Form Capture
Invoker automatically captures form submissions from deployed pages. You do not need to build a backend, set up a database, or write any server-side code. This page explains how form capture works.
The placeholder
When you include a form in your deployed HTML, use {{SUBMIT_URL}} as the form's action attribute:
<form action="{{SUBMIT_URL}}" method="POST">
  <input type="text" name="name" placeholder="Your name" required>
  <input type="email" name="email" placeholder="Email" required>
  <textarea name="message" placeholder="Message"></textarea>
  <button type="submit">Send</button>
</form>
At deploy time, Invoker replaces {{SUBMIT_URL}} with the real submission endpoint:
https://api.invoker.page/submit/{deployId}
This happens server-side before the HTML is stored in KV, so the deployed page always contains the correct URL.
Supported content types
The submission endpoint accepts three content types:
| Content Type | Description |
|---|---|
| application/json | JSON body with key-value pairs |
| application/x-www-form-urlencoded | Standard HTML form encoding (default for most forms) |
| multipart/form-data | Used for file uploads and complex form data |
Standard HTML forms use application/x-www-form-urlencoded by default, so no extra configuration is needed. If you are submitting via JavaScript, you can send JSON:
fetch("{{SUBMIT_URL}}", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    name: "Jane Doe",
    email: "jane@example.com"
  })
});
Honeypot bot protection
Invoker supports a honeypot field for basic bot protection. Include a hidden field named _hp in your form:
<input type="text" name="_hp" style="display:none" tabindex="-1" autocomplete="off">
How it works:
- Real users never see or fill this field
- Bots that auto-fill all fields will populate it
- If _hp is non-empty, the submission is silently rejected (returns 200 but is not stored)
The built-in templates already include this field.
Rate limiting
Submissions are rate limited to 10 per minute per deployment. This protects against abuse and accidental submission floods. Exceeding the limit returns a 429 Too Many Requests response.
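The honeypot and rate-limit rules above, modelled as a small in-memory handler. This is an added example, not Invoker's code: the function names, the sliding-window counting, the 400 response for unparseable bodies, and counting honeypot hits toward the limit are all assumptions.

```javascript
// Added illustration, not Invoker's code. In-memory model of the documented behaviour.
const RATE_LIMIT = 10;     // submissions per minute per deployment (from the docs)
const WINDOW_MS = 60000;   // one minute; a sliding window is an assumption

// Parse the two text content types; multipart/form-data is left out of this sketch.
function parseBody(contentType, rawBody) {
  const type = (contentType || "").split(";")[0].trim().toLowerCase();
  let fields;
  if (type === "application/json") fields = JSON.parse(rawBody);
  else if (type === "application/x-www-form-urlencoded")
    fields = Object.fromEntries(new URLSearchParams(rawBody));
  else throw new Error("unsupported content type: " + type);
  if (fields === null || typeof fields !== "object" || Array.isArray(fields))
    throw new Error("body must be key-value pairs");
  return fields;
}

function createSubmitHandler() {
  const stored = [];          // stands in for the submissions table
  const recent = new Map();   // deployId -> request timestamps inside the window

  // The "stored" flag in the result exists for this example only; per the docs,
  // a honeypot rejection looks like a normal 200 to the client.
  function handle(deployId, contentType, rawBody, now = Date.now()) {
    // Assumption: every request counts toward the limit, including honeypot hits.
    const hits = (recent.get(deployId) || []).filter((t) => now - t < WINDOW_MS);
    recent.set(deployId, hits);
    if (hits.length >= RATE_LIMIT) return { status: 429, stored: false };
    hits.push(now);

    let fields;
    try {
      fields = parseBody(contentType, rawBody);
    } catch (err) {
      return { status: 400, stored: false }; // assumption: not documented on this page
    }

    // Honeypot: a non-empty _hp gets the same 200 as a real submission but is dropped.
    if (fields._hp !== undefined && fields._hp !== "") return { status: 200, stored: false };

    const { _hp, ...data } = fields; // do not persist the honeypot field itself
    stored.push({ deployId, data, receivedAt: now });
    return { status: 200, stored: true };
  }
  return { handle, stored };
}
```

Because a honeypot rejection and a stored submission both return 200, client-side success handling cannot tell them apart; check the stored submissions when testing a new form.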
CORS
The submission endpoint has CORS enabled for all origins. This means forms hosted anywhere -- not just on invoker.page -- can submit to Invoker. This is useful if you embed an Invoker-powered form on an external site.
Retrieving submissions
Submissions are stored in Supabase Postgres and can be retrieved two ways:
Through Claude
Ask Claude to fetch submissions:
"Show me the latest submissions for my waitlist"
Claude calls the get_submissions MCP tool and displays the data.
Through the API
curl "https://api.invoker.page/submissions/d_abc123?page=1&limit=10" \
  -H "Authorization: Bearer inv_your_api_key"
See Submission Endpoints for full details.
Notifications
You can be notified of new submissions in two ways:
- Email notifications -- enable per-deployment via the API or the toggle_notifications MCP tool
- Webhooks -- configure generic JSON or Slack-formatted webhooks per deployment
See the Webhook Endpoints for setup details.