Form endpoints

Quick start

Every site you add to LeadToSheet automatically gets a form endpoint URL like https://app.leadtosheet.com/f/abc123def4. Find it under your site's Forms page, then use it as your form's action attribute:

<form action="https://app.leadtosheet.com/f/abc123def4" method="POST">
  <input name="email" type="email" required />
  <button type="submit">Send</button>
</form>

That's it — submissions show up in your dashboard and your connected Google Sheet within seconds.

Request format

The endpoint accepts three content types:

• application/x-www-form-urlencoded — standard browser form submit
• multipart/form-data — required when uploading files
• application/json — for fetch / AJAX clients

For an AJAX submission:

await fetch("https://app.leadtosheet.com/f/abc123def4", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ email: "person@example.com" }),
});

Field values are length-capped at 10,000 characters. Sensitive field names (password, cvc, ssn, etc.) are dropped before the submission is saved, and credit-card-shaped strings are stripped server-side.

Response modes

Each endpoint has a configurable response mode (set under the site's Settings → Endpoint Settings tab):

• Redirect — 302 to your redirectUrl, or back to the page that submitted the form. Best for plain HTML forms.
• Thanks page — 302 to /f/{id}/thanks, our hosted thanks page with your custom message.
• JSON — returns { ok: true, id }. CORS is open (Access-Control-Allow-Origin: *) so this mode works for fetch / AJAX from any origin.

File uploads

Send multipart/form-data to upload files alongside regular fields. Files are streamed to your Google Drive folder and stored as SubmissionFile records. The download URL appears as the field value in your Google Sheet.

<form
  action="https://app.leadtosheet.com/f/abc123def4"
  method="POST"
  enctype="multipart/form-data">
  <input name="email" type="email" required />
  <input name="resume" type="file" />
  <button type="submit">Send</button>
</form>

Per-file size limit is 10MB. Up to 5 files per submission. Files retain their original name and content type.

Spam protection

Endpoints have three layers of spam protection:

1. Honeypot — every endpoint includes a hidden field (default name _gotcha). When it's filled by a bot, the submission is silently dropped.
2. AI classifier — submissions are scored by an LLM-backed classifier; flagged submissions are saved to a separate spam view but don't count toward your quota.
3. Allowed domains — restrict the endpoint to specific origins (see below).

Allowed domains

When set, the endpoint only accepts submissions whose Origin or Referer header matches one of your allowed domains. Subdomains are allowed automatically — if you list example.com, submissions from www.example.com and shop.example.com are accepted, but evil-example.com is not.

Leave the list empty to accept submissions from any origin. (Use the honeypot and AI classifier as your defense in that case.)

Errors

The endpoint returns standard HTTP status codes:

• 404 — endpoint id does not exist or is paused
• 400 — empty submission (no recognised fields)
• 403 — origin not in allowed-domains list, or subscription inactive / trial expired
• 413 — file payload exceeds the per-file or per-submission limit
• 429 — submission quota for the month is exhausted and the grace period has elapsed
• 500 — server error (we'll see it in our logs and follow up)

Troubleshooting

The form posts but nothing shows up.

Check that the endpoint isn't paused (under Settings → Endpoint Settings) and that your submission isn't being classified as spam — spam submissions land in a separate view, not your main leads table.

I'm getting 403 forbidden host.

Either the request is coming from a domain not in your Allowed domains list, or it's missing both an Origin and Referer header. Submit the form from a real browser page, not a CLI tool.

The redirect after submit goes to a 404.

Set a redirectUrl in the endpoint settings, or switch the response mode to Show our thanks page.