Method C: Server-to-Server (API Key)

Best for: Zapier, Make.com, custom Node.js/Python backends, or Mobile Apps (iOS/Android).

If you are submitting data from a server or a non-browser environment, you cannot use the "Allowed Domains" security check because servers do not send standard browser Origin headers. Instead, you must authenticate using your form's secret API Key.

How to Integrate

  1. Reveal and copy your API Key from the Gordon CRM dashboard.
  2. Include it in your request as an x-api-key header.
  3. Because this traffic originates from your secure server, the website_url honeypot is ignored by our backend and is not required in your JSON payload.

Example cURL Request

curl -X POST https://app.gordoncrm.com/api/forms/YOUR_FORM_ID \
  -H "Content-Type: application/json" \
  -H "x-api-key: pk_live_YOUR_SECRET_KEY" \
  -d '{
    "email": "lead@example.com",
    "first_name": "John",
    "last_name": "Doe"
  }'

⚠️ Security Warning: Never expose this API key in client-side code (like a public website). It is strictly for backend, server-to-server communication.
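
The same request from a Python backend, as an added example that is not part of the original Gordon CRM documentation. The environment variable name GORDON_FORM_API_KEY and the function names are assumptions made for this example; the endpoint and header come from the cURL request above.

```python
import json
import os
import urllib.parse
import urllib.request

# Endpoint shape taken from the cURL example above.
ENDPOINT = "https://app.gordoncrm.com/api/forms/{form_id}"
# Assumption: variable name chosen for this example, not defined by the page.
KEY_ENV_VAR = "GORDON_FORM_API_KEY"


def load_api_key(env=None):
    """Read the key from the environment so it never lives in source control."""
    env = os.environ if env is None else env
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def build_request(form_id, fields, api_key):
    """Build the POST without sending it, so it can be inspected or tested."""
    # Percent-encode the ID so a caller-supplied value cannot alter the path.
    url = ENDPOINT.format(form_id=urllib.parse.quote(form_id, safe=""))
    body = json.dumps(fields).encode("utf-8")
    headers = {"Content-Type": "application/json", "x-api-key": api_key}
    return urllib.request.Request(url, data=body, method="POST", headers=headers)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """urllib copies custom headers onto redirected requests; refuse redirects
    so the key is only ever sent to the host named in ENDPOINT."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # the 3xx then surfaces as urllib.error.HTTPError


def submit(form_id, fields, timeout=10):
    """Send the submission; non-2xx responses raise urllib.error.HTTPError."""
    req = build_request(form_id, fields, load_api_key())
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(req, timeout=timeout) as resp:
        return resp.status
```

Call submit("YOUR_FORM_ID", {"email": "lead@example.com"}) from server-side code only, with the key injected by your deployment's secret store.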