles the backend so you can ship a static site and still take messages, leads, and uploads.
Every submission delivered to your inbox, formatted, with reply-to set to the sender automatically.
Honeypot field, per-IP & per-key rate limiting, and optional Turnstile / hCaptcha / reCAPTCHA.
Attachments up to 25 MB, uploaded straight to encrypted storage and surfaced as expiring download links.
Send an automatic confirmation back to whoever filled out your form. Configurable per form.
Forward every submission as JSON with an HMAC-SHA256 signature. Wire Submitbox into anything.
Redirect to a thank-you page, or POST with fetch() and get clean JSON back. Per request.
Browse, search, and export everything as CSV. Nothing is lost, even if an email bounces.
Lock an access key to your own domains so nobody can borrow your key to spam you.
Plain HTML, React, Vue, Astro, Hugo, Jekyll, Webflow — if it can POST a form, it works.
A remote Model Context Protocol server lets Claude & other AI agents manage forms and read submissions. Plus llms.txt + OpenAPI.
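The signed webhook forwarding listed above, sketched from the receiving side as an added example (not Submitbox's code). The page does not document how the signature is transported or encoded, so the hex encoding, the function names and the constructed secret and body are assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumption: the signature is a hex HMAC-SHA256 digest of the raw request
# body, keyed with a shared webhook secret. Confirm the real format in the
# provider's webhook documentation before relying on this.


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes sent on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes,
                   received_sig: Optional[str]) -> Optional[dict]:
    """Return the parsed submission if the signature is valid, else None."""
    if not received_sig:
        return None  # unsigned requests are rejected before any parsing
    expected = sign(secret, raw_body)
    try:
        # Constant-time comparison: response timing must not reveal how many
        # leading characters of a guessed signature were correct.
        valid = hmac.compare_digest(expected, received_sig.strip().lower())
    except TypeError:
        return None  # non-ASCII signature strings cannot be compared
    if not valid:
        return None
    try:
        # Parse only after authentication, and parse the verified bytes,
        # never a re-serialized copy produced by a framework.
        payload = json.loads(raw_body)
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None


# Constructed sample data, not a real key or a real submission.
SECRET = b"constructed-demo-secret"
BODY = b'{"email":"ada@example.com","message":"hello"}'
GOOD_SIG = sign(SECRET, BODY)

if __name__ == "__main__":
    print("valid:", verify_webhook(SECRET, BODY, GOOD_SIG))
    print("tampered:", verify_webhook(SECRET, BODY + b" ", GOOD_SIG))
```

Pass the handler the request body exactly as received; a body that has been parsed and re-serialized will not match the signature.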
From zero to a working form faster than it takes to configure SMTP.
Sign up free and generate a key. Each key is its own inbox with its own settings.
Point your form's action at /submit and drop in a hidden access_key field.
Messages arrive by email and appear in your dashboard, spam-filtered and ready to export.
Submitbox isn't just for humans. Agents can discover it, sign in, and run it — no glue code.
A Model Context Protocol server (Streamable HTTP, JSON-RPC) at /mcp. Claude & other agents get tools to list forms, read submissions, and create access keys.
Full OAuth 2.1 with dynamic client registration & PKCE. Paste the URL into an agent — it registers itself and you approve in the browser. No token to copy.
Published llms.txt, an OpenAPI 3.1 spec, and .well-known metadata. Agents & answer engines can find and understand the API on their own.
// add Submitbox as a custom connector — it does the rest
{
  "mcpServers": {
    "submitbox": {
      "type": "http",
      "url": "https://submitbox.dev/mcp"
    }
  }
}
Start free. Upgrade only when you outgrow it. No per-seat nonsense.
For side projects and personal sites.
For freelancers and growing sites.
For companies with real volume.
No. That's the whole point — Submitbox is the backend. Your site can be 100% static: Netlify, Vercel, GitHub Pages, S3, anywhere.
Every form ships with a hidden honeypot field and per-IP rate limiting. You can additionally require Cloudflare Turnstile, hCaptcha, or reCAPTCHA — verified server-side before a submission is accepted.
Yes. Submit with fetch() and an Accept: application/json header (or send JSON) and you get a structured response. Otherwise we redirect to your thank-you page.
Submissions are stored in an encrypted database and uploaded files in encrypted object storage, hosted on AWS in the United States. Everything is encrypted in transit and at rest, and you can export it all as CSV at any time. See our Privacy Policy for details.
Yes. All traffic runs over TLS, data is encrypted at rest, access keys can be locked to your own domains, and we never sell or share your submissions. We act as a processor for the submissions your forms collect — you stay in control. See our Privacy Policy and Terms.
Yes — upgrade, downgrade, or cancel from your dashboard whenever you like. Paid plans are billed monthly with no long-term contract, and your data stays exportable.
Free to start. No credit card. Your first submission can be live in the next five minutes.