Why doesn't the Form API require a key?


Sorry if this has been asked before but why doesn’t the Form API require a key? I think it’s fairly easy to find out a site’s hubspot id and form id if they’re already using one of hubspot’s copy and paste JS forms.

You don’t allow CORS ajax so we pass it server side, I thought the reason for this was to protect your API key but we’re not using one anyway.

If someone could expand a bit more on form api security that would be nice :slight_smile:


Hi @Kyle_Joseph

Most of the Forms API does require authentication (either a hapikey or OAuth token), it’s specifically the URLs used to submit form data that do not. We use the same URLs to accept data from our web (HTML) forms, so they don’t require authentication since they’re designed to be accessed by visitors.

Specifically for CORS, we don’t support cross-origin requests in general since the rest of our endpoints do require authentication, and we don’t want to risk keys or tokens getting exposed to visitors. We don’t currently have an exception in place for the URLs that accept form submissions, but that’s something we’ll be looking at changing later this year.