Your two keys
One is safe to publish. One never is. Here's how to tell them apart.
Every portal gets two keys, and they are not interchangeable. Using the wrong one in the wrong place is the single worst mistake you can make with FormMaker, so it's worth two minutes.
The publishable key — fm_pub_
Goes in your form's code. It can do exactly one thing: submit to your portal's forms. It cannot read them, list them, or audit them. If someone views your page source and copies it, the worst they can do is send you form submissions.
// Safe. This is what belongs in browser code.
fetch("https://formmaker.co.in/v1/forms/FORM_ID/submit", {
method: "POST",
headers: {
"Content-Type": "application/json",
Authorization: `Bearer ${import.meta.env.VITE_FORMMAKER_PUBLIC_KEY}`,
},
body: JSON.stringify(values),
});The private key — fm_live_
Goes in your AI client's connector URL and nowhere else. It unlocks every form in your portal: list, read, audit. Treat it like a password.
An environment variable does not make a key private. VITE_, NEXT_PUBLIC_, and
REACT_APP_ values are compiled into your JavaScript bundle at build time. Reading
process.env.NEXT_PUBLIC_FORMMAKER_KEY in a component looks careful and publishes the
key anyway. If a key reaches the browser, it is public — no matter how it got there.
Quick check
fm_pub_ | fm_live_ | |
|---|---|---|
| In your form's client code | ✅ that's its job | ❌ never |
| In your AI client's connector URL | ❌ won't work | ✅ that's its job |
| In a server-side proxy | ✅ fine | ❌ unnecessary — a proxy only submits |
| If someone steals it | they can submit to your forms | they can read your whole portal |
If a key leaks
Rotate it yourself, from your dashboard's Danger zone. There's no grace period by design — the old key stops working the instant you rotate, because a window on a leaked key is a window for whoever leaked it.
- Rotating the publishable key breaks deployed forms until you regenerate them.
- Rotating the private key breaks AI clients until you paste the new connector URL.
Both are recoverable in a minute. A leaked private key is not.