I Found Blue Ocean in the Most Crowded Market on the Internet
I would like to share something that surprised me as a builder. Forms might be the most boring, most crowded category in SaaS.
Google Forms is free. Typeform charges $29/month. Jotform charges $39/month. There are literally hundreds of form builders. Any rational founder would look at this market and walk away.
I did not walk away. And four months in, I believe I have found a gap that none of them are filling.
The Gap Nobody Is Filling
I spent years in digital marketing making forms for clients. Event registrations, lead captures, surveys, feedback loops. I got quite good at it. And the thing I learned was this: building the form takes five minutes. Running the form takes five hours a week.
Reviewing responses. Sending follow-ups. Routing hot leads before they go cold. Checking who opened what email. Exporting data to three different places. Bouncing between the form tool, a spreadsheet, email, and a CRM just to keep one workflow alive.
Every form tool on the market optimizes for creation. The pretty drag-and-drop builder. The AI that generates your form in one click. That is the demo. That is what gets the Product Hunt upvote.
But I could not find anyone building for what happens after you hit publish.
That is where I decided to focus.
How I Tested the Gap
In March 2026, I did something tedious but revealing. I signed up for every form service that claimed MCP support and tested what their chat interface could actually do.
For those unfamiliar, MCP (Model Context Protocol) is the protocol that lets AI assistants like Claude, ChatGPT, and Cursor connect to external services. It is becoming the standard way users interact with SaaS tools through conversation.
Here is what I found:
- Jotform: 5 MCP tools. Can create a form. Cannot change design, cannot preview, cannot manage responses from chat.
- stigmi: Claims 58 tools, actually has 24. Can create a form. Cannot change design or preview.
- Weavely: 1 tool. Creates a form. That is it.
Every single one stops at creation. Want to change the design? Back to the dashboard. Want to send a reminder to respondents? Back to the dashboard. Want to see who opened your email? Back to the dashboard.
The chat interface serves as a front door to a traditional product. Once you walk through it, you are back in the same GUI as everyone else. I saw an opportunity to do something different.
The Bet I Made
FORMLOVA has 127 MCP tools across 25 categories. Forms, responses, analytics, emails, webhooks, team management, A/B testing, scheduling, CRM export, Google Sheets sync.
You can go from "make me an event registration form" to "send a reminder to everyone who hasn't responded" to "show me the drop-off analysis" to "export the attendees to Sheets" -- all within the same conversation, without ever opening a dashboard.
The dashboard exists. It works well. But it serves as the supporting actor, not the lead.
I should mention something that still makes me a bit nervous to share. I actually built a drag-and-drop form builder UI for the dashboard. It worked fine. Then I deleted it. That decision freed up weeks of engineering time that I redirected to post-publish operations -- the boring, painful, daily work that nobody seemed to be building for from chat.
It was a difficult choice. But so far, the feedback from beta users has validated it. Nobody has asked for the builder back. Several have told me the response management and email tools are why they stayed.
The Economics That Make $3.20/Month Work
This is the part that tends to get the most skepticism, so I would like to be as transparent as possible.
FORMLOVA's Standard plan is $3.20/month (480 yen). Premium is $6.50/month (980 yen). The free tier has unlimited forms and unlimited responses. No cap. No "upgrade to see your data" hostage-taking.
For comparison:
- Typeform Standard: $29/month (10 responses/month on free)
- Jotform Bronze: $39/month (100 responses/month on free)
- formrun (popular in Japan): roughly $26/month (30 responses/month on free)
This is not a loss leader. It is an architectural advantage.
Here is why: LLM processing costs sit on the user's side, not mine. When someone creates a form or analyzes responses through chat, their Claude or ChatGPT subscription pays for the AI inference. My servers handle database operations, email delivery, and hosting. That is the entire cost structure.
I never call an LLM API from my backend. Zero AI inference cost on my side, regardless of how many users join or how much they use the product.
