Hi, we integrated our staging environment's contact-us form with Pipedrive's API sandbox environment. The idea is that when a user submits the form, a new lead is created and shows up in the leads inbox, including some custom fields that are programmatically added.
We are sending the api_token query param to authenticate requests, and we have concerns about exposing it once in production. Anyone with basic knowledge could get the api_token and use it to obtain/modify/delete sensitive information about leads, deals, persons, organizations, etc.
Do you have any advice about how to avoid this security risk without a backend server?