Contact us form integrated with API: security concern

Hi, we integrated our staging environment contact us form with Pipedrive's API sandbox environment. The idea is that when a user submits the form, a new lead is created and shows up in the leads inbox, including some custom fields that are added programmatically.

We are sending the api_token query param to authenticate requests, and we have concerns about exposing it once in production. Anyone with basic knowledge could get the api_token and use it to obtain/modify/delete sensitive information about leads, deals, persons, organizations, etc.

Do you have any advice on how to implement this while avoiding the security risk, without a backend server?

Thank you.


Hey @Ezequiel_Rodriguez
Welcome to the community :wave:
Can you share further details about the way the Contact Form is implemented?
You are right that this is a major security threat if the API token is exposed on the frontend / client side.
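The risk described in the question and confirmed in the reply is that the browser holds the api_token. The added example below (not code from either poster or from Pipedrive) shows the usual mitigation: the form posts only its fields to a small relay that alone holds the token, validates the input, and forwards a lead. It assumes the token is supplied through a `PIPEDRIVE_API_TOKEN` environment variable, uses Pipedrive's `x-api-token` header instead of the query parameter, and uses `CUSTOM_FIELD_KEY_PLACEHOLDER` in place of the real custom-field key and `personId` for a person record created earlier.

```javascript
// Added example, not code from the thread or from Pipedrive: the browser
// POSTs only form fields to this relay, which alone holds the api_token.
// Assumptions: token from the PIPEDRIVE_API_TOKEN env var; Pipedrive's
// x-api-token header used instead of the api_token query parameter;
// CUSTOM_FIELD_KEY_PLACEHOLDER stands in for the real custom-field key.

const PIPEDRIVE_LEADS_URL = "https://api.pipedrive.com/v1/leads";

// Only these fields are accepted from the browser, with length limits, so a
// caller cannot push arbitrary API fields or oversized data through the relay.
const ALLOWED_FIELDS = { name: 100, email: 254, message: 2000 };

function sanitiseForm(body) {
  const out = {};
  for (const [key, max] of Object.entries(ALLOWED_FIELDS)) {
    const v = body ? body[key] : undefined;
    if (typeof v !== "string" || v.trim() === "" || v.length > max) {
      throw new Error(`invalid field: ${key}`);
    }
    out[key] = v.trim();
  }
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(out.email)) throw new Error("invalid field: email");
  return out;
}

// Builds the request the relay sends to Pipedrive. The token travels in a
// header rather than the URL, keeping it out of access logs and Referer data.
function buildLeadRequest(form, token, personId) {
  const lead = sanitiseForm(form);
  return {
    url: PIPEDRIVE_LEADS_URL,
    method: "POST",
    headers: { "Content-Type": "application/json", "x-api-token": token },
    body: JSON.stringify({ title: `Website contact: ${lead.name}`,
      person_id: personId, CUSTOM_FIELD_KEY_PLACEHOLDER: lead.message }),
  };
}

// Relay entry point. sendFn performs the upstream call (wrap fetch in production,
// a stub in tests) and returns { ok }; the browser only ever learns ok/not ok.
function handleContactSubmission(formBody, personId, sendFn) {
  const token = process.env.PIPEDRIVE_API_TOKEN;
  if (!token) return { status: 500, body: { ok: false, error: "relay misconfigured" } };
  let req;
  try { req = buildLeadRequest(formBody, token, personId); }
  catch (e) { return { status: 400, body: { ok: false, error: e.message } }; }
  const upstream = sendFn(req);
  return { status: upstream.ok ? 201 : 502, body: { ok: upstream.ok } };
}
```

A serverless function is enough to host this relay; the point is that the token lives only where the relay runs, and the client-facing response never carries it.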