Documentation
Everything you can do with a VASTROX Forms endpoint. The whole integration is one URL in your form's action.
Quick start
Create a form to get your endpoint, then point any HTML form at it with method="POST":
<form action="https://forms.vastrox.com/YOUR-ID" method="POST">
<input type="email" name="email" required>
<textarea name="message"></textarea>
<button type="submit">Send</button>
</form>Field names
Every input with a name is captured and shown in your email and dashboard. Use clear names like email, name, phone, or message. If a field named email is present it becomes the reply-to on your notification.
Control fields
Special fields (all prefixed to avoid clashing with your data) change behavior:
| Field | What it does |
|---|---|
| _redirect | URL to send the visitor to after a successful submit. |
| _subject | Overrides the subject line of the notification email. |
| _gotcha / _honeypot | Hidden honeypot. Leave empty; bots fill it and get dropped. |
| _ts | Timestamp for the timing trap (set automatically by our JS snippet). |
AJAX / JSON submissions
Send the Accept: application/json header (or POST a JSON body) to get a JSON response instead of a redirect, so you can handle success in place:
const res = await fetch("https://forms.vastrox.com/YOUR-ID", {
method: "POST",
headers: { "Accept": "application/json" },
body: new FormData(form),
});
const data = await res.json(); // { ok: true }File uploads
Enable uploads in the form settings, then add enctype="multipart/form-data" and a file input:
<form action="https://forms.vastrox.com/YOUR-ID" method="POST" enctype="multipart/form-data">
<input type="file" name="attachment">
<button type="submit">Send</button>
</form>Files are validated by extension and content type. Executable and script types are rejected. Attachments are delivered with the notification email and downloadable from your inbox.
Spam protection
Every form has layered spam filtering on by default. Add a honeypot for extra protection, hidden from humans:
<input type="text" name="_gotcha" style="display:none" tabindex="-1" autocomplete="off">For stronger protection, enable Cloudflare Turnstile in your form settings. It adds a friction-light challenge without CAPTCHA puzzles.
Webhooks
Add a webhook URL in settings and each submission is POSTed as a flat JSON object of your field names, plus _form and _submitted_at. Webhook targets are validated to block internal addresses.
POST https://your-api.example.com/leads
Content-Type: application/json
{
"email": "ada@example.com",
"message": "Hello",
"_form": "YOUR-ID",
"_submitted_at": "2026-07-07T14:03:11Z"
}Redirects & success pages
Add a hidden _redirect field, or set a redirect URL / custom success message in your form settings. Without one, visitors see a clean hosted confirmation page.