Sheetspin Documentation

How Sheetspin works

Sheetspin spins up your website's full data backend in your Google Drive — forms, content, gallery, calendar, newsletter, and more. No server, no subscription, no lock-in.

The problem with website backends

Most websites need a backend the moment they add a contact form, a blog, or a newsletter signup. The options are either a paid SaaS (that owns your data), a DIY server (that requires ongoing maintenance), or a patchwork of separate tools that don't talk to each other.

Sheetspin takes a different approach: your entire site's backend lives in a single Google Sheet that you already own. A single Google Apps Script acts as the API layer, reading a live configuration tab on every request. There's nothing to maintain and nothing to pay for.

Architecture overview

Sheetspin does not store your data. There is no Sheetspin database and no third-party storage of your information. Every provisioning API call is made directly from your browser using your own Google OAuth access token. The resources created belong entirely to you.

Your Browser
    │
    ├─── Google OAuth          ──▶  Short-lived access token (memory only)
    ├─── Google Drive API      ──▶  Creates Sheet + Drive folder
    ├─── Apps Script API       ──▶  Creates & deploys API handler
    └─── (no Sheetspin server involved in provisioning)

Your site's live API (after provisioning):

Visitor's Browser / Your Claude agent
    │
    └─── fetch(scriptUrl?token=...&tab=...)   ← read (GET)
              │
              └─── Apps Script (Google)
                        │
                        ├─── CacheService (read cache first)
                        │         ├─── manifest: 5-min TTL
                        │         ├─── tab data: 1-hr TTL
                        │         └─── auto-clears on sheet edit
                        │
                        ├─── _-prefixed tabs:  blocked
                        ├─── form tab GET:     blocked (write-only)
                        ├─── form tab POST:    appends row + sends email
                        ├─── rows tab GET:     returns JSON array
                        ├─── key-value GET:    returns config object
                        └─── asset tab GET:    reads Drive subfolder → returns file list

Your Admin Dashboard / AI Agent (write API):

Your Browser / Claude agent
    │
    └─── POST scriptUrl  { action, tab, session_token, ... }
              │
              └─── Apps Script (Google)
                        │
                        ├─── login:        verifies password hash → returns session token
                        ├─── update_row:   writes field values to a specific row
                        ├─── delete_row:   removes a row from the sheet
                        └─── cache_clear:  forces full cache flush

Asset uploads (not through the API):

Your Browser / Admin tool
    │
    └─── Google Drive API  ──▶  Upload file to asset subfolder
                                      │
                                      └─── next GET on that tab returns it

The manifest pattern — no redeployment needed

The Apps Script handler doesn't have your site structure hardcoded into it. Instead, it reads a _manifest tab in your Google Sheet on every request. The manifest is a JSON object that lists all your modules — their names, types, form field configurations, and Drive folder references.

This means you can add a new module, remove an old one, or update form fields by simply updating the sheet and the manifest row. No redeployment. No changes to the script. Your endpoint URL never changes.

To avoid reading the spreadsheet on every single request, the Apps Script caches the manifest for 5 minutes and tab data for 1 hour using Google's built-in CacheService. The cache clears automatically whenever you edit a cell in any tab — so changes in your spreadsheet propagate to your live site within seconds, not an hour. You can also force-clear the full cache from the Site Kit at any time.
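As an added illustration of the cache behaviour just described (example code, not Sheetspin's own script): a read-through cache with the 5-minute manifest TTL and 1-hour tab TTL, the onEdit invalidation, and the 100 KB per-entry CacheService limit covered under Limitations below. The in-memory cache stand-in, the cache key names and the per-tab invalidation are assumptions; the real script would use CacheService.getScriptCache(), which has the same get/put/remove calls.

```javascript
// Added example, not Sheetspin's code. `makeMemoryCache` stands in for
// CacheService.getScriptCache(); like the real cache it refuses oversized values.
const MANIFEST_TTL_SECONDS = 5 * 60;   // manifest: 5 minutes
const TAB_TTL_SECONDS = 60 * 60;       // tab data: 1 hour
const CACHE_ENTRY_LIMIT_BYTES = 100 * 1024; // CacheService per-entry limit

function makeMemoryCache() {
  const store = new Map();
  return {
    get: (key) => (store.has(key) ? store.get(key) : null),
    put: (key, value, ttlSeconds) => {
      if (value.length > CACHE_ENTRY_LIMIT_BYTES) throw new Error('Argument too large');
      store.set(key, value); // the stand-in ignores ttlSeconds; CacheService expires it
    },
    remove: (key) => { store.delete(key); },
  };
}

// Serve from cache when present; otherwise read the sheet and cache the JSON,
// unless it would exceed the entry limit, in which case it is returned uncached.
// String length is used as an approximation of the byte size.
function cachedJson(cache, key, ttlSeconds, loader) {
  const hit = cache.get(key);
  if (hit !== null) return { value: JSON.parse(hit), fromCache: true };
  const value = loader();
  const serialized = JSON.stringify(value);
  if (serialized.length <= CACHE_ENTRY_LIMIT_BYTES) cache.put(key, serialized, ttlSeconds);
  return { value, fromCache: false };
}

function getManifest(cache, readManifestTab) {
  return cachedJson(cache, 'manifest', MANIFEST_TTL_SECONDS, readManifestTab);
}

function getTabData(cache, tab, readTabRows) {
  return cachedJson(cache, 'tab:' + tab, TAB_TTL_SECONDS, () => readTabRows(tab));
}

// onEdit trigger: drop the edited tab's entry so the next GET re-reads the sheet.
// Editing _manifest also drops the cached manifest (assumed key layout).
function onEditClear(cache, editedTab) {
  cache.remove('tab:' + editedTab);
  if (editedTab === '_manifest') cache.remove('manifest');
}
```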

Step-by-step walkthrough

1. Sign in with Google

You grant Sheetspin a temporary OAuth access token. This token lives only in browser memory — it's never sent to any Sheetspin server, never written to disk, and is gone the moment you close the tab.

2. Pick a template or start blank

Choose from 5 pre-built templates (Portfolio, Restaurant, SaaS, Non-profit, Agency) or start with a blank site and add modules one by one from your Site Kit. Either way, Sheetspin spins up the right structure in seconds.

3. Your Drive gets the full spin

A Drive folder is created for your site. Inside it: a Google Sheet with one tab per module, a _manifest tab the script reads on every request, and a _instructions tab that explains the spreadsheet to anyone who opens it. Asset subfolders are created for any file-storage modules. All data tabs are pre-populated with the correct column headers.

4. Apps Script is deployed

A single Apps Script project is created and bound to your sheet. doPost() handles form submissions; doGet() serves row and key-value data as JSON. Both read _manifest at runtime and cache responses automatically — manifest for 5 minutes, tab data for 1 hour. An onEdit trigger clears the relevant cache entry whenever you edit a cell, so your live API always reflects your sheet. The script is deployed as a public web app, producing the unique HTTPS URL that is your site's API endpoint.

5. Authorize your script

Because the script was deployed via the Apps Script API, Google requires a one-time manual authorization before it can run. Open the script URL shown in the Site Kit, sign in if prompted, and approve the permissions dialog. The script requests three scopes: access to its one spreadsheet (spreadsheets.currentonly), email sending (script.send_mail), and read access to its Drive folder (drive.readonly). This runs under your Google account — not ours.

6. Manage and evolve your site

From the Site Kit, you can add new modules, remove existing ones, edit form field configurations, annotate column types, and set an optional write password for content management. The write password lets your AI agent or admin dashboard update and delete rows — authenticated via short-lived session tokens that live only in your Apps Script, under your own Google account. Export the sheetspin.md skill file so your AI coding assistant knows your site's full API, data schema, and write permissions.

What gets created in your Google Drive

A Drive folder

Named after your site slug. Contains your Google Sheet and one subfolder per asset module. You upload files directly to these subfolders — the API lists whatever is there. You can browse, share, and manage everything like any other Drive folder.

A Google Sheet with multiple tabs

One tab per module (form submissions, blog posts, gallery images, etc.) plus a hidden _manifest tab the script reads on every request, and a _instructions tab with a plain-English guide to the spreadsheet. All data tabs are pre-populated with the correct column headers.

A single Apps Script web app

One script handles all your modules dynamically by reading the _manifest tab. It supports form submissions (doPost) and data retrieval (doGet), caches responses automatically, and clears the cache on every sheet edit. One deployment URL, forever — no matter how many modules you add or remove.

Module types

Contact Form

Submissions go to a sheet tab + email notification. Supports CC, BCC, custom subject, reply-to field, honeypot spam protection, and built-in rate limiting (500 submissions per hour).

Newsletter

Single email field form. Collects subscriber addresses in a dedicated tab. Same spam protection and rate limiting as contact forms.

Blog / Content

Structured rows with title, body, slug, and published flag. Your doGet endpoint returns published items as JSON.

Gallery

Links Google Drive image files to rows in a sheet tab. Your doGet returns captions and Drive file IDs.

Calendar / Events

Date-structured rows with title, description, start/end times. Returned as a sorted JSON array.

Asset Storage

A dedicated Drive subfolder holds your files. You upload directly to Drive (manually or via the Drive API) — no upload goes through the Apps Script. The GET endpoint lists everything in the folder: file name, MIME type, size, a direct image URL, and Drive link.

Site Config

Key-value pairs for site-wide settings (tagline, social links, etc.). Retrieved as a single JSON object.

Custom Rows

Freeform tabular data with any column structure you define. Returned as a JSON array.

API security model

Your API endpoint is public by design — static sites need to be able to call it without a server. Sheetspin hardens it in several ways:

Token authentication

Every request must include a secret script token. Without it, all requests return an Unauthorized error. The token is stored in your _manifest tab and in the sheetspin.md skill file you export.

Form tabs are write-only

GET requests to a form or newsletter tab return the same "Unknown tab" error as a non-existent tab. Submission data is never readable via the API — only via your Google Sheet directly.

Internal tabs are always blocked

Any tab whose name starts with _ (_manifest, _instructions, etc.) returns an error on GET, regardless of the token. Internal configuration is never exposed.

Rate limiting on form submissions

Each form tab is rate-limited to 500 submissions per hour using a LockService-guarded atomic counter. Requests beyond the limit silently succeed (to avoid leaking info to bots) but are not written to the sheet.

Honeypot spam protection

Forms support a hidden honeypot field. Bot submissions that fill it in are silently discarded before any sheet write or email notification occurs.

Write password & session-based content management

Optionally set a write password in your Site Kit to enable a content management API — update or delete rows without touching Google Sheets directly. The password is hashed before it ever leaves your browser. Only the hash is stored, in your own _manifest tab. Sheetspin never sees your password. Authentication issues short-lived session tokens tied to your Apps Script deployment. Sessions expire after one hour, and changing your password automatically invalidates all active sessions.
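The GET and POST checks described in this section, as an added example written as plain JavaScript functions rather than Sheetspin's actual Apps Script (which would call them from doGet/doPost and use CacheService and LockService). The manifest shape, the honeypot field name `_hp`, the cache key layout and the in-memory service stand-ins are assumptions.

```javascript
// Added example, not Sheetspin's code; manifest shape and field names are assumed.
const RATE_LIMIT_PER_HOUR = 500;
const HONEYPOT_FIELD = '_hp'; // assumed name of the hidden honeypot input
const fail = (error) => ({ result: 'error', error });
const success = () => ({ result: 'success' });
// In-memory stand-ins for CacheService.getScriptCache() and LockService.getScriptLock().
function memoryServices() {
  const store = new Map();
  return {
    cache: { get: (k) => (store.has(k) ? store.get(k) : null), put: (k, v) => store.set(k, v) },
    lock: { waitLock: () => {}, releaseLock: () => {} },
  };
}
const findModule = (manifest, tab) => manifest.modules.find((m) => m.tab === tab) || null;
const isWriteOnly = (mod) => mod.type === 'form' || mod.type === 'newsletter';

// GET: token first; then _-prefixed, missing and form tabs all get the same answer,
// so the response does not reveal which internal or write-only tabs exist.
function handleGet(params, manifest, readTabRows) {
  if (!params.token || params.token !== manifest.token) return fail('Unauthorized');
  const tab = String(params.tab || '');
  const mod = findModule(manifest, tab);
  if (tab.startsWith('_') || !mod || isWriteOnly(mod)) return fail('Unknown tab');
  return Object.assign(success(), { data: readTabRows(tab) });
}

// Hourly counter per tab; the lock serialises concurrent submissions so two requests
// cannot both read 499 and both write 500. The key rolls over each hour.
function countSubmission(tab, services, nowMs) {
  const key = 'rate:' + tab + ':' + Math.floor(nowMs / 3600000);
  services.lock.waitLock(5000);
  try {
    const n = Number(services.cache.get(key) || 0) + 1;
    services.cache.put(key, String(n), 3600);
    return n;
  } finally {
    services.lock.releaseLock();
  }
}

// POST: a filled honeypot or an over-limit submission still answers "success",
// but nothing is written and no email is sent.
function handlePost(params, manifest, services, appendRow, nowMs) {
  if (!params.token || params.token !== manifest.token) return fail('Unauthorized');
  const mod = findModule(manifest, String(params.tab || ''));
  if (!mod || !isWriteOnly(mod)) return fail('Unknown tab');
  if (params[HONEYPOT_FIELD]) return success();
  if (countSubmission(mod.tab, services, nowMs) > RATE_LIMIT_PER_HOUR) return success();
  appendRow(mod.tab, mod.fields.map((f) => params[f] || ''));
  return success();
}
```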

sheetspin.md — your AI skill file

After provisioning, the Site Kit lets you export a sheetspin.md file. Drop this into your website project and your AI coding assistant will understand your site's entire backend without any configuration:

Your API endpoint URL and authentication token
Every module, its tab name, type, and column schema — including per-column type annotations
Exact calling conventions for GET (data retrieval) and POST (form submissions and writes)
Expected response formats — { result: "success" } / { result: "error", error: "..." }
Form field names, types, and honeypot field instructions
Write API actions (login, update_row, delete_row) with session token flow and all updatable fields
Cache bust endpoint for forcing a full cache clear
Drive folder URLs for asset modules
Instructions for both static-site and Next.js proxy integration approaches
Data handling notes: _row index, toggle string encoding, CORS rules, and post-delete row shift warnings

Limitations to know about

Email quota

Google Apps Script free accounts are limited to roughly 100 email notifications per day. This is a Google-imposed limit that applies to your personal Apps Script quota.

One-time script authorization required

After provisioning, you must visit the script URL once while signed in to Google to authorize it. This is a Google requirement for scripts deployed via the API. The authorization dialog will show the script requesting spreadsheets.currentonly, script.send_mail, and drive.readonly — all scoped to the resources for this one site.

Apps Script API must be enabled

The Google Apps Script API must be enabled in your Google account before provisioning. If it isn't, Sheetspin will detect this and show a direct link to enable it — it's a single toggle.

Asset uploads go directly to Drive — not through the API

The Apps Script endpoint is read-only for assets — it lists files but cannot accept uploads. To add files to an asset module, upload them directly to the Drive subfolder (manually via drive.google.com, or programmatically via the Drive API using your own OAuth token). The next GET request on that tab will include them.

Cache size limit

Google's CacheService has a 100 KB per-entry limit. Tabs with very large datasets (thousands of rows with many columns) will be served uncached. The script handles this gracefully — the response is still returned, just not cached.

No data leaves your Google account. Sheetspin makes API calls on your behalf using a short-lived access token that never touches our servers. Submissions and data go directly from the browser to your own Apps Script endpoint and land in your own Google Sheet. Read our privacy policy.