My running costs right now:
- Vercel (hosting): Pro plan
- Supabase (database + auth): Pro plan
- Resend (email delivery): Pro plan
- Multiple domains
These are fixed costs that scale gracefully. I am not watching a GPU bill climb with every new user. The margin on a $3.20/month subscription is real margin, not "we will figure out unit economics later" margin.
The Free Tier Philosophy
Unlimited forms. Unlimited responses. Full data export. No credit card required.
I made this decision for a specific reason: I do not want to hold anyone's data hostage.
The free-to-paid conversion needs to come from users wanting more operational power -- custom auto-reply emails, reminders, A/B testing, advanced analytics, email sequences. Not from locking their response data behind a paywall.
If someone collects 10,000 responses on the free tier and exports them all to CSV, that is perfectly fine. That is working as intended. The bet is that once they are running real operations on those forms, they will want the tools that save them hours per week.
What I Learned from 73 Beta Users
Before getting into the raw numbers, I want to share what the beta phase taught me.
I gave 73 people from my personal network full access to every feature -- no paywalls, no tier restrictions. I wanted honest feedback on whether the core idea worked, not on whether the pricing page was convincing.
What came back reshaped the product in ways I did not anticipate.
The most significant change was to the publish flow. Early testers kept accidentally publishing forms before they were ready. One person published a form with the placeholder thank-you message still in place. Another forgot to set up duplicate response prevention. The feedback was clear: the publish action needed guardrails.
So I rebuilt the entire publish flow as a server-side checklist. Now, when you say "publish this form," the system walks through each requirement one at a time -- preview confirmation, thank-you page check, duplicate prevention, privacy policy if needed. You cannot skip steps. Several beta users told me this was the feature they appreciated most, even though it technically slows them down by a few seconds.
Other feedback led to smaller but meaningful changes: adding sort options to the response list, showing email configuration status on form cards, improving how the system auto-selects which form you are talking about when you have multiple forms. These were not features I would have prioritized on my own. They came directly from watching real people use the product.
The pattern I noticed was encouraging. Beta users were not asking for a better form builder. They were asking for better post-publish tools. That told me the bet was directionally right.
Numbers (Transparent)
Since this is Indie Hackers and I know you all appreciate honesty over polish:
Product:
- 4 months of development, solo founder
- 127 MCP tools across 25 categories
- 29 field types (text, rating, NPS, ranking, file upload, signature, and more)
- 86 database migrations
- 3,155 unit tests + 90 E2E tests
- Works with Claude, ChatGPT, Cursor, Windsurf, Codex -- any MCP client
Traction:
- 73 beta users from personal network (full feature access, no paywalls)
- Average of 2-3 forms created per user
- No paid acquisition yet
- No public launch yet
Revenue:
- $0. Pre-launch.
- Target: 10,000 users in 3 years (roughly 280 net new per month)
My situation:
- Solo founder, based in Japan
- Background in digital marketing (years of form operations for clients)
- Working on this full-time, while also maintaining some digital marketing projects
- Not VC-funded, not planning to be
73 users is a small number. I know. But the signal I am reading is not the number itself -- it is the behavior. They are using the post-publish tools. They are managing responses and sending follow-up emails from chat. They are not asking for a better form builder. That gives me some confidence heading into the public launch.
The Hardest Engineering Problem Nobody Sees
The thing that consumed the most engineering time was not any feature. It was safety.
When you let an LLM orchestrate real operations -- sending emails to 500 people, deleting a form with 2,000 responses, publishing something publicly -- you need serious safety guarantees. LLMs skip instructions. They hallucinate user approval. They decide the user "probably" wants to proceed.
Prompt instructions are not enough. I tested this extensively. An LLM will cheerfully bypass "always confirm before sending" if it believes the user's intent is clear enough.
So I built server-side enforcement. Twelve tools that can cause irreversible damage (bulk email, form deletion, data deletion, publish) require a confirmation token: HMAC-SHA256 signed, bound to the specific tool and user, with a 5-minute TTL. The LLM literally cannot execute these operations without the server issuing and then verifying the token. No prompt injection, no creative interpretation, no "I will just do it" can bypass the check.
