Skip to content
staticq

Connectors

Connectors control where your form submissions are delivered. Each form can have an email connector (sends you a notification email) and a webhook connector (POSTs the submission data to a URL you specify).

Email connector

Every new form comes with an email connector enabled by default. It sends a notification to your account email address each time someone submits the form.

What you get in each email:

  • The form name in the subject line
  • The timestamp of the submission
  • All submitted fields as a readable list
  • A link to view the full submission in the dashboard

To change the notification address, edit the connector’s configuration in the dashboard.

Webhook connector

A webhook connector sends a JSON POST request to a URL you specify every time a submission is received. This lets you integrate with any service that accepts webhooks — Zapier, Make, Slack, your own backend, etc.

Adding a webhook

  1. Open the form in your dashboard.
  2. Scroll to the Connectors section.
  3. Click Add webhook.
  4. Enter your HTTPS endpoint URL.
  5. Save.

A signing secret is generated automatically. You’ll need it to verify that incoming requests are genuinely from staticq (see below).

Payload format

Every webhook delivery is wrapped in an event envelope:

{
  "api_version": "2026-03-30",
  "event": "submission.created",
  "created_at": "2026-03-17T12:00:00.000Z",
  "data": {
    "form_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "form_name": "Contact form",
    "submission_id": "f9e8d7c6-b5a4-3210-fedc-ba0987654321",
    "submitted_at": "2026-03-17T12:00:00.000Z",
    "data": {
      "email": "[email protected]",
      "message": "Hello!"
    }
  }
}
FieldDescription
api_versionSchema version for the payload format (date string, e.g. "2026-03-30")
eventThe event type (currently "submission.created")
created_atISO 8601 timestamp of when the event was generated
dataThe event-specific payload

Request headers

HeaderValue
Content-Typeapplication/json
X-Staticq-Signaturesha256={hex-encoded HMAC}
X-Staticq-Webhook-VersionThe api_version value (e.g. 2026-03-30)
X-Staticq-EventThe event type (e.g. submission.created)
User-Agentstaticq-webhook/1.0

Verifying the signature

Every webhook request includes an X-Staticq-Signature header containing an HMAC-SHA256 signature of the full request body (the entire envelope), using your connector’s secret as the key.

To verify:

  1. Read the raw request body as a UTF-8 string.
  2. Compute HMAC-SHA256 using your secret (base64url-decoded to raw bytes) as the key.
  3. Hex-encode the result.
  4. Compare it to the value after sha256= in the header.

Use a constant-time comparison to prevent timing attacks.

Managing connectors

In the dashboard, open any form to see its Connectors section.

  • Enable / disable — Toggle a connector on or off. Disabled connectors do not fire. The submission is still stored either way.
  • Delete — Remove a connector permanently. You’ll be asked to confirm.

Webhook delivery log

The dashboard shows recent delivery outcomes for each form that has a webhook connector. Open a form and expand the Recent deliveries section below the connector list to see:

  • Status — whether the delivery succeeded or failed.
  • HTTP status code — the response code from your endpoint.
  • Response time — how long the request took in milliseconds.
  • Error details — for failed deliveries, the specific error message.

Delivery records are retained for 30 days on Free and Pro plans, and 90 days on Business.

Good to know

  • Each form can have one email connector and multiple webhook connectors. The total number of connectors per form depends on your plan: Free = 2, Pro = 5, Business = 15.
  • Webhook URLs must use HTTPS.
  • Webhook delivery has a 10-second timeout. If your endpoint is slow, return a 200 quickly and process the data asynchronously.
  • Delivery is best-effort. If a webhook fails or your email bounces, the submission data is still safely stored in the dashboard. Webhooks are not automatically retried.
  • Webhook secrets are shown only once, when you create the connector. After that, the secret is masked. If you lose your secret, delete the connector and create a new one.