FormLoom

Public key model

A design pattern where the form ID is intentionally public and safe to commit — no secret involved.

Definition

In the public key model, the form identifier doubles as the submit credential, and it's designed to be public. You commit it to your repo, embed it in your HTML, and don't rotate it. The security model relies on the fact that the endpoint is write-only from the client: a bad actor can submit (which spam scoring catches) but cannot read existing submissions.

Why it matters for form backends

It dramatically reduces onboarding friction — there's no 'protect your key' step because there's nothing to protect.

FAQ

A secret API key authorizes reads and writes and must stay on the server. A public form key only authorizes form submissions and can be in client code.
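The split between the two credentials, sketched as an added example (not FormLoom's code): a hypothetical in-memory handler where the form ID alone authorizes POST and reads require a server-side secret key, plus a probe that checks the write-only property. The form ID, key value, status codes and function names are assumptions; spam scoring is not modeled.

```javascript
// Added example, not FormLoom code: form ID, secret key and handler are hypothetical.
const forms = new Map([
  ["form_demo_123", { secretKey: "sk_demo_server_only", submissions: [] }], // constructed
]);

// Compare secrets without exiting early at the first differing character.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  return diff === 0;
}

function handle(req) {
  const form = forms.get(req.formId);
  if (!form) return { status: 404, body: null };
  if (req.method === "POST") {
    // The public form ID is the whole submit credential (spam scoring not modeled).
    form.submissions.push(req.body);
    // Acknowledge only: never echo stored data, counts or other submissions.
    return { status: 202, body: { accepted: true } };
  }
  if (req.method === "GET") {
    // Reads need the server-side secret; the form ID alone is never enough.
    if (typeof req.apiKey !== "string") return { status: 401, body: null };
    if (!constantTimeEqual(req.apiKey, form.secretKey)) return { status: 403, body: null };
    return { status: 200, body: form.submissions.slice() };
  }
  return { status: 405, body: null };
}

// Check the write-only property: holding only the form ID, which methods
// succeed, and does any response leak a previously stored submission?
function probeWithPublicIdOnly(formId) {
  handle({ method: "POST", formId, body: { email: "canary@example.test" } }); // seed canary
  const allowed = [];
  let leaked = false;
  for (const method of ["GET", "POST", "PUT", "PATCH", "DELETE"]) {
    const res = handle({ method, formId, body: { email: "probe@example.test" } });
    if (res.status < 300) allowed.push(method);
    if (JSON.stringify(res.body).includes("canary@example.test")) leaked = true;
  }
  return { allowed, leaked };
}
```

The same probe can be pointed at a real deployment's staging endpoint as a regression check: if any method other than submit succeeds with only the form ID, the ID is no longer safe to publish.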
