Skip to content

Special fields

Reserved fields are namespaced with an underscore. Everything else — name, email, message, anything — is treated as form content.

FieldWhat it doesExample
access_keyRequired. Routes the submission to your form.value="a1b2c3…"
_redirectURL to send the visitor to after a successful submit. Validated against your per-form allowlist.value="https://mysite.com/thanks"
_ccExtra verified recipients for this submission (Pro).value="[email protected]"
_submission_idWith _update_token, targets an existing submission to update it instead of creating a new one.value="sub_…"
_update_tokenAuthorizes an update; returned in the response when the submission was created.value="…"
_notifyOn an update, 1 delivers the finalized submission once (notification + auto-reply + webhooks).value="1"

Spam protection uses a honeypot field — a hidden trap named fax_number by default, configurable per form — see Spam protection.

_subject, _from_name, and _reply_to are also reserved (they’re stripped from your submission data) for upcoming per-request overrides. Today the notification’s subject, sender name, and Reply-To come from your form’s settings, with Reply-To defaulting to the submitter’s email field.

  • Reserved fields work in every request format: hidden inputs in HTML forms, or plain properties in a JSON body.
  • _redirect only fires for regular form posts (a fetch caller gets JSON and handles navigation itself), and only to URLs on the form’s allowlist, so the field can’t be abused to turn your form into an open redirector.
  • _cc addresses must belong to your verified recipients; arbitrary addresses can’t be injected.
  • Multiple values — repeat a field name (checkbox groups, <select multiple>, or several file inputs) and the values are stored as an array: the notification email renders them as a list, and the webhook and read API return a JSON array.
  • Templating — the notification email’s intro text and the auto-reply body support {{fieldName}} tokens, replaced with the submitted value.
<form action="https://api.formwire.io/submit" method="POST">
<input type="hidden" name="access_key" value="YOUR-ACCESS-KEY">
<input type="hidden" name="_redirect" value="https://mysite.com/thanks">
<!-- Honeypot (see Spam protection); default field name is fax_number -->
<input type="text" name="fax_number" tabindex="-1" autocomplete="off"
aria-hidden="true" style="position:absolute;left:-9999px" value="">
<input type="email" name="email" required>
<textarea name="message" required></textarea>
<button type="submit">Send</button>
</form>