Automation recipe · All recipes

Send a Gmail Confirmation When a Formfy Form Is Signed

When a client signs a waiver, intake form, or consent, they often walk away with no confirmation — just a browser redirect and a vague sense the submission went through. No email receipt, no PDF copy, no branded touchpoint that builds trust. For clinics, agencies, and service businesses, that silence turns into follow-up phone calls, duplicate submissions, and a weak first impression at exactly the moment a client is deciding whether to trust your practice.

Formfy fires a form.signed webhook the moment a client signs. Route that event to Gmail with a few lines of code and every signed form triggers a branded confirmation email — with a link to the signed PDF — in under 30 seconds.

Start a 15-day free trial Read the OpenAPI spec

How the recipe flows

  1. Trigger (Formfy)

    form.signed fires in Formfy when a client completes and signs the form

  2. Step 1

    Formfy delivers a signed webhook payload to your endpoint containing signer_email, form_id, and signed_at

  3. Step 2

    Your handler fetches the signed PDF download token via GET /api/v1/forms/{id}/signed-pdf

  4. Outcome

    Gmail sends a branded form completion confirmation email to the signer with a link to their signed PDF — giving clients immediate proof of submission and eliminating inbound follow-up calls to clinic or agency staff

Build the recipe step-by-step

Subscribe to the Formfy form.signed webhook, retrieve the signed PDF token, and trigger a branded Gmail confirmation automatically every time a client signs.

  1. Generate a Formfy API key

    Open the Formfy dashboard, navigate to Settings → API Keys, and click Create key. Copy the fk_live_… token into a secure secret store such as AWS Secrets Manager or a .env file. Use a fk_test_… key during development so test signatures do not count against your live plan limits. Every API call in this recipe passes the key as a Bearer token.

  2. Subscribe to the form.signed webhook event

    POST /api/v1/webhooks with your listener URL and event_types: ["form.signed"]. Formfy returns a signing_secret — store it alongside your API key. Every delivery will include an X-Formfy-Signature header computed as HMAC-SHA256(secret, raw_body). Verify this signature in your handler before triggering any Gmail send to prevent spoofed payloads.

    POST/api/v1/webhooksSee in the OpenAPI spec →

  3. Fetch the signed PDF token inside your webhook handler

    Extract the form_id from the incoming webhook payload. Call GET /api/v1/forms/{id}/signed-pdf with your Bearer token to retrieve a time-limited download token. You can embed a direct download URL built from that token in the Gmail confirmation body, giving signers one-click access to their completed document.

    GET/api/v1/forms/{id}/signed-pdfSee in the OpenAPI spec →

  4. Compose and send the Gmail confirmation

    Use the Gmail API or Nodemailer with OAuth2 to send the confirmation. Address it to the signer_email field from the webhook payload. Include the form title, signature timestamp, and the signed PDF link. A specific subject line — "Your [Form Name] is signed and on file" — performs better than generic confirmation language and reassures clients the submission was received.

  5. Deploy your handler and verify end-to-end delivery

    Deploy the handler to a public HTTPS endpoint. Send a test signature from the Formfy dashboard and watch the Webhook Deliveries log for a 200 response. Open Gmail Sent — the signed form confirmation email should appear within 30 seconds. If delivery fails, the log shows the exact HTTP status returned by your server.

  6. Rotate the webhook signing secret on schedule

    POST /api/v1/webhooks/{id}/rotate-secret quarterly or after any suspected exposure to receive a fresh signing secret. Update your deployment environment with the new value before the old secret is retired. Deliveries fail closed on a signature mismatch by design — this blocks replay attacks from triggering confirmation emails to arbitrary addresses.

    POST/api/v1/webhooks/{id}/rotate-secretSee in the OpenAPI spec →

Subscribe to form.signed and fetch the signed PDF token

Create the webhook subscription that triggers the Gmail confirmation flow. Formfy returns a signing_secret on creation — store it securely and verify every delivery before sending email.

