HMAC signatures
Outbound webhooks are signed with HMAC-SHA256. Verify the signature on the receiver.
Feature
Webhooks & REST API
Pipe form data to any external service. Manage submissions programmatically via the WordPress REST API.
Part of Core Forms — every premium WordPress form feature in one plugin, one license, unlimited sites.
Two complementary integration surfaces. The Webhooks action POSTs the submission to any URL with a JSON or form-encoded payload and HMAC-signed headers for verification. The REST API exposes every form, submission and setting under `/wp-json/cf/v1/` for external dashboards, exports, and mobile apps.
What you get
How it works in Core Forms
JSON or form-encoded
Pick the payload shape your receiver expects.
Full CRUD via REST
List, read, update, delete submissions via WordPress Application Passwords.
Async queue
Failed webhook deliveries are retried with exponential backoff.
List recent submissions over REST
curl -u "user:applicationpassword" \
"https://example.com/wp-json/cf/v1/submissions?form_id=42&per_page=20"Pairs well with
Related features
Mailchimp, MailerPress, FluentCRM + 25 more
Subscribe form users to lists, push to CRMs, post to Slack/Discord, drop into Notion or Airtable, fire Zapier or Make.
Headless / REST submissions
Render and submit forms from Astro, Next.js or any non-WordPress site. Site-wide API key + drop-in widget.
Data variables
Use {{user.email}}, [field_name], {{post.ID}} and URL params in forms, emails, redirects and webhooks.
Bundled with every Core Forms license.
Webhooks & REST API — and every other feature on this site — is included with your license.
Use code CFLAUNCH for 20% off either plan.