A working developer's reference for the vocabulary around HTML forms, form backends, spam defense (honeypot, Turnstile, hCaptcha, reCAPTCHA), transactional email (SMTP, SPF, DKIM, DMARC), webhooks and HMAC signatures, GDPR and DPA compliance, and JAMstack delivery. Each entry is a self-contained definition you can cite or link to directly — written for builders shipping real sites, not for a marketing brochure. If you're wiring up a contact form on a static site or a Next.js app, this is the glossary we wish we'd had on day one.
An access key is a public token that identifies which form backend account a submission belongs to. Unlike a secret API key, it is safe to embed in client-side HTML because it can be locked to specific domains and rate-limited per origin. With splitforms you paste an access key into a hidden input and submissions route to your inbox without any server code.
Akismet is a hosted spam filtering service originally built for WordPress comments and now widely used for form submissions. It scores incoming text against a global database of known spam patterns and returns a verdict the backend can act on. Many form backends, including splitforms, layer Akismet checks on top of honeypot and Turnstile signals to catch spam that slips past the first line of defense.
application/x-www-form-urlencoded is the default MIME type a browser uses to encode an HTML form submission, serializing fields askey=value pairs joined by ampersands. It is compact and works everywhere, but it cannot carry binary data such as file uploads. Form backends like splitforms accept urlencoded submissions out of the box, which is why a plain HTML form with no JavaScript will just work.
An autoresponder is an automatic email reply sent to the person who submitted a form, typically used to confirm receipt or deliver a lead magnet. It uses the email field from the submission as the recipient and a templated body from your form backend. splitforms lets you toggle an autoresponder per form so visitors get instant confirmation without you wiring up a transactional email service.
Cloudflare Turnstile is a privacy-friendly CAPTCHA alternative that runs invisible challenges in the background and returns a token your backend can verify. It avoids the click-the-traffic-lights interruption of reCAPTCHA while still proving the visitor is likely human. splitforms supports Turnstile as a drop-in option for forms that need stronger bot protection than a honeypot alone — see spam protection.
CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls whether a script on one origin may call an API on another origin. The server must respond with the right Access-Control-Allow-Origin header or the browser blocks the response. Form backends like splitforms send permissive CORS headers on the submit endpoint so any static site can POST to it without proxying through your own server.
CSRF(Cross-Site Request Forgery) is an attack in which a malicious site tricks a logged-in user's browser into submitting a request to another site they're authenticated with. The classic mitigation is a per-session token rendered into the form and verified on submit. Public form endpoints like splitforms aren't authenticated sessions, so they defend against the related risk of unwanted POSTs using domain locking and rate limits instead.
DKIM(DomainKeys Identified Mail) is an email authentication method that signs each outgoing message with a private key and publishes the matching public key in DNS. Receiving servers verify the signature to confirm the message wasn't tampered with in transit. Form backends that send autoresponders or notifications, splitforms included, use DKIM-signed sender domains so emails land in the inbox rather than the spam folder.
DMARC(Domain-based Message Authentication, Reporting and Conformance) is a DNS policy that tells receiving mail servers what to do with messages that fail SPF or DKIM checks for your domain. It also delivers aggregate reports so you can spot spoofing attempts. If you forward form submissions to a custom domain, configure DMARC on that domain so splitforms notifications and your real mail aren't impersonated.
Double opt-in is a subscription confirmation flow in which a user submits their email and then has to click a link in a verification message before being added to a list. It proves the email belongs to the person submitting and shields you from typos and bots. For mailing-list signups behind splitforms, you can wire double opt-in by piping submissions to your ESP via a webhook.
A DPA (Data Processing Agreement) is a contract between a data controller and a data processor that spells out how personal data is handled, secured, and deleted under GDPR. If you collect form submissions from EU residents, your form backend is a processor and you need a DPA in place. splitforms publishes a standard DPA you can countersign so your compliance paperwork is straightforward.
EU data residencymeans the personal data you collect from EU residents is stored on servers physically located in the European Union. It's a common GDPR requirement for enterprise customers and a useful trust signal for any privacy-conscious user base. splitforms is rolling out EU data residency as a per-workspace toggle so European customers can keep submissions inside EU borders end-to-end. See also: GDPR, DPA.
