How to Choose a Form Backend API
Short answer: Check these 7 things: server-side validation, authentication modes, file upload limits, SDK quality, webhook availability, dashboard features, hosting independence. Most form backends look similar on the surface but differ significantly in these areas.
Every form backend accepts POST requests and stores submissions. That’s the baseline. The differences that actually matter show up when you’re debugging a production form at 11 PM or when a client asks why their 15 MB resume upload failed.
Here’s what to evaluate, in order of importance.
1. Does it validate data server-side?
Client-side validation is a UI convenience. Users can bypass it by opening DevTools, disabling JavaScript, or submitting via curl. The form backend is your last line of defense.
What to check:
- Does it validate email format?
- Does it validate phone number format (E.164)?
- Does it check URL structure?
- Does it enforce date formats?
- Does it reject files that exceed size limits or aren’t in allowed MIME types?
- Does it reject submissions with missing required fields?
Most form backends don’t validate anything. They accept whatever you send and store it as flat key-value pairs. You end up with entries like email: "not-an-email" and phone: "call me" in your dashboard.
A form backend with typed fields catches this before storage. Forminit uses typed form blocks — each field has a declared type (email, phone, URL, date, rating, country, file) with server-side validation rules. Invalid data returns an error response instead of being stored.
Why it matters: Bad data breaks automations. If you’re forwarding submissions to a CRM via webhook and the email field contains garbage, your CRM import fails. Validation at the backend level prevents this.
2. How does authentication work?
There are two scenarios:
Client-side forms (static sites, SPAs): The form submits directly from the browser. The endpoint URL is visible in the page source. Anyone who finds it can submit to it.
Server-side forms (Next.js, Nuxt, Express): Your backend proxies the submission. The form endpoint and API key stay on your server, hidden from the client.
What to check:
- Can you submit without an API key for static sites?
- Can you submit with an API key for server-side proxies?
- Are the rate limits reasonable for both modes?
- Does the SDK support a proxy URL pattern?
Most form backends only offer public endpoints. Forminit offers both: public mode (no API key, 1 request per 5 seconds) and protected mode (API key via X-API-KEY header, 5 requests per second). The SDK has a proxyUrl option that routes submissions through your own server.
Why it matters: Public-only endpoints are a spam vector. Anyone who discovers your form URL — from page source, network tab, or automated scanning — can submit to it programmatically. Protected mode with an API key means only your authorized server can submit.
3. What are the file upload limits?
File uploads are where most form backends show their limits. A contact form with a “attach your resume” field seems simple until the upload fails because the backend caps at 5 MB.
What to check:
| Ask this | |
|---|---|
| Size limit | What’s the max per submission? Per file? |
| File types | Which MIME types are allowed? Can you restrict them? |
| Storage | Where are files stored? Can you download them via URL? |
| Multiple files | Can one form have multiple file inputs? |
| Content type | Does it require multipart/form-data? Does the SDK handle this? |
Common limits across form backends:
| Service | Max upload size | Supported types |
|---|---|---|
| Forminit | 25 MB per submission | 50+ MIME types (docs, images, video, audio, archives) |
| Formspree | 10 MB | Limited |
| Netlify Forms | 10 MB | Limited |
| Basin | 10 MB | Limited |
| FormSubmit | ~5 MB | Very limited |
Why it matters: If your form accepts resumes, portfolios, or document uploads, 5-10 MB isn’t enough. A single high-res image can exceed 10 MB. A PDF portfolio easily hits 15-20 MB.
4. How good is the SDK?
A form backend without an SDK means you’re writing raw fetch calls, handling FormData serialization, parsing error responses, and managing file uploads yourself. An SDK abstracts this.
What to check:
- Does it provide a JavaScript SDK (npm and/or CDN)?
- How large is the SDK? (Anything over 10 KB for a form library is bloated.)
- Does it handle FormData and JSON submission modes?
- Does it return structured error objects or just strings?
- Does it support framework-specific patterns (Next.js API routes, Nuxt server routes)?
- Does it auto-capture UTM parameters and referrer data?
Forminit’s SDK is 2 KB, available via npm install forminit or CDN. It includes built-in proxy handlers for Next.js (createForminitProxy) and Nuxt.js (createForminitNuxtHandler) that wrap your API key server-side. UTM parameters and ad click IDs are captured automatically.
Why it matters: The SDK determines your developer experience. A good SDK means fewer lines of code, better error handling, and features (like UTM tracking) that work without extra effort.
5. Are webhooks available on your plan?
Webhooks forward submission data to your own server or third-party services in real time. They’re the bridge between your form backend and everything else: CRMs, databases, Slack, custom backend logic.
What to check:
- Are webhooks available on the free/starter plan or only on paid plans?
- Can you configure multiple webhook URLs per form?
- What does the webhook payload look like? Is it well-structured?
- Does it include a signature header for verification (HMAC)?
- What’s the retry policy on failed deliveries?
Several form backends gate webhooks behind paid plans. This forces you to upgrade before you can integrate with anything.
Forminit includes webhooks on all plans, with X-Forminit-Signature HMAC verification.
Why it matters: If you need to forward submissions to a CRM, database, Slack channel, or custom API, webhooks are non-negotiable. Paying extra for basic data forwarding is a frustrating experience.
6. What does the dashboard look like?
You’ll spend time in the dashboard reviewing submissions, searching for specific entries, and exporting data. A bare table with pagination is functional but painful at scale.
What to check:
- Can you search submissions?
- Can you filter by date, status, or custom criteria?
- Can you star or mark submissions as important?
- Can you track submission status (new, in progress, done)?
- Can you add internal notes to submissions?
- Can you export to CSV?
- Does it show file attachments with download links?
Forminit provides an inbox-style UI with starring, status tracking (open/in-progress/done/cancelled), internal notes, and filtering. Most competitors offer a basic table view.
Why it matters: If you’re using the form backend for lead generation or support requests, you need more than a spreadsheet. Status tracking and notes turn the dashboard from a data dump into a lightweight CRM.
7. Does it work with any hosting provider?
Some form solutions are tied to specific hosting platforms. Netlify Forms only works on Netlify. If you move to Vercel or Cloudflare Pages, you need a new form solution.
What to check:
- Does it work via HTTP POST from any origin?
- Are there CORS restrictions?
- Can you restrict submissions to specific domains (authorized domains)?
- Does the SDK work in any JavaScript environment?
Every form backend except Netlify Forms works with any host. But check for authorized domain features — being able to restrict which domains can submit to your form is a security feature, not a limitation.
Why it matters: Your form backend should be independent of your hosting choice. Coupling them creates a migration risk.
Decision checklist
Use this before committing:
- Does it validate my field types server-side?
- Can I use API key authentication for server-side submissions?
- Are file uploads large enough for my use case?
- Does the SDK support my framework?
- Are webhooks included on the plan I need?
- Is the dashboard usable for my workflow?
- Does it work independently of my hosting provider?
If a form backend checks all 7 boxes, it’s the right choice. If it misses on validation or authentication, you’ll feel it in production.