Skip to content
staticq

Connectors

Connectors control where your form submissions are delivered. Each form can have an email connector (sends you a notification email) and a webhook connector (POSTs the submission data to a URL you specify).

Email connector

Every new form comes with an email connector enabled by default. It sends a notification to your account email address each time someone submits the form.

What you get in each email:

  • The form name in the subject line
  • The timestamp of the submission
  • All submitted fields as a readable list
  • A link to view the full submission in the dashboard

To change the notification address, edit the connector’s configuration in the dashboard.

Webhook connector

A webhook connector sends a JSON POST request to a URL you specify every time a submission is received. This lets you integrate with any service that accepts webhooks — Zapier, Make, Slack, your own backend, etc.

Adding a webhook

  1. Open the form in your dashboard.
  2. Scroll to the Connectors section.
  3. Click Add webhook.
  4. Enter your HTTPS endpoint URL.
  5. Save.

A signing secret is generated automatically. You’ll need it to verify that incoming requests are genuinely from staticq (see below).

Payload format

{
  "form_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "form_name": "Contact form",
  "submission_id": "f9e8d7c6-b5a4-3210-fedc-ba0987654321",
  "submitted_at": "2026-03-17T12:00:00.000Z",
  "data": {
    "email": "[email protected]",
    "message": "Hello!"
  }
}

Request headers

HeaderValue
Content-Typeapplication/json
X-Staticq-Signaturesha256={hex-encoded HMAC}
User-Agentstaticq-webhook/1.0

Verifying the signature

Every webhook request includes an X-Staticq-Signature header containing an HMAC-SHA256 signature of the request body, using your connector’s secret as the key.

To verify:

  1. Read the raw request body as a UTF-8 string.
  2. Compute HMAC-SHA256 using your secret (base64url-decoded to raw bytes) as the key.
  3. Hex-encode the result.
  4. Compare it to the value after sha256= in the header.

Use a constant-time comparison to prevent timing attacks.

Managing connectors

In the dashboard, open any form to see its Connectors section.

  • Enable / disable — Toggle a connector on or off. Disabled connectors do not fire. The submission is still stored either way.
  • Delete — Remove a connector permanently. You’ll be asked to confirm.

Good to know

  • Each form can have one email connector and one webhook connector.
  • Webhook URLs must use HTTPS.
  • Webhook delivery has a 10-second timeout. If your endpoint is slow, return a 200 quickly and process the data asynchronously.
  • Delivery is best-effort. If a webhook fails or your email bounces, the submission data is still safely stored in the dashboard. There are no automatic retries for webhooks at this time.
  • Webhook secrets are shown only at creation time. If you lose your secret, delete the connector and create a new one.