Exponential backoffis a retry strategy in which the delay between attempts doubles after each failure, often with random jitter added to avoid thundering-herd retries. It's the standard way to recover from transient network errors without overwhelming a downstream service. When a webhook receiver returns a 5xx, splitforms retries with exponential backoff so a brief outage doesn't lose a submission.
A form backend is a hosted HTTP endpoint that accepts HTML form submissions, processes them (spam filtering, validation, storage), and forwards the data to email, a database, or webhooks. It removes the need to run your own server just to receive contact-form messages. splitforms is a form backend purpose-built for static sites and JAMstack apps — point your form's actionattribute at the splitforms URL and you're done.
A form endpoint is the specific URL a form's action attribute POSTs to when submitted, exposed by a form backend service. The URL typically encodes an account or form identifier so the service knows where to route the submission. With splitforms, your form endpoint looks like https://api.splitforms.com/submit and an access_key field tells it which form is yours.
GDPR (General Data Protection Regulation) is the EU privacy law that governs how organizations collect, store, and process personal data of people in the EU. It requires a lawful basis for processing, explicit consent for marketing, and rights of access, correction, and deletion. Any form that collects names or emails from EU visitors is in scope, so splitforms ships with EU data residency and a signable DPA.
hCaptcha is a CAPTCHA service positioned as a privacy-respecting drop-in replacement for Google reCAPTCHA, used to verify that a form submission came from a human. It issues a token after the user solves a challenge, which the backend then verifies against the hCaptcha API. Form backends including splitforms support hCaptcha as one of several challenge providers you can wire to a form.
An HMAC signature(Hash-based Message Authentication Code) is a cryptographic checksum computed over a request body using a shared secret. The sender includes the signature in a request header; the receiver recomputes it and rejects mismatches, proving the request really came from the expected sender and wasn't tampered with in transit. splitforms signs every webhook with an HMAC-SHA256 signature so your endpoint can reject spoofed POSTs from random URLs that guessed your webhook address. See also: webhook.
A honeypotis a hidden form field that real users never see or fill in but naive spam bots blindly populate, giving the backend a clean signal to drop the submission. It's hidden with CSS rather than the hidden attribute so bots that parse the DOM still encounter it. splitforms enables a honeypot field by default, so most low-effort spam never reaches your inbox.
An idempotency keyis a unique client-supplied identifier sent with a request so a server can recognize and safely ignore duplicate submissions of the same operation. It's the standard way to make POST requests retry-safe over an unreliable network. When splitforms calls your webhook, it includes an idempotency key in the headers so your handler can deduplicate retries triggered by exponential backoff.
JAMstack is an architecture for fast, scalable websites built on JavaScript, APIs, and prerendered Markup served from a CDN. Dynamic behavior — auth, payments, form submissions — is delegated to third-party APIs instead of a monolithic server. splitforms is a JAMstack-native form backend: your static HTML POSTs directly to a hosted endpoint, so you keep the static-site speed and skip the server.
JSON Schema validationis a declarative way to describe the shape of an object — required fields, allowed types, regex patterns, min/max bounds — and reject anything that doesn't match. It's the lingua franca for API request validation across languages. Form backends like splitforms validate incoming submissions against a per-form JSON Schema you define so malformed or oversized payloads fail fast at the edge, before they ever hit your inbox.
A lead magnetis a free resource — a PDF, a discount code, an email course — offered in exchange for a visitor's email address. It's the dominant pattern for converting anonymous traffic into a marketable list. With splitforms, you can deliver the lead magnet via the autoresponder field by attaching a download link as soon as the form submission lands.
Magic link authis a passwordless login flow in which the user types their email and receives a one-time signed URL that logs them in when clicked. It removes password storage, password reset flows, and the worst credential-stuffing surface area. The splitforms dashboard uses magic link auth so you don't have to invent or remember a password just to read your form submissions.
multipart/form-datais the MIME type a browser uses when a form contains a file input, encoding each field as a separate MIME part with its own headers. It's the only standard form encoding that can carry binary uploads. splitforms accepts multipart/form-data submissions so you can wire up resume uploads, photo submissions, and document drop-offs without writing upload code.