Nobody will ever look at FORMLOVA and think "great token design." But without it, the product would be dangerous to use. If you are building anything that lets LLMs take real-world actions, I would strongly recommend building the harness before you build the features.
What I Learned That You Can Steal
Three things from this build that I believe apply well beyond forms:
1. Red oceans have blue pockets.
The form market is incredibly crowded. But "form operations from a chat interface" had zero direct competition when I started building. I think every crowded market has a dimension that nobody is competing on. For forms, it was post-publish operations. For your market, it might be a different phase of the workflow that everyone ignores because it is not demo-friendly.
2. Make the user pay for the expensive part.
FORMLOVA's economics work because the most expensive component -- LLM inference -- runs on the user's existing subscription. I did not plan this as a business model hack. MCP simply works this way. But the principle generalizes: if you can architect your product so that the most expensive computation happens on infrastructure the user already pays for, your margins get much healthier.
3. Build the harness before the features.
If your product involves AI taking real-world actions (not just generating text, but actually doing things), the safety layer will take longer than you expect and matter more than any feature. I would encourage you to budget for it generously. I spent more time on the confirmation token system than on the entire analytics module. I would do it again without hesitation.
Share Campaign: Premium Free for 3 Months
To coincide with the launch, I am running a share campaign. If you share FORMLOVA on social media or write about it on your blog -- anywhere with a link to formlova.com -- you get the Premium plan completely free for 3 months. That is the full feature set: auto-reply emails, reminders, A/B testing, advanced analytics, email sequences, team management, Stripe Connect, and everything else.
The campaign runs until the end of May 2026. One share is enough. No strings attached. After 3 months, you can continue at 980 yen/month (roughly $6.50) or stay on the free tier with unlimited forms and responses. Your data stays either way.
If you would like to participate: Share campaign form
I built this campaign form using FORMLOVA itself. It is a small proof of concept -- if the form tool works well enough to run its own marketing, that says something.
Product Hunt: April 15
FORMLOVA is launching on Product Hunt on April 15, 2026.
If you are reading this before launch day, I would genuinely appreciate your support. If you are reading this after, the product is live and free to try.
- Free to start: formlova.com
- Setup guide (connect to Claude, ChatGPT, etc.): formlova.com/en/setup
- Share for 3 months Premium free: formlova.com/en#pricing
- Product Hunt launch: April 15, 2026
Further Reading
If you would like the deeper cuts:
- I Built a Form Builder, Then Deleted It -- the full build story on Hashnode
- AI Should Not Stop at Making Forms -- the thought piece on Medium
- 118 MCP Tools, 4 Safety Levels: Building a Server-Enforced Form Ops Layer -- the technical deep-dive on DEV
- Most Form Tools Stop at Creation -- FORMLOVA Starts After Publish -- the flagship blog post
- Route Post-Publish Responses by Intent -- proof of post-publish ops in action
A Genuine Question
I am about to put this in front of the internet for the first time, and there is something I am still uncertain about.
The whole value proposition depends on people understanding that form operations -- not form creation -- is where the time goes. That is obvious if you have run forms at scale. But for someone who has not, "I manage your forms from chat" might sound like a solution to a problem they do not know they have.
To those of you who have launched products that solve a pain point people do not yet realize they have: how did you bridge that gap? Did you lead with education, with a specific use case, with a free trial that creates the aha moment? I would love to hear your experience, because I have not fully figured this out yet, and I am launching in 10 days.
Your FORMLOVA-style “post-publish form operations via MCP/chat interface” angle is genuinely one of the clearest examples I’ve seen of finding a real wedge inside a saturated SaaS category. Most form tools obsess over creation, but you’ve correctly identified that the real workload is everything after publish — follow-ups, routing, analysis, and lifecycle management.
The MCP + “no dashboard dependency” approach is especially interesting, but the real challenge (as you already noticed) is making that invisible pain obvious to people who don’t yet feel it.
Saw your work — got something for you 👀
Got an idea?
Enter for $19 → win Tokyo trip + $500
Round live 👉 tokyolore.com
Prize pool just opened at $0. Your odds are the best right now.
