A server-blind, browser-native encrypted form poster.
Form submissions are encrypted in the browser using X25519 sealed boxes before reaching any endpoint. The backend receives and stores opaque ciphertext only. Decryption is operator-controlled.
formseal is not a hosted service, dashboard, or SaaS product. It is a drop-in client-side utility.
Via npm (recommended)
npm install -g @formseal/embed
fse initVia GitHub release (zero toolchain)
- Download the latest release artifact
- Unzip → drop
formseal-embed/into your project - Edit
fse.config.jsmanually
Prefer not to install globally?
npx @formseal/embed initworks, but subsequentfsecommands won't be available — you'll need to editfse.config.jsmanually.
fse configure quickYou'll be prompted for your POST endpoint and public key. See Getting started for key generation.
If the POST endpoint is fully compromised, seized, or maliciously operated, previously submitted form data remains confidential.
Encryption happens in the browser. The backend stores ciphertext only. Decryption keys never exist in the backend environment. A backend compromise yields no recoverable plaintext.
formseal is for environments where:
- The hosting provider or backend may be compromised
- The backend must be treated as hostile
- Data seizure is a realistic concern
- Retroactive disclosure must be prevented
The priority is backward confidentiality — protecting already-submitted data — not convenience or real-time administration.
On submit, formseal:
- Collects field values from your form by
nameattribute - Validates them against your field rules (in
fields.jsonl) - Seals the payload with
crypto_box_seal(Curve25519 + XSalsa20-Poly1305) - POSTs raw ciphertext to your configured endpoint
Your endpoint stores the ciphertext. Only the holder of the private key can decrypt it.
After
fse init, files live in./formseal-embed/. Reference them via your server's static path (e.g./formseal-embed/globals.js).
<form id="contact-form">
<!-- honeypot — hide off-screen with CSS -->
<input type="text" name="_hp" tabindex="-1" autocomplete="off"
style="position:absolute;left:-9999px;opacity:0;height:0;">
<input type="text" name="name">
<span data-fse-error="name"></span>
<input type="email" name="email">
<span data-fse-error="email"></span>
<textarea name="message"></textarea>
<span data-fse-error="message"></span>
<button type="submit" id="contact-submit">Send message</button>
</form>
<div id="contact-status"></div>
<script>
window.fseCallbacks = {
onSuccess: () => document.getElementById('contact-status').textContent = 'Sent securely.',
onError: (err) => console.error('formseal error:', err),
};
</script>
<script src="/formseal-embed/globals.js"></script>{
"version": "fse.v1.0",
"origin": "contact-form",
"id": "<uuid>",
"submitted_at": "<iso8601>",
"data": {
"name": "...",
"email": "...",
"message": "..."
}
}The entire object is sealed with crypto_box_seal. Your endpoint receives raw ciphertext as the request body.
No IP, no timezone, no fingerprints — just the data you explicitly collect.
Fields are defined in fields.jsonl (one JSON object per line):
{"name": {"required": true, "maxLength": 100}}
{"email": {"required": true, "type": "email"}}
{"message": {"required": true, "maxLength": 1000}}
Use the CLI to manage fields:
fse configure field add phone type:tel required:false
fse configure field required name true
fse configure field maxLength message 500
fse configure field remove company| Selector | When |
|---|---|
[data-fse-error="field"] |
Populated with a validation error |
[aria-invalid="true"] |
Set on invalid inputs |
[data-fse-status="success"] |
Set on status element on success |
[data-fse-status="error"] |
Set on status element on error |
- No admin dashboard or inbox UI
- No hosted service
- No bundled decryption tools (yet)
- No npm dependencies at runtime
These are intentional.
- Getting started
- Concepts → How it works
- Concepts → Security
- Integration → HTML
- Integration → Fields
- Integration → JavaScript
- Deployment → Endpoint
- Deployment → Decryption
- Deployment → Versioning
MIT