Frequently Asked Questions
Everything you need to know about OnBackend.
What is OnBackend?
OnBackend is a form backend-as-a-service. You point your static HTML forms at our endpoint, and we capture submissions, store them, and email you instantly. No server, database, or backend code required on your end.
How do I get started?
Sign up for a free account, create a form from your dashboard, and you'll get an API key. Add a hidden input with your API key to any HTML form, set the form action to our /api/submit endpoint, and you're live.
Do I need to write any backend code?
No. OnBackend works with plain HTML forms. Just add a hidden _apikey field and set your form's action attribute to our endpoint. No JavaScript, no server-side code, no framework required.
Is OnBackend free?
Yes, completely free. You get 5 forms, 500 submissions per form per month, email notifications, CSV export, and 90-day data retention. No credit card required.
How does authentication work?
We use passwordless magic links. Enter your email, click the link we send you, and you're signed in. No passwords to create, remember, or leak.
How are my API keys stored?
API keys are shown to you once at creation and stored as SHA-256 hashes in our database. We cannot recover a lost key — but you can regenerate a new one at any time from the dashboard.
What happens when someone submits my form?
The submission data is validated, checked against rate limits and spam protection, stored in your dashboard, and an email notification is sent to your configured address. The visitor is then redirected to your thank-you page (or our default one).
How does spam protection work?
OnBackend uses a honeypot field — a hidden input that humans never see but bots fill in. If the honeypot has a value, the submission is silently accepted (returning 200 OK so bots don't adapt) but never stored or emailed. Rate limiting adds another layer of protection.
Can I use OnBackend with any website?
Yes. Our submission endpoint accepts POST requests from any origin (CORS is fully open). It works with static HTML sites, WordPress, Webflow, Squarespace, or any platform that lets you create HTML forms.
Can I redirect visitors to my own thank-you page?
Yes. Set a default redirect URL when creating your form, or override it per submission using the _redirect hidden field. If neither is set, visitors see our default thank-you page.
Can I export my submission data?
Yes. Every form has a one-click CSV export. All field keys across all submissions are included as columns so nothing is missed.
How long is my data stored?
Submissions are retained for 90 days. You can delete individual submissions or entire forms at any time from your dashboard. Export your data regularly if you need to keep it longer.
What are the rate limits?
Form submissions are limited to 10 per minute per IP per form, 1,000 per hour per form, and 5,000 per day per account. Auth endpoints have separate limits. All rate-limited responses include Retry-After headers.
Can I change the notification email per form?
Yes. Each form has its own notification email setting, which defaults to your account email but can be changed to any address you control.
What if I lose my API key?
Since we store keys as hashes, we can't recover them. Go to your form's settings in the dashboard and click "Regenerate API Key". The old key stops working immediately — update your HTML form with the new one.