HACKER EXPERT ALPHA KEY DATA RECOVERY
My name is Destiny Rodrigues, and I'm from Canada. After learning about cryptocurrency investments and how my coworkers have been profiting from them lately, it really caught my attention to invest as well. However, I had no idea that this was my biggest mistake—investing with the worry brokers and falling into the hands of scammers. Thank you again to Alpha Key Recovery for helping recover every coin and clear my credit card debit. Please get in touch with them right away if you become a victim of this kind.
WhatsAPP: +15714122170
Signal : +15403249396
One pattern I've noticed in seemingly saturated markets is that true differentiation often comes from solving a specific subproblem most competitors ignore. Blue oceans aren't always about radical innovation — sometimes they're about extreme precision in addressing a narrow pain point. The most crowded markets can actually be goldmines if you zoom in on underserved niches that bigger players can't justify pursuing. What specific slice of this market felt uniquely overlooked to you?
The slice that felt completely overlooked was post-publish operations — specifically, what happens between "your form is live" and "you've acted on every response."
Every competitor I tested (Jotform, Typeform, Tally, Weavely, stigmi) optimizes for creation. And honestly, creation is already a solved problem — any of them can generate a decent form in under a minute. The unsolved part is the daily grind after that: which responses need immediate attention, who hasn't been followed up with, did the reminder go out, is version A outperforming version B.
What confirmed this wasn't theory — it was beta testing. 73 users consistently asked for better post-publish tools, not a better builder. "Can I see who hasn't responded?" "Can I send a follow-up just to low-raters?" "Can I get a weekly summary without opening a dashboard?" These aren't feature requests for a form builder. They're feature requests for an operations layer that didn't exist
The reason bigger players can't justify pursuing it is exactly what you described — it's not a demo-friendly feature. "Watch me create a form in 30 seconds" gets applause. "Watch me triage 50 responses and route hot leads from chat" doesn't demo well, but it's where the actual time goes.
Timing helped too. MCP made it possible to build 127 tools that run from any AI client, and today X (Twitter) just launched their own MCP server with 159 tools. The protocol is going mainstream this week, which means "form ops from chat" is landing at exactly the right moment.
The blue ocean point is underrated. Often the 'blue ocean' is found by looking at where incumbents are NOT focusing — their job postings, feature releases, and pricing changes reveal strategic gaps before they publish a single blog post about it. Systematic competitor monitoring at the right cadence (weekly, not quarterly) surfaces these opportunities early.
That's a sharp framework. I wish I had been that systematic from the start — my gap discovery was more accidental than methodical.
What actually tipped me off was hands-on testing, not monitoring. I tried every MCP form tool I could find (Jotform, stigmi, Weavely, Tally) and ran the same sequence on each: create a form, change the design, preview it, check responses, send a follow-up email. Every single one stopped at creation. Design changes? Back to the dashboard. Follow-up emails? Not available. The gap wasn't hidden — it was obvious the moment you tried to do real work.
But your point about job postings and feature releases is something I hadn't considered. In hindsight, Jotform's MCP server having only 6 tools (out of their massive platform) tells you exactly where they think MCP fits — as an add-on, not as the primary interface. That's a strategic signal hiding in plain sight.
Weekly cadence is the right call. The MCP ecosystem is moving fast enough that quarterly reviews would miss entire product launches.
It’s so easy to get intimidated by "crowded" markets, but people often forget that a crowded market just means there’s proven demand.
Narrowing down to a specific "Blue Ocean" within a "Red Ocean" is definitely the move. Sometimes focusing on a single, underserved feature or a specific type of user in a massive industry is way more effective than trying to build a broad platform.
Totally agree — "crowded" just means people are already paying for solutions. The real question is what they're paying for that still doesn't work well.
That's exactly how I found the gap for FORMLOVA. I mapped every major form tool (Google Forms, Typeform, Jotform, Tally) and realized they all optimize for the same phase: creation. But nobody owns what happens after you hit publish — auto-reply emails, reminders, duplicate prevention, conditional follow-ups, A/B testing, drip sequences. That's where forms actually break down in practice.
