What's new in Forge
New features, significant bug fixes, and infrastructure improvements. Updated weekly.
AI Form Generation — Build forms from a text prompt
The most-requested feature in Forge history. You can now describe the form you need in plain language and our AI will scaffold it for you — with the right field types, validation rules, and placeholder labels. Say 'Build me a B2B lead capture form for a SaaS company asking for email, job title, company size, and main use case' and get a production-ready multi-step form in 3 seconds. The generated form is fully editable in our visual builder — use AI to get started, then customize every detail. This feature uses structured output from GPT-4o to guarantee well-formed JSON schemas every time. We ran 40,000 internal tests before shipping. Hallucinations that produce invalid field types are caught and corrected automatically.
- →New '✨ AI Generate' button in the visual builder
- →Describe your form in plain English — get 3–12 fields instantly
- →Powered by GPT-4o: understands field types, validation rules, and conditional logic
- →Available on all plans, including the free Start tier
Submission Export — CSV, JSON, Excel, and PDF
Previously, exporting submissions required using the API. Now you can trigger exports directly from the dashboard with one click. For forms with fewer than 5,000 submissions, exports generate instantly. For larger datasets, the export runs as an async background job and we email you when the file is ready to download. XLSX exports preserve data types (numbers stay numbers, booleans stay booleans) for clean pivot tables. PDF exports use our new React PDF renderer and include your form logo and color scheme. All export formats are available on Standard and above.
- →Export any form's submissions in CSV, JSON, XLSX, or PDF format
- →Async export jobs with email notification when large exports are ready
- →Filter exports by date range and exclude soft-deleted submissions
- →PDF exports include form branding and page breaks between submissions
Per-Form Rate Limiting
Before this feature, the only protection against submission spam was our global account rate limit. If a single popular form was attacked, it could consume your entire quota. Per-form rate limits let you set independent limits: a contact form might be set to 20 submissions/minute, while a high-traffic event registration can be set to 500/minute. Rate-limited submissions receive a proper 429 response with the Retry-After header set to the reset window, so legitimate clients can retry correctly. Rate limit events are logged to your audit trail.
- →Set a per-minute submission rate limit on any individual form
- →Protects against spam bursts without affecting your global account limits
- →Rate-limited requests receive HTTP 429 with Retry-After header
- →Configurable in form settings — no code required
Dead Letter Queues & Webhook Retry with Exponential Backoff
This is the most significant infrastructure improvement in Forge's history. Previously, if your webhook endpoint was down for more than 5 minutes, you lost submissions permanently. Now every failed delivery enters a retry queue with exponential backoff. The schedule is: immediate, 1 minute, 5 minutes, 30 minutes, 2 hours, 12 hours, 24 hours, 72 hours. After all retries are exhausted, the payload moves to your Dead Letter Queue where you can inspect the full payload body, response status codes from each attempt, and manually replay the event once your endpoint is fixed. One customer used this to replay 4,300 submissions that were lost during a 6-hour AWS outage — all recovered with zero data loss.
- →All webhooks now retry automatically with exponential backoff for up to 7 days
- →Failed payloads stored in a Dead Letter Queue (DLQ) accessible from dashboard
- →Manual replay of individual DLQ events with one click
- →Configurable retry schedule: 1m, 5m, 30m, 2h, 12h, 24h, 72h
Next.js Server Actions Integration Guide
Server Actions are the most secure way to use the Forge API in a Next.js application. When you submit a form via a Server Action, your FORGE_API_KEY never appears in the client bundle — it's used only in Node.js server context. This eliminates an entire class of API key exposure vulnerabilities. Our new guide covers the full pattern: Zod validation in the action, typed error returns, optimistic UI on the client with useActionState, and progressive enhancement so the form works without JavaScript. See /docs/nextjs for the complete implementation.
- →Complete guide on submitting Forge forms via Next.js Server Actions
- →Zero client-side API key exposure — all secrets stay server-side
- →Includes useActionState integration with progressive enhancement
- →TypeScript types for all server action patterns
CORS Preflight Fixes & Custom Origin Support
Several customers reported that CORS preflight requests were failing when their pages had strict Content-Security-Policy headers. The root cause was that our OPTIONS response was missing the required Vary: Origin header, causing some reverse proxies to cache incorrect CORS responses. This is now fixed. We also shipped the long-requested multiple origins feature: instead of one allowed origin per form, you can now configure an array of allowed origins — helpful for staging + production environments. Wildcard subdomain support (*.app.com) is available on Plus and above.
- →Resolved OPTIONS preflight failures with strict Content Security Policies
- →Added support for multiple custom CORS origins per form
- →Wildcard subdomain support: *.yourdomain.com (Plus and above)
- →Local development origins (localhost:3000) now always permitted
Workspace Audit Logs
Enterprise security teams need to know exactly who did what and when. Our new audit log captures every significant event in your Forge workspace: API key creation, rotation, and deletion; form publish and unpublish events; submission exports (who exported what); webhook configuration changes; and team member additions and removals. Logs are immutable — even workspace admins cannot delete them. The audit log is accessible via the dashboard Security tab and via API for automated export to your SIEM. This feature is required for SOC 2 Type II compliance, which we are actively pursuing (target Q1 2027).
- →Immutable audit log of all admin actions across your workspace
- →Logs API key creation/rotation, form publish/unpublish, submission exports
- →30-day retention on Standard, 1-year on Max, unlimited on Secure
- →Exportable as JSON or CSV for SIEM integration
Multi-Step Forms with Progress Indicator
Multi-step forms have been available via the API for a long time, but visual builder support required custom code. As of v1.2.0, every visual builder form can be split into multiple steps by clicking 'Add Step' between field groups. Each step validates independently — users can't advance with invalid fields. The progress bar supports percentage and step count display ('Step 2 of 4') and can be themed to match your brand colors. Step-level analytics show completion percentages per step, making it easy to identify exactly which step causes the most abandonment. This is the most significant builder update since launch.
- →Build multi-step forms natively in the visual builder
- →Customizable progress bar with step labels
- →Back/next navigation with field-level validation per step
- →Step-level analytics: see exactly where users drop off