Public key model
GlossaryA design pattern where the form ID is intentionally public and safe to commit — no secret involved.
Definition
In the public key model, the form identifier doubles as the submit credential, and it's designed to be public. You commit it to your repo, embed it in your HTML, and don't rotate it. The security model relies on the fact that the endpoint is write-only from the client: a bad actor can submit (which spam scoring catches) but cannot read existing submissions.
Why it matters for form backends
It dramatically reduces onboarding friction — there's no 'protect your key' step because there's nothing to protect.
FAQ
A secret API key authorizes reads and writes and must stay on the server. A public form key only authorizes form submissions and can be in client code.
Related terms
Ready to put this into practice?
Add a form to your site in minutes — free access key, copy-paste snippet.