So instead of building "a better form builder," I built an operations layer that runs entirely through chat via MCP (Model Context Protocol). You connect it to Claude, ChatGPT, Cursor, or any MCP client, and say things like "create an event form" → 60 seconds later you have a draft with auto-reply, reminders, and a publish checklist already wired in. No dashboard clicking.
The interesting architectural bit: LLM costs are zero on our side. The inference runs on your MCP client (Claude, ChatGPT, etc.), so we never call LLM APIs. This means we can offer 118 tools across 24 categories — forms, analytics, email sequences, A/B testing, team management, CRM export — at $3.20/mo. The product gets smarter automatically as models improve, with no cost scaling on our end.
One thing I'd add to your "single underserved feature" point: the feature itself can be broad if the interface is narrow. We have 28 field types, conditional logic, rich thank-you pages, Stripe Connect for paid events — but the user just talks to their AI assistant. The chat interface absorbs the complexity.
If you're curious to try it: connect https://formlova.com/api/mcp to any MCP client and say "create a form." That's literally the whole onboarding.
Wow, this insight about finding a blue ocean in a crowded market is inspiring! It reminds me of tourism too—offering unique experiences like Private Tours in Istanbul can truly stand out. Focusing on personalized travel and exceptional service really creates value even in a competitive space. visit to sawtransfer
WhatsApp Number: +90 551 009 69 69
Email: reservation@sawtransfer
The "beta users weren't asking for a better X, they were asking for better post-X tools" insight is something I keep seeing play out. When I was building out analytics features, the same thing happened — store owners didn't want another dashboard, they wanted to know what to do after seeing the numbers. 86 migrations in 4 months is wild though, how are you keeping your schema stable with that pace of iteration?
That "what to do after seeing the numbers" pattern is exactly it. The moment you realize users don't want more data, they want the next action — that's when the product direction clicks.
On schema stability with 92 migrations (it's grown since the post): honestly, a few things keep it from becoming chaos.
Additive-only as the default. New columns get defaults, new tables get their own RLS policies. I avoid ALTER COLUMN type changes unless there's no alternative. Most migrations are adding capabilities, not restructuring.
RPC functions for anything with race conditions. Capacity checks, email quota enforcement, waitlist positioning, A/B test counters — these are all Postgres functions with SELECT ... FOR UPDATE. When the concurrency logic lives in the database instead of the app layer, schema changes to those flows are isolated to a single migration file.
RLS on every table from day one, ENABLE + FORCE. This sounds like overhead but it actually stabilizes things — you can't accidentally ship a migration that exposes data because RLS will block it. The policy becomes a contract.
Auto-generated types after every migration. One command (supabase gen types) regenerates the TypeScript definitions. If a migration breaks something, the type checker catches it before it reaches production. No hand-maintained type files for the database layer.
The pace is sustainable because each migration is small and self-contained. The dangerous pattern is "big bang" migrations that touch 5 tables at once — I've avoided that by keeping one migration = one concern.
What were you building the analytics features for? Curious if you hit similar schema challenges with event tracking tables.
Form making is fun after its the hell to run. I made over 15 tools but yeah running is pain. Everyone else just focus on making but I went to operation side. Even charge 3.20 dollars a month. How you find first users?
Ha, "fun to make, hell to run" — that's the perfect one-line summary of why this gap exists. If you've built 15+ tools you already know the pain firsthand.
For first users, I did three things:
MCP directory listings. Smithery, Glama, mcp.so, PulseMCP — these are where people actively browse for MCP servers to connect. Listing there is free and the traffic is high-intent. Someone searching "form" on Smithery is already looking for exactly what we built. This was the highest-ROI channel early on.
Built the product in public. Posts like this one on IH, showing the real architecture decisions and trade-offs — not "we launched!" announcements but "here's what we actually learned" stories. The 73-user beta feedback, the confirmation token system, the zero-LLM-cost model — these attract builders who want to understand the craft, and builders tend to be early adopters.
