Built like the rest of your stack.
Postbox is built on a simple premise: a form is a contract between a submitter and a system. The schema defines the terms. The endpoint is the signature. Everything else — validation, spam filtering, translation, routing — is the enforcement layer. We didn't start with a UI and bolt on an API. We started with the contract and let every client — browser, curl, agent — hold it the same way.
That decision cascades into everything below. Self-documenting endpoints. Schema versioning that never breaks old integrations. A pipeline that runs after submit, not before. Agent access through MCP and skills. Here's how it all fits together.
A form is a contract.
Most form tools give you a UI with a POST
endpoint bolted on the back. Postbox inverts that. You define the
schema
(fields, types, rules) and get back an endpoint URL. The schema is the intent. The URL is the interface. A browser form, a curl script, an autonomous agent. All three hold up the same contract.
This matters because contracts don't care about the client. Your marketing team builds a landing page form. Your mobile app submits to the same endpoint. Your agent creates a new form while you're asleep. Every client gets the same validation, the same spam protection, the same routing. The contract is the source of truth, not the UI.
One URL. Two audiences. Same contract.
Every Postbox endpoint knows what it is. Send a GET
with Accept: application/json
and it tells you its schema. Send a GET
with Accept: text/html
and it renders human-readable documentation. POST
to it and you submit data. No SDK. No docs lookup. The endpoint is the documentation.
This eliminates an entire category of integration friction. Your agent doesn't need to read separate docs to understand what fields a form accepts — it asks the endpoint directly. Your frontend developer doesn't need to sync with the backend team on field changes — the endpoint reflects the current schema in real time. When the contract changes, the documentation changes with it. Automatically. Instantly.
{
"name": "Contact",
"method": "POST",
"fields": [
"email",
"message"
]
}
Schemas evolve. Old URLs never break.
Every schema change produces a new endpoint URL. The old one keeps working forever, validated against the schema it was born with. Your three-year-old contact form keeps collecting submissions even after you've redesigned the fields twice. Integrations never silently break. No migration scripts. No deprecation emails. No 3am pages.
Immutable endpoints mean you can iterate fearlessly. Add a new required field to your signup form without breaking the mobile app that still sends the old payload. Run A/B tests with different schema versions on different landing pages. Sunset an old form gradually instead of coordinating a hard cutover. Each version is a snapshot in time, and every snapshot stays alive as long as something is still pointing at it.
What happens after submit is the actual product.
Most form tools stop at "data received." Postbox is just getting started. Every submission runs through a pipeline. Schema validation. Spam detection. Language detection and translation. Smart replies drafted from your knowledge base. Routing to the destinations you care about. All async. All opinionated. All built once, so you don't have to build any of it.
The pipeline runs in the background, so submitters always get a fast 201 response. Each stage is toggleable per form. Run validation and spam on your public contact form. Add translation for your global waitlist. Enable smart replies for support tickets. Skip everything except routing for internal tooling. You configure the pipeline once, and every submission flows through it automatically.
Submissions are not data. They're a conversation.
Data sitting in a dashboard waits for you to do something with it. Postbox doesn't make you do the reading. Connect our MCP server to your agent and ask the questions you actually care about. What's the feedback looking like? What are people complaining about? Draft a reply to the angry one. The submissions read themselves back.
This flips the model from "collect then analyze" to "ask and receive." Your agent can list submissions, filter by sentiment, summarize themes across hundreds of entries, translate foreign-language feedback, and draft contextual replies using your knowledge base. You don't export to CSV. You don't build dashboards. You just ask.
Spam traps that trap spam, not your agents.
Honeypot fields are old magic. Invisible inputs that bots fill and humans don't. Postbox does them properly. You mark a field as a honeypot in the schema, it gets validated on submission, and it's automatically omitted from the discovery endpoint. Agents asking your form what it accepts never see the honeypot. Bots blindly filling every field still do. The trap catches what it's supposed to.
This is the difference between bot protection that breaks your integrations and bot protection that only targets bots. Honeypots require no JavaScript, no CAPTCHA widgets, no user friction. They just work. And because they're schema-native, you can add them to any form in seconds without touching your frontend code.
Retry-safe by default.
Every submission endpoint accepts an
Idempotency-Key
header. Include one (typically a UUID) and if you retry the same submission, you get the original result instead of a duplicate. Safe networks are rare. Retries happen. Duplicate submissions shouldn't.
The work nobody wants to write twice.
Submissions fan out wherever you need them. Webhooks with HMAC-SHA256 signatures and automatic retries. Discord rich embeds. Slack Block Kit messages. Auto-disabled after three failures, with an email to you. The boilerplate every form tool reinvents, written once, done properly.
Webhooks include the full submission payload plus metadata, signed with a per-destination secret so you can verify authenticity. Retries use exponential backoff with jitter. Discord and Slack destinations format submissions as rich embeds with proper color coding and action buttons. If a destination fails repeatedly, Postbox pauses it and notifies you instead of spamming a broken endpoint. Set it up once, and your data flows to the right place forever.
The details that matter.
Does Postbox host the form UI for me? +
Accept: text/html.
What field types are supported? +
Can I use my own OpenAI or Claude API key? +
How fast are webhook deliveries? +
Built this way on purpose.
None of this is magic. It's just a lot of small decisions made in the same direction. Treating forms like APIs. Treating agents like first-class clients. Treating the work after submit as the actual job. Come see for yourself.