Server / API Key
For Zapier, Make.com, backend services (Node.js, Python, etc.), or mobile apps.
When submitting from a server or non-browser environment, the Origin header is not available
for domain whitelisting. Instead, authenticate using the form's secret API key.
Setup
- Open your form's detail page in the Gordon CRM dashboard.
- Reveal and copy the API Key (you can regenerate it at any time if compromised).
- Include it in your request as an x-api-key header.
Code Example
curl -X POST https://app.gordoncrm.com/api/forms/YOUR_FORM_ID \
-H "Content-Type: application/json" \
-H "x-api-key: YOUR_API_KEY" \
-d '{
"email": "lead@example.com",
"first_name": "John",
"last_name": "Doe",
"phone": "555-0100"
}'
Important Notes
API Key Security
Never expose the API key in client-side code (websites, SPAs, or public repositories). It is strictly for backend, server-to-server communication. If you suspect a key has been compromised, regenerate it from the form detail page in the dashboard.
Honeypot Not Required
The website_url honeypot field is designed for browser-based spam protection. Server-to-server
submissions bypass this check entirely when authenticated via API key. You do not need to include
it in your payload.
Rate Limiting Still Applies
Server-to-server requests are still subject to rate limiting (5 requests per 60 seconds per form+IP). If you are bulk-importing contacts, consider using the CRM's contact import features instead.
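A backend submission path that follows the notes above, as an added example (not Gordon CRM's own code): the API key is read from an environment variable rather than source code, and a client-side sliding window keeps calls within the documented 5 requests per 60 seconds. The variable name GORDON_FORM_API_KEY and the names SlidingWindow, build_request and submit are assumptions made for this example.

```python
import json
import os
import time
import urllib.request
from collections import deque

# Endpoint shape taken from the curl example on this page.
FORM_URL = "https://app.gordoncrm.com/api/forms/{form_id}"
KEY_ENV = "GORDON_FORM_API_KEY"  # assumed variable name, not defined by Gordon CRM

class SlidingWindow:
    """Client-side throttle for the documented limit (5 requests / 60 s). Use one per form."""
    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.sent = deque()  # timestamps of requests inside the current window

    def wait_time(self):
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()  # forget requests that have left the window
        if len(self.sent) < self.limit:
            return 0.0
        return self.window - (now - self.sent[0])

    def record(self):
        self.sent.append(self.clock())

def build_request(form_id, fields, env=os.environ):
    """Build the POST; the key comes from the environment, never from source code."""
    api_key = env.get(KEY_ENV)
    if not api_key:
        raise RuntimeError(f"{KEY_ENV} is not set")
    return urllib.request.Request(
        FORM_URL.format(form_id=form_id),
        data=json.dumps(fields).encode("utf-8"),
        method="POST",
        # urllib stores header names capitalized; HTTP header names are case-insensitive.
        headers={"Content-Type": "application/json", "x-api-key": api_key},
    )

def submit(form_id, fields, limiter, env=os.environ, sleep=time.sleep):
    """Wait if the window is full, then send. Returns the HTTP status code."""
    delay = limiter.wait_time()
    if delay > 0:
        sleep(delay)
    request = build_request(form_id, fields, env)
    limiter.record()
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.status
```

Because the limit is counted per form+IP, several workers behind the same outbound IP share one budget and need a shared limiter rather than one per process.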
Optional Fields
You can include any of the supported submission fields in your JSON payload:
{
"email": "lead@example.com",
"first_name": "Jane",
"last_name": "Smith",
"phone": "555-0200",
"is_subscribed": true,
"opt_in_source": "zapier-webhook",
"notes": "Interested in enterprise plan"
}