Made onboarding literally one line. Connect https://formlova.com/api/mcp and say "create a form." No signup wall, no credit card, no 10-step tutorial. The free tier is fully functional with unlimited forms. When the friction to try is near zero, word of mouth does the rest.
The thing I intentionally did NOT do: paid ads or cold outreach. At this stage the product needs to prove itself through usage, not impressions. Every user who stays because the tool actually solved their operations pain is worth more than 100 signups from an ad.
What kind of tools did you build? If they're in the operations space too, I'd be curious to hear what worked for your user acquisition.
this is really helpful especially the directory listing point. i hadnt thought about finding the equivalent of smithery for my niche. for jewelry there might be
similar curated lists or directories i can get listed on. going to look into that. my tools are all over the place. ADHD task app, AI interview practice, jewelry
size database, scam checker, tax calculator. all free, all for people living in japan or dealing with japan-related problems. the jewelry one is the first that got
real user feedback so im going deeper on that one now. the no paid ads no cold outreach approach makes sense at this stage. i tried posting on 5 subreddits and got
removed from 4. the one that worked brought real feedback from actual users which was a first for me. your point about friction to try is near zero really
resonates. my site is static HTML with no signup so theres literally nothing between the user and the data. what made you choose the MCP space? seems like timing
was perfect with the AI tool wave
Great question. The honest answer: I didn't choose MCP — the problem chose it.
I was already building a form service focused on post-publish operations. The original plan was a traditional dashboard with API integrations. Then MCP came along and I realized: if the AI client handles the conversation, I don't need to build the UI for 127 different operations. I just need to expose them as tools and let the LLM orchestrate.
The timing part was luck. I started building in late 2025, MCP adoption exploded in early 2026, and suddenly the architecture I'd committed to became the thing everyone was talking about. But the core insight — that form operations are underserved — would have been true regardless of MCP.
Your trajectory sounds familiar. Building lots of small tools, seeing which one gets real traction, then going deep. That's exactly how you find product-market fit without burning months on the wrong thing. The jewelry sizing database getting real feedback is a strong signal — people searched for it, found it, and told you what they thought. That's rare.
On the subreddit experience — 4 out of 5 removals is actually normal. The one that worked probably worked because you posted in a community where your tool solved an active pain point, not because you got lucky. That's the same dynamic as MCP directories: high-intent audience > broad reach.
Since you're in Japan too — if you ever want to compare notes on building for the Japanese market, happy to connect. The localization challenges here are real (and underestimated by most builders).
you calling the jewelry feedback a strong signal made my day. im still just trying things and seeing what sticks so hearing that really helps. and knowing 4 out of
5 removals is normal takes a lot of pressure off. id love to talk about the japanese market. i can share what i know about how users here react to things and
localization stuff from living here. if theres anything i can help with just say the word
Thank you. Calling the jewelry feedback a "strong signal" wasn't just encouragement — when users find your tool through search, use it, and then tell you what they think, that's the rarest feedback loop
in indie development. Most tools never get past the silent-visitor stage. You're past it.
Would love to talk about the Japanese market. We built FORMLOVA with full Japanese/English support, and there are localization decisions that surprise me every time:
Curious about your side too. Are your jewelry sizing DB users mostly expats in Japan, or are Japanese users finding it as well? The localization instincts from that audience would be really interesting to
hear.
Let's connect — DM me anytime: https://x.com/Lovanaut
all 3 of your japan market points are spot on. especially the "limited but trustworthy" over "everything free" thing. i live here and see that every day. the
information density one too - japanese sites look cluttered to western eyes but thats what feels safe here. checked my analytics and most users are from the US
right now. havent seen much traffic from japan yet. followed you on x, lets connect
Followed you back. Your analytics showing mostly US traffic makes sense — the expat community searches in English first, so US-based results dominate even when the user is physically in Japan. The Japan traffic will come once you start ranking for Japanese keywords alongside the English ones.
Let's continue on X. Looking forward to exchanging notes.