# 1. Create the webhook subscription for the form.signed event
curl -X POST https://formfy.ai/api/v1/webhooks \
  -H "Authorization: Bearer fk_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "target_url": "https://your-server.example.com/webhooks/formfy",
    "event_types": ["form.signed"]
  }'

# 2. When the webhook fires, fetch the signed PDF token (use form_id from payload)
curl -X GET https://formfy.ai/api/v1/forms/FORM_ID/signed-pdf \
  -H "Authorization: Bearer fk_live_YOUR_KEY"

Frequently asked questions

Can I send a Gmail confirmation on form submission rather than after the signature?

Yes. Formfy emits five event types: form.created, form.sent, form.viewed, form.signed, and form.expired. If your workflow requires a confirmation at the moment the form is sent to a recipient — before they sign — subscribe to form.sent instead. You can also pass multiple values in the event_types array to subscribe a single endpoint to several events at once, for example triggering different Gmail templates at each stage.

Do I need a developer to build this Gmail recipe?

A minimal implementation is roughly 40–60 lines of Node.js or Python: verify the HMAC signature, call GET /api/v1/forms/{id}/signed-pdf, and fire a Gmail send. If you prefer no-code, you can wire the same flow through Zapier — subscribe Formfy to Zapier's catch-hook, then use Gmail as the Zapier action step. See the Zapier integration recipe for the full no-code walkthrough.

How do I attach the signed PDF as a file instead of linking to it?

After retrieving the token from GET /api/v1/forms/{id}/signed-pdf, call GET /api/v1/files/pdf/{token} to stream the raw PDF bytes. In the Gmail API, encode the buffer as base64 and attach it as a MIME part with Content-Type: application/pdf and a filename like signed-consent.pdf. Keep in mind that PDF attachments increase message size — linking to the hosted file is usually faster to deliver and easier for mobile recipients to access.

What should a signed form confirmation email include?

At minimum: the signer name, the form title, the date and time of signature, and either a download link or attachment for the signed PDF. Adding a brief next-steps section — appointment time, what to bring, who to call with questions — turns a routine receipt into a useful client touchpoint. Avoid echoing raw form field values in the email body if the form collects sensitive personal or health information.

How do I verify the Formfy webhook payload before sending email?

Formfy signs every delivery with HMAC-SHA256 using the signing_secret returned at webhook creation time. In your handler, compute HMAC-SHA256(secret, raw_request_body) and compare the hex digest to the X-Formfy-Signature header. If they do not match, return HTTP 401 and skip the Gmail send. This single check blocks spoofed payloads from triggering confirmation emails to addresses you do not control.

What happens to the Gmail confirmation if my server is down when a form is signed?

Formfy retries failed webhook deliveries with exponential backoff for up to 24 hours. Once your handler recovers and returns HTTP 200, the queued deliveries fire automatically and your Gmail confirmation flow resumes. You can also inspect and replay individual delivery attempts from the Webhook Deliveries log in the Formfy dashboard — useful for recovering missed confirmations during an outage without re-collecting signatures.

Can I CC a staff member on the signed form confirmation email?

Yes. The webhook payload includes signer_email, which you address in the To field. Your Gmail send call can add any number of CC or BCC addresses — a front-desk inbox, a records system email alias, or a practice management tool that accepts documents by email. For clinic workflows, CCing an internal address ensures staff see completed waivers and intake forms without needing dashboard access.

Does this recipe work with Google Workspace accounts?

Yes. The Gmail API works with both personal @gmail.com accounts and Google Workspace (formerly G Suite) accounts. Workspace deployments can use domain-wide delegation to let a service account send confirmations on behalf of any user in the domain — useful for multi-location clinics or agencies where confirmations should originate from a shared address rather than an individual's inbox. Enable the Gmail API in your Google Cloud project and configure the appropriate OAuth scopes before deploying.

Ship this automation in under 15 minutes

Spin up a Formfy API key, paste the example, and run your first end-to-end signed-form workflow today.

Start a 15-day free trialSee pricing