A prefilled form is one whose fields are populated from URL query parameters before the user starts typing — useful for personalized email links (Hi {name}, confirm your address) or carrying context across pages (?plan=pro). The HTML pattern is to read query params at render and set them as the valueattribute on each input. splitforms doesn't dictate how you prefill; it just receives whatever the form posts, including hidden fields you populated from the URL.
Rate limiting is a server-side control that caps how many requests a single client (or key, or IP) can make in a given time window, returning a 429 Too Many Requestsonce the cap is hit. It protects backends from abuse, spam floods, and runaway scripts. splitforms applies per-key and per-IP rate limits to every form endpoint so a hostile actor can't drain your monthly submission quota in a single afternoon.
reCAPTCHAis Google's CAPTCHA service that scores requests as human or bot, either through visible challenges (v2) or invisible behavior analysis (v3). It's the most widely deployed bot defense on the web but raises privacy concerns because it relies on Google tracking signals. splitforms supports reCAPTCHA verification when you need a familiar option, alongside Turnstile and hCaptcha.
A redirect URLis the page a user is sent to after a successful form submission, typically a thank-you page that confirms receipt and offers a next step. It's controlled either by a hidden redirect field in the form or by a per-form setting in the dashboard. splitforms honors a custom redirect URL so your visitors land on a branded thank-you page instead of a generic JSON response.
Row-level security(RLS) is a Postgres feature that attaches policies to a table so each query is automatically filtered to rows the current user is allowed to see. Even a buggy or compromised query can't leak another tenant's data because the database enforces the rule, not the application. splitforms stores submissions in Postgres with RLS so only the form owner can ever read their submissions — multi-tenancy is enforced at the row, not in app code. See also: GDPR.
SMTP (Simple Mail Transfer Protocol) is the standard protocol mail servers use to relay messages between hosts on the internet. It defines how a sending server hands off a message to a receiving server and how delivery failures are reported. splitforms uses authenticated SMTP via reputable relays to deliver form notifications, which keeps inbox placement high without you running a mail server.
An SPA (Single Page Application) is a web app that loads a single HTML document and updates the view client-side via JavaScript instead of triggering a full-page reload on every interaction. Frameworks like React, Vue, and Svelte default to this pattern. SPAs typically submit forms with fetch() rather than a native form POST, and splitforms handles both — return JSON for the SPA, or 302 redirect for plain HTML.
SPF(Sender Policy Framework) is a DNS record that lists which mail servers are authorized to send email for your domain. Receiving servers reject or down-score messages from servers not in the SPF list, reducing spoofing. If you ask splitforms to send notifications from your own domain, you'll add the splitforms relay to your SPF record so messages pass authentication.
A static site generator (SSG) is a tool that compiles content and templates into plain HTML, CSS, and JavaScript files at build time, ready to be served from a CDN with no runtime server. Popular SSGs include Next.js (in static export mode), Astro, Hugo, Eleventy, and Gatsby. Because the output is static, dynamic features like contact forms get delegated to a form backend such as splitforms.
Transactional email is a one-to-one message triggered by a user action — a form-submission notification, a password reset, a magic link — as opposed to a one-to-many marketing blast. It carries different deliverability expectations and is typically sent through a dedicated relay (Postmark, Resend, SES) with strict SPF, DKIM, and DMARC alignment. splitforms uses authenticated transactional email for every notification and autoresponder so messages land in the inbox, not the promotions tab. See also: SMTP, DKIM.
A UTM parameter is a query-string tag (utm_source, utm_medium, utm_campaign,utm_term, utm_content) appended to a URL so analytics tools can attribute traffic and conversions back to a specific campaign. Capturing UTMs at form submission lets you tie leads to the channel that drove them. splitforms automatically captures UTM parameters from the page URL and stores them with each submission, so you can see which campaign a lead came from inside the dashboard or webhook payload.
A webhookis an HTTP callback: when an event happens in one system, it POSTs a JSON payload to a URL you supply, so your code reacts in near real time. It's the standard way to fan out events without polling. splitforms fires a signed webhook for every form submission, with retries and an idempotency key, so you can pipe leads straight into a CRM, Slack, or your own database. See also: HMAC signature, idempotency key.