That really helped. I couldn't figure out why my traffic was almost all US based, but now it makes sense. I had a Reddit post in r/XXS hit 15K views in 3 days, so now I'm focused on improving the site before the next push. See you on X!
You identified the gap correctly: everyone optimizes creation, no one optimizes operations. The safety layer with HMAC tokens is the part most MCP tools skip, they trust the prompt, you built the harness. That's not just engineering, it's knowing that LLMs will eventually ignore "always confirm" when they think the user is clear.
You nailed the core problem. "Always confirm before sending" in INSTRUCTIONS works maybe 90% of the time. But 90% is not a safety layer — it's a suggestion with a known failure rate. The moment a user says something like "yes send it to everyone, I already checked" with enough confidence, most models will skip the confirmation step entirely. I've watched it happen in testing.
So the confirmation token system is designed around one assumption: the LLM is untrusted for irreversible decisions.
Here's how it actually works. When a tool like send_bulk_email or delete_form is called, the server checks for a valid token. No token = no execution, just a confirmation prompt returned to the conversation. The token itself is HMAC-SHA256 signed with a 5-minute TTL, and it's bound to a specific (tool, user_id, resource_key) tuple. So a token issued for "send email to form A" cannot be replayed for form B, or reused for delete_form, or used by a different user. Timing-safe comparison on verification, stateless with zero database overhead.
12 tools are behind this gate — the 11 irreversible operations (bulk email, filtered email, scheduled email, reply to respondent, email sequences, form deletion, unpublish, team member removal, A/B test termination, response deletion, version restore) plus publish_form which has its own server-side state machine with a checklist.
The key design decision: the server decides what needs confirmation, not the LLM. The LLM never sees a "should I confirm?" choice — it simply can't execute without the token. There's zero prompt-injectable path to an irreversible operation.
I'd honestly love to see more MCP tools adopt this pattern. The protocol is powerful but the safety defaults are basically "trust the model to follow instructions," which is a bet I'm not willing to make with someone's email list or data.
The key distinction is "the server decides what needs confirmation, not the LLM." Most MCP tools invert that, they ask the model to self-police, then act surprised when confidence overrides caution. Your token system assumes the LLM is untrusted for irreversible decisions. That's not pessimism. That's just accurate threat modeling.
Exactly. "Accurate threat modeling" is the right framing. It's not about distrusting LLMs in general — they're excellent at orchestration, context understanding, and deciding what to do. The problem is narrow and specific: they cannot be trusted to not do something when they believe the intent is clear.
The mental model I use: the LLM is a brilliant employee who always wants to be helpful. That's exactly the person you don't let bypass the two-person rule on wire transfers. Not because they're malicious — because helpfulness and caution are fundamentally in tension, and helpfulness wins by default.
What makes the MCP protocol interesting is that it could support this pattern natively. The tool definition layer already separates "what the tool does" from "how the model calls it." Adding a standardized confirmation mechanism at the protocol level — rather than leaving every server to reinvent HMAC tokens independently — would raise the safety floor for the entire ecosystem.
Until then, every MCP server that handles real-world actions is making an implicit choice: trust the model, or build the harness. I'd rather see more people choose the harness.
The post-publish angle is sharp. I've seen the same pattern in other spaces - everyone builds the sexy creation part and ignores the boring operational stuff that eats hours every week.
Genuine question though - how do you explain that to users who don't know they have the problem yet? Most people just accept that managing form responses sucks. They're not searching for a solution because they think the pain is normal. That's the hardest part of selling in an unrecognised category.
The pricing makes sense if inference costs sit with the user. Curious how that plays out once AI-native pricing becomes more common.
Thank you -- you've named the exact problem I'm sitting with.
On the unrecognized category:
You're right. Nobody searches for "form operations tool." The pain is real but invisible -- spread across tabs and manual follow-ups that feel normal.
My bet is that education won't close this gap. Experience will. When someone says "make me an event form," the system creates it in 60 seconds, then walks them through auto-reply emails, reminders, and duplicate prevention as part of the publish flow. They don't go looking for operations tooling -- they run into it. The aha moment comes from contrast: the entire post-publish workflow just got set up in the same conversation, and they realize how much they used to do manually.
Whether this converts at scale, I genuinely don't know yet. But beta users aren't asking for a better builder. They're asking for better post-publish tools. That tells me the direction is right, even if the messaging isn't there yet.
On the part nobody sees:
Since you mentioned the safety angle -- this is where most of the engineering time actually went, and I think it matters for anyone building products where LLMs take real-world actions. The core problem: LLMs skip instructions. I tested this extensively. An LLM will bypass "always confirm before sending" if it decides the user's intent is clear enough. Prompt-level guardrails are not a real safety layer.
So I moved confirmation to the server. 12 tools that can cause irreversible damage -- bulk email, form deletion, data deletion, publish, and others -- require a cryptographically signed confirmation token. The token is bound to the specific user, tool, and resource. The LLM receives it but cannot generate one, because the signing key never leaves the server. No prompt injection, no creative interpretation can produce a valid signature.
For the publish flow specifically, I built a server-side state machine. When a user says "publish this," the server returns a checklist and controls the sequence: preview confirmation (verified by actual URL open, not by the LLM claiming it was opened), thank-you page check, duplicate prevention, privacy policy. The LLM cannot skip steps. The server issues the final token only when every requirement is met.
The result: there is zero path from prompt manipulation to irreversible action. The safety boundary is cryptographic, not conversational.
This took more engineering time than the entire analytics module. Nobody will ever look at it and think "great design." But without it, I wouldn't be comfortable letting an LLM send emails on someone's behalf. If you're building anything where AI takes real-world actions, build the harness before the features.
On AI-native pricing:
Fair point. If competitors bundle inference into their SaaS fee, the pricing gap narrows. But they still need to build the operational layer -- and server-enforced safety on top of it. If the moat ends up being the product rather than the price structure, I'd rather be in that position.
The server-side confirmation token approach is exactly right. I went through the same realization - prompt-level guardrails are suggestions, not constraints. The LLM will bypass "always confirm first" the moment it decides the intent is obvious enough...
Your 12-tool safety boundary is the kind of thing that separates production systems from demos. Most people building with AI agents skip this entirely because the happy path works fine in development. The failures only show up at scale or under adversarial inputs.
The state machine for publish flows is clever. We do something similar with tiered autonomy - some actions are fully autonomous, some notify after execution, some require explicit approval before proceeding. The tier is set per action type, not per agent. Keeps the speed without the risk.
On the pricing question - fair point about the moat being product quality over cost structure. If inference costs commoditize (which they will), the operational layer and safety architecture become the real differentiator. You are building the right thing first.
How are beta users discovering you? That is usually the harder problem once the product is solid.
Appreciate the tiered autonomy detail — per action type, not per agent. That's the same conclusion we landed on independently, and it's validating to hear someone else arrived there through production pain rather than theory.
Our classification maps almost directly to yours:
The common thread: speed where it's safe, friction only where damage is real. Most people design safety as a blanket slowdown. The per-action approach keeps the 90% of interactions fast while locking down the 10% that matter.
On discovery — three things are working:
MCP directories — Smithery, Glama, mcp.so, PulseMCP. This is the highest-intent channel. Someone searching "form" on Smithery is already looking for exactly what we built. Free to list, and the traffic quality is exceptional.
Architecture posts like this thread — not launch announcements, but real decisions and trade-offs. People who care about confirmation tokens and state machines tend to be early adopters. They evaluate tools differently than someone clicking an ad.
Zero-friction entry — connect one URL, say "create a form." No signup, no credit card, unlimited forms on free tier. When trying costs nothing, word of mouth compounds naturally.
What I'm deliberately not doing yet: paid acquisition. At this stage every user who stays because the operations layer solved a real problem teaches me more than 100 signups from an ad campaign.
Curious about your domain — the tiered autonomy approach and the fact that you've hit the same guardrail-bypass problem suggest you're running agents against real-world systems, not just prototyping. What are you building?
This comment was deleted 4 days ago.